HypurrFi discloses vulnerabilities in the early version of Aave V3 and has suspended new lending for the XAUT0 and UBTC markets

HyperEVM's native non-custodial lending protocol HypurrFi stated on platform X that there is a "rounding error" vulnerability in versions prior to Aave V3 3.5. Under specific conditions, an attacker could extract underlying tokens by repeatedly executing supply/extract and borrow/repay loop operations.

The affected markets are XAUT0 and UBTC in HypurrFi Pooled. Currently, user funds are not at risk. To ensure safety, related markets have suspended new supply and lending operations, while withdrawal and repayment functions remain operational, and other markets are running normally. HypurrFi added that it quickly identified the issue on-chain through its internal monitoring system and promptly froze the affected markets. They are also collaborating with other Aave deployers and security researchers to address the issue and have invited other Aave fork projects to reach out for more security information.