On August 2024, AAVE suffered a arbitrary call — the first of 21 documented arbitrary call incidents in our archive where the loss figure was not publicly disclosed but the exploit pattern is documented below.
Attack Mechanics: How the AAVE Arbitrary Call Played Out
Exploit Class Applied to AAVE
The AAVE incident on August 28, 2024 is classified as a Arbitrary Call. The contract executes an external call with attacker-controlled target or calldata, letting them impersonate the contract. In the full archive, AAVE is 1 of 21 documented arbitrary call incidents.
AAVE in Context
The AAVE incident joins a class whose largest loss to date is Seneca (2024) at $6M.
Prior Arbitrary Call Before AAVE
The nearest arbitrary call incident before AAVE was YodlRouter, 14 days earlier on August 14, 2024 ($5K lost). The same exploit class surfaced again within the arbitrary call attack surface.
AAVE Vulnerability Signature
The primary source categorises the AAVE exploit specifically as “Arbitrary Call Error”. This narrower label is entity-specific: it reflects how the AAVE contract failed, rather than the broad arbitrary call pattern alone.
Impact & Recovery for AAVE
AAVE Loss Figure
The loss figure for AAVE is not publicly disclosed. The primary source reports the exploit in non-USD terms, so no USD estimate is published here. For reference, the average loss across 21 arbitrary call incidents in our archive is $783.5K.
Timeline Since the AAVE Incident
The AAVE exploit occurred 1.6 years ago (594 days). The contract, its fork-block, and the attack transaction remain on-chain and forensically reproducible.
Primary Reference for AAVE
Public post-mortem / on-chain analysis for the AAVE incident: view source.
FAQ
How much did AAVE lose?
The AAVE loss figure is not publicly disclosed. The primary source reports the exploit in non-USD token terms, so no USD estimate is published here.
When did the AAVE hack happen?
The AAVE exploit was recorded on August 28, 2024 — 594 days ago.
What type of exploit hit AAVE?
The AAVE incident is classified as a Arbitrary Call. The contract executes an external call with attacker-controlled target or calldata, letting them impersonate the contract.
How common is the Arbitrary Call pattern seen at AAVE?
Our archive contains 21 documented arbitrary call incidents. The AAVE incident is one of them.
How does AAVE compare to the largest Arbitrary Call attack?
The largest arbitrary call incident in our archive is Seneca (2024) at $6M. The AAVE loss was not publicly disclosed.
What are the design goals of the proposed cross-chain transaction protocol?
The goals include unlinkability, public verifiability, offline tolerance, and privacy preservation.
How do signature aggregations work within the framework?
By combining multiple digital signatures into a single proof to streamline authentication.