SlowMist: Aurellion attacked via vulnerability, approximately $455,000 in USDC stolen
Odaily reports that SlowMist has issued a security alert stating that Aurellion has been attacked, resulting in a loss of approximately 455,003 USDC (approximately $455,000).
Analysis indicates that the root cause of the vulnerability is the lack of effective protection in the initialize(address) function within the SafeOwnable Facet. Because the Diamond contract set its owner without going through the initialization path, the _initialized version slot was never updated, so the initializer still treated the contract as uninitialized; this allowed the attacker to call initialize again and overwrite the owner.
Subsequently, the attacker called diamondCut to inject a malicious Facet and used its pullERC20 function to transfer USDC from users who had approved the contract to spend their tokens, completing the theft of funds.
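The failure described above is a mismatch between the guard an initializer relies on and the storage the deployment path actually writes. The following illustrative Solidity (an added example, not Aurellion's code; all contract, library and slot names are hypothetical) shows an owner facet whose initialize(address) can be re-run by anyone, beside a hardened version that records a version in diamond storage, refuses to run again once that version is set, and additionally restricts later initializer versions to the existing owner. It also shows the deployment-path side: the Diamond constructor must write the same version slot the facet checks, or the guard is still open to the first external caller.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative example, not Aurellion's code. Diamond-style shared storage
// holding the owner and the highest initializer version that has run.
library OwnableStorage {
    // Hypothetical slot identifier; any unique constant works.
    bytes32 internal constant SLOT = keccak256("example.diamond.ownable.storage");

    struct Layout {
        address owner;
        uint64 initialized; // highest initializer version that has run
    }

    function layout() internal pure returns (Layout storage l) {
        bytes32 s = SLOT;
        assembly { l.slot := s }
    }
}

// Vulnerable pattern: initialize() has no guard at all, so a second call from
// any address simply replaces the owner. Even a naive guard on `initialized`
// would not help if the deployment path set `owner` without writing it.
contract VulnerableOwnableFacet {
    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);

    function initialize(address newOwner) external {
        OwnableStorage.Layout storage l = OwnableStorage.layout();
        emit OwnershipTransferred(l.owner, newOwner);
        l.owner = newOwner; // no check: re-callable by anyone
    }

    function owner() external view returns (address) {
        return OwnableStorage.layout().owner;
    }
}

// Hardened pattern: a versioned initializer that (1) reverts if the stored
// version is already at or above the requested one and (2) once an owner
// exists, only that owner may run a later version. Check (2) is the defence
// in depth that holds even if the deployment path forgot to bump the version.
contract HardenedOwnableFacet {
    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);
    event Initialized(uint64 version);

    error AlreadyInitialized(uint64 current);
    error NotOwner(address caller);

    uint64 internal constant VERSION = 1;

    modifier reinitializer(uint64 version) {
        OwnableStorage.Layout storage l = OwnableStorage.layout();
        if (l.initialized >= version) revert AlreadyInitialized(l.initialized);
        if (l.owner != address(0) && msg.sender != l.owner) revert NotOwner(msg.sender);
        l.initialized = version; // write before the body: no re-entry window
        _;
        emit Initialized(version);
    }

    function initialize(address newOwner) external reinitializer(VERSION) {
        OwnableStorage.Layout storage l = OwnableStorage.layout();
        emit OwnershipTransferred(l.owner, newOwner);
        l.owner = newOwner;
    }

    function owner() external view returns (address) {
        return OwnableStorage.layout().owner;
    }
}

// Deployment path: the Diamond sets its owner directly, so it must also record
// the initializer version in the very same slot the facet guards. Setting only
// `owner` here is exactly the gap that leaves initialize() callable later.
contract ExampleDiamond {
    constructor(address initialOwner) {
        OwnableStorage.Layout storage l = OwnableStorage.layout();
        l.owner = initialOwner;
        l.initialized = 1; // must match HardenedOwnableFacet.VERSION
    }
    // diamondCut, fallback and facet routing omitted; they are unchanged by the fix.
}
```

Two review checks follow from this: first, every write of `owner` outside the initializer (constructor, diamondCut init contract, migration script) must also advance `initialized`; second, when `owner` is still address(0) the first initialize call is open to anyone, so the owner should be set in the deployment transaction itself rather than in a separate later call.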
Relevant addresses are as follows:
Victim Contract: 0x0adc63e71b035d5c7fdb1b4593999fa1f296f1b2
Vulnerable Facet: 0x3ca79c1cf29b8d19f7c643bb6e6bc9c49762e70f
Attacker Address: 0x9f49591a3bf95b49cd8d9477b4481ce9da68d5ca
Currently, the attacker has taken ownership of the Diamond contract and has withdrawn USDC from several authorized addresses, including 0x2e933518..., 0xa90714a1..., and 0xeced2d37..., among others.
