Active drainer campaign exploiting WETH freeze narrative — on-chain evidence

Summary

I’m reporting an active drainer campaign on Arbitrum that appears to be exploiting the current rsETH/WETH freeze narrative to phish WETH suppliers. Sharing on-chain evidence here so the community, the security team, and other potentially affected users can assess and respond.

This is not a protocol vulnerability — Aave contracts behaved as designed. The attack vector is an off-chain phishing signature (likely Permit2 or EIP-2612) that the victim was tricked into signing, allowing a malicious contract to transfer aArbWETH out of the victim’s wallet.

Incident details

  • Date: April 21, 2026
  • Network: Arbitrum One
  • Transaction: 0x91387c707ad738910d5dc2bf4b63c784e676ea6d97f739077ef806c757603171
  • Block: #454823544
  • Asset drained: aArbWETH (Aave V3 Arbitrum WETH aToken)
  • Amount: 10.148 aArbWETH (~$23,373 at time of incident)

Addresses involved

  • Victim wallet: 0x2D417D819a296C78cD820086DF95B424506fbe6D
  • Malicious contract (drainer): 0x57317486E83a567B0b90d592A2CE1f9f1af66963
  • Transaction executor (EOA): 0xf738d96c856aE6f8c86c7DEF8D9D373C8236938e
  • Final recipient 1 (~15% split): [PASTE FULL 0x602D...93b1 HERE]
  • Final recipient 2 (~85% split): [PASTE FULL 0x4544...e6DC HERE]

Pattern analysis

Within the same transaction, the drainer contract split the stolen aArbWETH between two addresses in a ~15/85 ratio:

  • 1.522 aArbWETH → recipient 1 (~$3,506)
  • 8.625 aArbWETH → recipient 2 (~$19,867)

This split ratio is consistent with drainer-as-a-service kits (Inferno Drainer, Angel Drainer, Pink Drainer, etc.), where ~15% typically goes to the kit developer and ~85% to the operator. This suggests a commoditized campaign, not an isolated incident, which means other Aave users are likely being targeted with the same contract.

Why this matters now

The stolen funds are currently held as aArbWETH, which the attacker cannot redeem for WETH because:

  1. Arbitrum WETH reserve is currently frozen by the Protocol Guardian (precautionary measure following the rsETH incident)
  2. WETH pool is at 100% utilization

This gives an unusually large window for detection and response before the attacker can monetize the position. Likely monetization paths the attacker may attempt:

  • Depositing aArbWETH as collateral on Aave V3 Arbitrum and borrowing stablecoins against it
  • Secondary market sale of aArbWETH at a discount
  • Waiting for WETH reserve unfreeze

Requests to the community

  1. Security providers (BGD Labs, Chaos Labs, LlamaRisk): can the drainer contract 0x57317486E83a567B0b90d592A2CE1f9f1af66963 be reviewed to identify the signature type it exploits and confirm whether this campaign is active against other users?
  2. Has anyone else on the forum been affected by the same contract or a similar phishing flow in the past 72 hours? Please reply with evidence so victims can be aggregated.
  3. Is there a recommended channel for Aave to issue a public warning about phishing campaigns exploiting the current WETH freeze narrative? Many users are searching for “emergency WETH exit” routes and are likely to encounter similar scams.

Actions already taken

  • Victim wallet has been abandoned; remaining collateral (WBTC) moved to a fresh wallet
  • Outstanding USDT debt repaid to eliminate liquidation risk
  • Approvals revoked on the compromised wallet
  • Incident documented for law enforcement filing

Disclaimer

Posting as an affected user, not a service provider. All information above is verifiable on-chain. I’m not requesting a treasury bailout or any governance action specific to my case — the goal of this post is to surface a potentially active attack vector and protect other users.

Happy to provide additional technical details or transaction traces if helpful.

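The post identifies the vector as an off-chain Permit2 or EIP-2612 signature the victim was tricked into approving. The check below is an added example (not code from the post, from Aave or from any wallet): it takes the JSON an `eth_signTypedData_v4` prompt would show and reports the things a user should refuse to sign blindly: a spender that is not on a personal allowlist, an unlimited amount, or an approval that never expires. The spender allowlist, the 30-day validity threshold, and every address and value in the two sample requests are constructed assumptions.

```python
"""Inspect an EIP-712 typed-data request before signing it.

Added example, not code from the forum post or from Aave. It handles the two
signature families the post names: EIP-2612 `Permit` and the Permit2 types
`PermitSingle`/`PermitBatch` and `PermitTransferFrom`/`PermitBatchTransferFrom`.
All addresses and values are constructed.
"""
import time

MAX_UINT256 = 2**256 - 1
MAX_UINT160 = 2**160 - 1
MAX_UINT48 = 2**48 - 1
LONG_VALIDITY = 30 * 24 * 3600  # flag approvals valid for over 30 days (assumption)

# Hypothetical allowlist of spender contracts the user knowingly uses (constructed).
KNOWN_SPENDERS = {"0x1111111111111111111111111111111111111111"}


def _check_spender(spender, known, findings):
    if spender.lower() not in {k.lower() for k in known}:
        findings.append(f"spender {spender} is not on your allowlist")


def _check_amount(amount, limit, findings):
    if int(amount) >= limit:
        findings.append("approval amount is unlimited (type max)")


def _check_expiry(ts, now, label, findings):
    ts = int(ts)
    if ts >= MAX_UINT48 or ts - now > LONG_VALIDITY:
        findings.append(f"{label} is more than 30 days away or never expires")


def inspect_typed_data(typed_data, known_spenders=KNOWN_SPENDERS, now=None):
    """Return human-readable risk findings for one eth_signTypedData_v4 payload."""
    now = int(time.time()) if now is None else now
    primary = typed_data.get("primaryType")
    msg = typed_data.get("message", {})
    findings = []
    if primary == "Permit":  # EIP-2612: the token is the domain's verifyingContract
        _check_spender(msg.get("spender", ""), known_spenders, findings)
        _check_amount(msg.get("value", 0), MAX_UINT256, findings)
        _check_expiry(msg.get("deadline", 0), now, "deadline", findings)
    elif primary in ("PermitSingle", "PermitBatch"):  # Permit2 allowance-style
        details = msg.get("details", [])
        details = details if isinstance(details, list) else [details]
        _check_spender(msg.get("spender", ""), known_spenders, findings)
        for d in details:
            _check_amount(d.get("amount", 0), MAX_UINT160, findings)
            _check_expiry(d.get("expiration", 0), now, f"expiration for {d.get('token')}", findings)
    elif primary in ("PermitTransferFrom", "PermitBatchTransferFrom"):  # Permit2 one-shot
        permitted = msg.get("permitted", [])
        permitted = permitted if isinstance(permitted, list) else [permitted]
        _check_spender(msg.get("spender", ""), known_spenders, findings)
        for p in permitted:
            _check_amount(p.get("amount", 0), MAX_UINT256, findings)
        _check_expiry(msg.get("deadline", 0), now, "deadline", findings)
    else:
        findings.append(f"unrecognised primaryType {primary!r}; do not sign blindly")
    return findings


NOW = 1_700_000_000  # fixed clock so the sample results are reproducible

# Constructed lure: unlimited, never-expiring permit to an unknown spender.
PHISHING_REQUEST = {
    "primaryType": "Permit",
    "domain": {"name": "aToken", "version": "1", "chainId": 42161,
               "verifyingContract": "0x2222222222222222222222222222222222222222"},
    "message": {
        "owner": "0x3333333333333333333333333333333333333333",
        "spender": "0x4444444444444444444444444444444444444444",
        "value": str(MAX_UINT256),
        "nonce": "0",
        "deadline": str(MAX_UINT256),
    },
}

# Constructed benign request: bounded amount, short expiry, allowlisted spender.
BENIGN_REQUEST = {
    "primaryType": "PermitSingle",
    "domain": {"name": "Permit2", "chainId": 42161,
               "verifyingContract": "0x5555555555555555555555555555555555555555"},
    "message": {
        "details": {"token": "0x2222222222222222222222222222222222222222",
                    "amount": str(10**18), "expiration": str(NOW + 3600), "nonce": "0"},
        "spender": "0x1111111111111111111111111111111111111111",
        "sigDeadline": str(NOW + 600),
    },
}

if __name__ == "__main__":
    for name, req in (("phishing", PHISHING_REQUEST), ("benign", BENIGN_REQUEST)):
        print(name, inspect_typed_data(req, now=NOW) or ["no findings"])
```

The three findings on the constructed lure (unknown spender, unlimited value, no expiry) are exactly the combination that lets a drainer contract call `transferFrom` on an aToken long after the signing page is gone; any one of them on its own is reason to stop and check what the spender actually is.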

Important community alert. The on-chain forensics here are solid — the 15/85 drainer-as-a-service split, the aArbWETH theft vector, and the frozen reserve dynamics all check out.

What I want to highlight is the failure mode this reveals: governance actions themselves create phishing surfaces. The WETH freeze on Aave created legitimate user anxiety. The drainer weaponized that anxiety into “emergency WETH exit” phishing lures. Every governance action that restricts user access — freezes, parameter changes, emergency pauses — creates a social engineering attack vector. The protocol contracts worked as designed. The information asymmetry between sophisticated and unsophisticated users became the attack surface.

The interesting wrinkle: the stolen 10.148 aArbWETH is effectively trapped. The reserve is frozen with 100% utilization, so the attacker can’t redeem underlying WETH. They could theoretically borrow stables against it, but that would require accepting a frozen-reserve receipt token as collateral. This is an accidental security feature — the same freeze that created the phishing vector is now containing the damage.

The governance takeaway: when you freeze a reserve, you need proactive, multi-channel communication that front-runs the scam narratives. The gap between governance action and the first phishing attempt is measured in minutes. Aave should have a standardized “governance action communication protocol” — template announcements pushed to Discord, X, and the forum simultaneously with every parameter change. The cost is trivial. The attack surface reduction is significant.

Every major protocol incident now has a “tail” of social-engineering attacks that exploit confusion. Incident communication isn’t an afterthought — it’s a first-class security response.

– Robby Greenfield | tokedex.org
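Both posts point to the same on-chain signature of a commoditized drainer: the stolen aTokens land in one contract and leave it in the same transaction, split between two recipients at roughly 15/85. The script below is an added example (not from either post, not Aave tooling) of a detection heuristic a monitoring job could run over decoded aToken `Transfer` events: it flags any address that, within one transaction, receives an amount and immediately forwards all of it to two or more recipients with the smallest share in a fee-like 10-25% band. The event records, addresses and the fee band are constructed assumptions; the amounts mirror the 1.522/8.626-style split described in the thread.

```python
"""Flag "receive then split" forwarding patterns in ERC-20 Transfer events.

Added example (not from the forum thread). Heuristic only: in one transaction an
address receives tokens and forwards the whole amount to two or more recipients,
with the smallest share in the 10-25% band typical of drainer-kit fee splits.
The event records below are constructed, not real chain data.
"""
from collections import defaultdict

WEI = 10**18

# Constructed, ABI-decoded Transfer events in the shape eth_getLogs output takes
# after decoding: transaction hash, from, to, value in wei.
SAMPLE_TRANSFERS = [
    {"tx": "0xtx1", "from": "0xVICTIM", "to": "0xDRAINER", "value": 10_148 * WEI // 1000},
    {"tx": "0xtx1", "from": "0xDRAINER", "to": "0xRECIP1", "value": 1_522 * WEI // 1000},
    {"tx": "0xtx1", "from": "0xDRAINER", "to": "0xRECIP2", "value": 8_626 * WEI // 1000},
    {"tx": "0xtx2", "from": "0xALICE", "to": "0xBOB", "value": 3 * WEI},     # ordinary transfer
    {"tx": "0xtx3", "from": "0xCAROL", "to": "0xPOOL", "value": 4 * WEI},    # pass-through, but
    {"tx": "0xtx3", "from": "0xPOOL", "to": "0xDAVE", "value": 2 * WEI},     # a 50/50 split is
    {"tx": "0xtx3", "from": "0xPOOL", "to": "0xERIN", "value": 2 * WEI},     # not fee-like
]


def detect_split_forwarding(transfers, fee_band=(0.10, 0.25), tolerance=0.001):
    """Return one finding per (tx, intermediary) that matches the split pattern."""
    by_tx = defaultdict(list)
    for t in transfers:
        by_tx[t["tx"]].append(t)

    findings = []
    for tx, events in by_tx.items():
        inflow, outflows = defaultdict(int), defaultdict(list)
        for e in events:
            inflow[e["to"]] += e["value"]
            outflows[e["from"]].append(e)
        for addr, outs in outflows.items():
            total_in = inflow.get(addr, 0)
            if total_in == 0 or len(outs) < 2:
                continue
            total_out = sum(o["value"] for o in outs)
            if abs(total_out - total_in) > tolerance * total_in:
                continue  # keeps part of it: not a pure pass-through
            shares = sorted(o["value"] / total_in for o in outs)
            if fee_band[0] <= shares[0] <= fee_band[1]:
                findings.append({
                    "tx": tx,
                    "intermediary": addr,
                    "sources": sorted({e["from"] for e in events if e["to"] == addr}),
                    "recipients": [(o["to"], round(o["value"] / total_in, 4)) for o in outs],
                    "shares": [round(s, 4) for s in shares],
                })
    return findings


if __name__ == "__main__":
    for f in detect_split_forwarding(SAMPLE_TRANSFERS):
        print(f["tx"], f["intermediary"], "<-", f["sources"], "->", f["recipients"])
```

Run against a stream of aToken transfers, a hit on a given intermediary is a strong reason to alert on every later transaction that touches it, which is how a second victim of the same contract would surface within minutes rather than after a forum post.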