I wasn’t sure in which category I have to create this topic, so I created it in the Other category.
TLDR: My wallet was drained by a hacker and my Aave Polygon Supply USDT was drained from my wallet because it’s transferable.
Today I clicked a link on the Prime Protocol Twitter account and my wallet was drained. My wallet didn’t have big funds available in it. Almost all of my funds were on Aave. But after I signed the phishing signature, almost all of my Aave supplies were gone.
I created a ticket on Discord and one of the team members said aTokens are transferable, and a hacker can withdraw my aTokens to any wallet and then withdraw them from the Aave website to receive the normal token.
I am not a crypto newbie. I’ve been in crypto since the end of 2017. I know there are always risks, and when I use a dApp I take the responsibility. If I use a smart contract and the contract is exploited, it would be my responsibility.
But I think this issue is different. I trust the Aave smart contracts and the contract is working fine. But my funds are gone because aTokens are transferable. If aTokens were not transferable, the hacker couldn’t have drained my Aave supply. And I think it’s a security bug of Aave. Why do aTokens have to be transferable in the first place? I have my supply on Aave, and if I want to transfer my funds to a new wallet, I would withdraw on Aave, transfer the normal tokens to the new wallet and supply again.
I believe making aTokens transferable leads to a vulnerability for Aave users, and it needs to be fixed to avoid further accidents.
These are the TXs of my wallet being drained: