Make aTokens not-transferable so hacker can't drain Aave Supplies

I wasn’t sure in which category I should create this topic, so I created it in the Other category.

TLDR: My wallet was drained by a hacker, and my Aave Polygon USDT supply was drained from my wallet because it’s transferable.

Today I clicked a link on the Prime Protocol Twitter account and my wallet was drained. I didn’t have large funds sitting available in my wallet. Almost all of my funds were on Aave. But after I signed the phishing signature, almost all of my Aave supplies were gone.

I created a ticket on Discord and one of the team members said aTokens are transferable, and that a hacker can withdraw my aTokens to any wallet and then withdraw them from the Aave website to receive the normal token.

I am not a crypto newbie. I’ve been in crypto since the end of 2017. I know there are always risks, and when I use a dapp I take the responsibility. If I use a smart contract and the contract is exploited, it would be my responsibility.

But I think this issue is different. I trust the Aave smart contracts, and the contract is working fine. But my funds are gone because aTokens are transferable. If aTokens were not transferable, the hacker couldn’t have drained my Aave supply. And I think it’s a security bug of Aave. Why do aTokens have to be transferable in the first place? I have my supply on Aave, and if I want to transfer my funds to a new wallet, I would withdraw on Aave, transfer the normal tokens to the new wallet and supply again.

I believe making aTokens transferable creates a vulnerability for Aave users, and it needs to be fixed to prevent further accidents.

These are the TXs of my wallet being drained

Sorry for your losses

Their transferability is what allowed a whole ecosystem to grow on top of AAVE, making them more than just interest-bearing tokens.

For example, it boosts the yield of some tokens while they sit idle in a Curve pool without the need for anybody to write additional code. I could also speak about APWine, which allows you to hedge yourself against yield variation (also transferable, leading to additional bricks on top of it).

Also I am not denying your point, just trying to nuance it ^^

Finally, I believe it could fit in the “risk” category (?)