Suspicious transactions during Aave borrowing


it seems there is a suspicious transaction, which moved some of the aEthWETH (created during borrowing at Aave) from my account to a different account. Is this something Aave related?

Transaction hash: 0x09f8446f2cd2bbd5ed12edddc8d38988d7e9fd5f3ffdb86e1c0d113ce106b28d

Thanks for looking into it.




You got somehow scammed and your funds moved to a Phishing wallet. Not related to Aave, it must be something else you may have signed before or a malicious link.

Hi EzR3eal,

thanks for responding!

The Aave webiste i was using is The only other website website i connected the Metamask wallet (with cold wallet assigned) recently is the (likely a fake NFT drop, phishing attack), in order to approve the website to connect to the wallet (pic below). The access to the private keys is not possible wo the cold wallet seed phrase which i share with no one.

Have a couple of questions:

  1. How is it possible for the attacker to move the collateral created through Aave smart contracts?
    (ETH β†’ aETHwETH)? For the transaction at hand i was not online at the time, so unlikely i approved the transaction form the smart contract related to transaction: 0x1df7B652d428557044Cc15E22b7A6508E21caDa4

  2. Is it possible for the attacker to convert aETHwETH β†’ ETH? How would they do that?


Thanks for helping me understand!



Well it’s obviously a scam that drained your wallet. Etherscan is already flagging it.

You simply approved a contract to get access to your funds, if you would have used rabby this could have been prevented. As rabby simulates a transaction upfront.
And aETHwETH is just an asset, so if there is liquidity it can be exchanged to ETH.

1 Like


Thanks for the tip on Rabby - ill look into it.
Is the approaval transaction also recorded on the network? How can i check it?

What was interesting is that there were other coins on the account, however none of those were touched, very likely because the approval contract is related only to collateral used on Aave, e.g. aETHwETH. This suggests to me that the attackers vector of attack is focused around the way that Aave borrowing works.

One other recent example i managed to find here:

Every transaction is written on the Blockchain.