HypurrFi has disclosed a "rounding error" vulnerability in an early version of Aave V3 and has suspended new borrowing and lending on the XAUT0 and UBTC markets.

Svmuu News: HypurrFi, HyperEVM’s native non-custodial lending protocol, posted on X stating that versions of Aave V3 prior to 3.5 contain a “rounding error” vulnerability. Under specific conditions, attackers can exploit this vulnerability to extract underlying tokens by repeatedly executing supply/withdrawal and borrowing/repayment cycles. The affected markets are XAUT0 and UBTC within HypurrFi Pooled. User funds are currently not at risk. To ensure security, new supply and borrowing operations in the relevant markets have been suspended, while withdrawal and repayment functions remain operational. All other markets are operating normally. HypurrFi added that the issue was quickly detected on-chain via its internal monitoring system, and the affected markets were promptly frozen. The team is currently collaborating with other Aave deployments and security researchers to address the issue, and has invited other Aave fork projects to contact them for further security information.