Aurellion Labs, a decentralized finance project on Arbitrum, lost approximately $455,003 in USDC in a targeted smart contract attack on Tuesday, according to blockchain security firm SlowMist.
The incident highlights persistent risks in complex contract architectures like diamond proxies, even as the sector pushes for more sophisticated designs.
The attacker, operating from address 0x9f4…d5ca, exploited an unprotected initialize(address) function in the SafeOwnable Facet of the project’s diamond proxy contract at 0x0adc…f1b2.
According to SlowMist’s analysis, the contract allowed ownership to be set through a non-initialization path that failed to update the _initialized storage slot. This oversight left the door open for re-initialization.
Once in control, the attacker called diamondCut to inject a malicious facet containing a pullERC20 function. This enabled the rapid drainage of approved USDC tokens from multiple victim wallets.
The vulnerability underscores a common pitfall in Ethereum-based diamond architecture (EIP-2535), where initialization logic must be rigorously protected across all ownership assignment routes.
Security researchers have repeatedly warned that incomplete protection of initializer functions can lead to ownership hijacks, especially in proxy-based systems that rely on facets for modularity.
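A minimal Solidity sketch of the safeguard described above, added here as an illustration and not taken from Aurellion Labs' contracts or SlowMist's report: every ownership write goes through one internal function that also sets the initialized flag, so no assignment route can leave the initializer callable again. The library, storage slot string, contract name and error names are assumptions made for the sketch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Constructed sketch of an ownership facet using diamond storage.
// All names and the storage layout are hypothetical.
library OwnableStorage {
    bytes32 internal constant SLOT = keccak256("example.ownable.storage"); // hypothetical slot

    struct Layout {
        address owner;
        bool initialized;
    }

    function layout() internal pure returns (Layout storage l) {
        bytes32 slot = SLOT;
        assembly {
            l.slot := slot
        }
    }
}

contract HardenedOwnableFacet {
    error AlreadyInitialized();
    error NotOwner();
    error ZeroOwner();
    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);

    // Single writer for `owner`. Because the flag is set here, an owner can
    // never exist while `initialized` is still false, whichever path assigned it.
    function _setOwner(address newOwner) internal {
        if (newOwner == address(0)) revert ZeroOwner();
        OwnableStorage.Layout storage l = OwnableStorage.layout();
        emit OwnershipTransferred(l.owner, newOwner);
        l.owner = newOwner;
        l.initialized = true;
    }

    // One-shot initializer. Checking the owner as well as the flag keeps it
    // closed even if older code set an owner without touching the flag.
    function initialize(address initialOwner) external {
        OwnableStorage.Layout storage l = OwnableStorage.layout();
        if (l.initialized || l.owner != address(0)) revert AlreadyInitialized();
        _setOwner(initialOwner);
    }

    function transferOwnership(address newOwner) external {
        if (msg.sender != OwnableStorage.layout().owner) revert NotOwner();
        _setOwner(newOwner);
    }
}
```

The guard only blocks re-initialization; the first call is still open to any caller, so it has to run in the same transaction that adds the facet, for a diamond as the init call passed to diamondCut.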
As of now, Aurellion Labs has not issued an official statement on the breach or confirmed any recovery efforts. The stolen funds, valued at roughly $455,000 at the time of the exploit, represent a significant hit for the project.
This latest incident adds to a growing list of DeFi exploits in 2026, where attackers continue to target subtle logic flaws rather than flashy code bugs.
This is a developing story and more information will be added as the event unfolds.
