Date: January 30, 2026
Network: Base
Status: Aerodrome Lend is currently paused (new deposits/borrows disabled)

On January 29, 2026 we announced support for Aerodrome concentrated liquidity positions on Base:
https://paragraph.com/@revertfinance/revert-lend-now-supports-aerodrome-on-base

A few hours later, we received and verified a report of an exploit affecting the newly deployed Aerodrome Lend vault. We immediately disabled new deposits and new borrows via our emergency multisig and communicated the pause publicly:
https://x.com/revertfinance/status/2017087480772600157

• All user funds are safe.

• The USDC in the affected vault was 100% Revert team capital (no third‑party user deposits were in the pool at the time).

• Only the Aerodrome Lend vault on Base was affected. No other Revert vaults/products were impacted.

• This deployment had three independent audits (Cantina, PeckShield, HYDN). We are implementing fixes and will not re‑enable Aerodrome Lend without additional independent review/audit of the changes.

• Loss: ~50,101.744193 USDC (protocol‑owned / Revert team funds)

• User impact: none (no user funds in the affected pool)

• Affected component: Aerodrome Lend vault integration (Base)

A second exploit transaction occurred ~58 minutes after the first, from a different address.

• Jan 29, 2026: Aerodrome support announced (launch post linked above)

• Jan 30, 2026 ~02:31: Exploit transaction #1

• Jan 30, 2026 ~03:29: Exploit transaction #2

• Shortly after verification: New deposits and borrows disabled via emergency multisig; Aerodrome Lend paused

• Jan 30, 2026 14:14:21: Onchain recovery outreach sent to the address thatcontrol the exploited funds.

Aerodrome Lend allows Aerodrome Slipstream concentrated liquidity positions (NFTs) to be used as collateral in a lending vault, while optionally being staked for gauge rewards and autocompounding.

This incident was caused by an end‑to‑end invariant gap across multiple contracts involved in that flow.

The staking/automation layer (used to stake positions and execute position-management operations) included a pathway that allowed the position owner to execute operations that could materially change the position, even when that position was flagged as a vault-collateralized position.

In short, the attacker was able to withdraw liquidity from a collateralized (and staked) LP position while leaving the vault with an NFT that still existed but no longer represented the expected collateral value for the outstanding loan.

1. Flash‑loan funds were used to mint an Aerodrome Slipstream LP position (NFT).

2. The attacker deposited the NFT into the Aerodrome Lend vault as collateral.

3. The attacker borrowed USDC against that collateral.

4. The position was staked through the vault’s staking/manager flow.

5. The attacker used a GaugeManager execution path (via a utility contract) that temporarily unstakes the NFT and executes position‑management instructions.

6. That execution path did not enforce the constraints required for positions backing active debt, allowing liquidity to be withdrawn and routed to the attacker.

7. The flash loan was repaid and the borrowed USDC became profit.

The root cause was a missing safety constraint in the staking/management layer: a collateralized position with active debt could still be modified through an execution path in a way that reduced its collateral value without the vault preventing the action at the time it happened.

• Verified the report and confirmed the issue onchain.

• Disabled new deposits and new borrows for the Aerodrome Lend vault via emergency multisig.

• Communicated the pause publicly and began remediation.

Aerodrome Lend will remain paused while we:

• implement fixes to ensure collateralized positions cannot be modified in ways that break collateral backing,

• complete additional internal review and testing of the Aerodrome integration and surrounding flows,

• commission additional independent security review/audit specifically focused on the incident root cause and the final remediation.

We will publish follow‑up updates as we complete these steps. Aerodrome Lend will not be re‑enabled until the fixes are deployed and the additional independent review/audit is complete.

Prior to launch, the Revert Lend deployment and supporting components underwent three independent audits/reviews:

• Cantina:
  https://cantina.xyz/portfolio/cfb5a6a0-0061-4f14-ab5a-195ed6b7816d

• PeckShield:
  https://github.com/peckshield/publications/blob/master/audit_reports/PeckShield-Audit-Report-Revert-v4Utils-v1.0.pdf

• HYDN:
  https://github.com/hydnsec/audits/blob/main/Revert%20Finance%20-%20Lend/HYDN%20-%20Revert%20Finance%20Lend%20-%20aero%20-%20Audit.pdf

Audits reduce risk, but they are not a guarantee. We take responsibility for this incident and are adding additional review/audit before re‑enabling Aerodrome Lend.

After the incident, HYDN Security proactively reached out and assisted our team during incident response and remediation planning.

Thank you to the reporter who raised the issue quickly. If you believe you have found a vulnerability, please disclose it responsibly via the security contact listed in our documentation.

Date: January 30, 2026
Network: Base
Status: Aerodrome Lend is currently paused (new deposits/borrows disabled)

On January 29, 2026 we announced support for Aerodrome concentrated liquidity positions on Base:
https://paragraph.com/@revertfinance/revert-lend-now-supports-aerodrome-on-base

A few hours later, we received and verified a report of an exploit affecting the newly deployed Aerodrome Lend vault. We immediately disabled new deposits and new borrows via our emergency multisig and communicated the pause publicly:
https://x.com/revertfinance/status/2017087480772600157

• All user funds are safe.

• The USDC in the affected vault was 100% Revert team capital (no third‑party user deposits were in the pool at the time).

• Only the Aerodrome Lend vault on Base was affected. No other Revert vaults/products were impacted.

• This deployment had three independent audits (Cantina, PeckShield, HYDN). We are implementing fixes and will not re‑enable Aerodrome Lend without additional independent review/audit of the changes.

• Loss: ~50,101.744193 USDC (protocol‑owned / Revert team funds)

• User impact: none (no user funds in the affected pool)

• Affected component: Aerodrome Lend vault integration (Base)

A second exploit transaction occurred ~58 minutes after the first, from a different address.

• Jan 29, 2026: Aerodrome support announced (launch post linked above)

• Jan 30, 2026 ~02:31: Exploit transaction #1

• Jan 30, 2026 ~03:29: Exploit transaction #2

• Shortly after verification: New deposits and borrows disabled via emergency multisig; Aerodrome Lend paused

• Jan 30, 2026 14:14:21: Onchain recovery outreach sent to the address thatcontrol the exploited funds.

Aerodrome Lend allows Aerodrome Slipstream concentrated liquidity positions (NFTs) to be used as collateral in a lending vault, while optionally being staked for gauge rewards and autocompounding.

This incident was caused by an end‑to‑end invariant gap across multiple contracts involved in that flow.

The staking/automation layer (used to stake positions and execute position-management operations) included a pathway that allowed the position owner to execute operations that could materially change the position, even when that position was flagged as a vault-collateralized position.

In short, the attacker was able to withdraw liquidity from a collateralized (and staked) LP position while leaving the vault with an NFT that still existed but no longer represented the expected collateral value for the outstanding loan.

1. Flash‑loan funds were used to mint an Aerodrome Slipstream LP position (NFT).

2. The attacker deposited the NFT into the Aerodrome Lend vault as collateral.

3. The attacker borrowed USDC against that collateral.

4. The position was staked through the vault’s staking/manager flow.

5. The attacker used a GaugeManager execution path (via a utility contract) that temporarily unstakes the NFT and executes position‑management instructions.

6. That execution path did not enforce the constraints required for positions backing active debt, allowing liquidity to be withdrawn and routed to the attacker.

7. The flash loan was repaid and the borrowed USDC became profit.

The root cause was a missing safety constraint in the staking/management layer: a collateralized position with active debt could still be modified through an execution path in a way that reduced its collateral value without the vault preventing the action at the time it happened.

• Verified the report and confirmed the issue onchain.

• Disabled new deposits and new borrows for the Aerodrome Lend vault via emergency multisig.

• Communicated the pause publicly and began remediation.

Aerodrome Lend will remain paused while we:

• implement fixes to ensure collateralized positions cannot be modified in ways that break collateral backing,

• complete additional internal review and testing of the Aerodrome integration and surrounding flows,

• commission additional independent security review/audit specifically focused on the incident root cause and the final remediation.

We will publish follow‑up updates as we complete these steps. Aerodrome Lend will not be re‑enabled until the fixes are deployed and the additional independent review/audit is complete.

Prior to launch, the Revert Lend deployment and supporting components underwent three independent audits/reviews:

• Cantina:
  https://cantina.xyz/portfolio/cfb5a6a0-0061-4f14-ab5a-195ed6b7816d

• PeckShield:
  https://github.com/peckshield/publications/blob/master/audit_reports/PeckShield-Audit-Report-Revert-v4Utils-v1.0.pdf

• HYDN:
  https://github.com/hydnsec/audits/blob/main/Revert%20Finance%20-%20Lend/HYDN%20-%20Revert%20Finance%20Lend%20-%20aero%20-%20Audit.pdf

Audits reduce risk, but they are not a guarantee. We take responsibility for this incident and are adding additional review/audit before re‑enabling Aerodrome Lend.

After the incident, HYDN Security proactively reached out and assisted our team during incident response and remediation planning.

Thank you to the reporter who raised the issue quickly. If you believe you have found a vulnerability, please disclose it responsibly via the security contact listed in our documentation.