According to a SlowMist alert, Eldel Finance suffered an attack with losses of about $350,000
The vulnerability stems from the price source's latestAnswer() function reading the ERC4626 vault's convertToAssets(), while the vault's totalAssets() directly uses the underlying asset balance. The attacker manipulated the price by directly transferring (donating) assets to the vault.
The attacker used a flash loan combined with a donation attack to steal about $350,000 from the Aave Pool and some reserves. The attacker's address is 0x58428161bb55c14a413945f06cbdec157f411c76.
Source: Public information
ABAB AI Insight
SlowMist has previously disclosed similar DeFi vulnerabilities. The Eldel Finance incident follows the familiar pattern of manipulation risk in ERC4626 vault and oracle integration, closely resembling recent donation-attack cases.
In terms of capital pathways, the attacker used flash loans for low-cost price manipulation, motivated by the rapid extraction of liquidity-pool funds, exposing gaps in how DeFi protocols design their price feeds.
Similar to past attacks on protocols like Curve and Balancer that exploited similar mechanisms, the DeFi lending and vault sector is now in a phase of strengthening audits of oracle and asset-conversion logic.
Essentially, this reflects a shift driven by technical alternatives or regulatory change. The simplified design of having totalAssets() read the raw balance directly under the ERC4626 standard was exploited by attackers, accelerating the concentration of capital in protocols with robust oracles and anti-donation mechanisms, and reshaping DeFi security standards and capital flows.
ABAB News · Cognitive Law
When a price source reads the vault balance, donation attacks become low-cost leverage for price manipulation. The flash loan + donation combination shows that DeFi security is always one step behind attackers. Simplified designs bring efficiency but also structural risks that can be directly exploited.
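As an added illustration of the mechanism described in the alert and restated above (not Eldel Finance's code, nor a reconstruction of the actual contracts), the Python model below simulates the ERC4626 share-price math: a latestAnswer() derived from convertToAssets() over a totalAssets() that mirrors the raw balance moves with a donation, whereas an internally tracked totalAssets() does not. Vault sizes, the donation amount and the 5% deviation guard are constructed values.

```python
# Added illustration (not Eldel Finance's code): ERC4626 share-price math
# under a donation, with integer arithmetic. All numbers are constructed.

WAD = 10**18  # 18-decimal fixed-point unit, as in most ERC20/ERC4626 tokens

class BalanceBasedVault:
    """totalAssets() mirrors the raw token balance, so a direct transfer
    ("donation") counts as yield without any shares being minted."""
    def __init__(self, assets, shares):
        self.balance = assets        # underlying tokens held by the vault
        self.total_supply = shares   # outstanding vault shares
    def total_assets(self):
        return self.balance
    def donate(self, amount):
        self.balance += amount       # balance grows, supply does not
    def convert_to_assets(self, shares):
        # ERC4626 conversion: shares * totalAssets / totalSupply (floor)
        return shares * self.total_assets() // self.total_supply

class TrackedVault(BalanceBasedVault):
    """Hardened variant: totalAssets() returns an internally tracked figure
    that only deposits, withdrawals and harvests update, so donations are ignored."""
    def __init__(self, assets, shares):
        super().__init__(assets, shares)
        self.tracked = assets
    def total_assets(self):
        return self.tracked

def latest_answer(vault):
    """Oracle adapter pattern from the alert: value of one share in asset units."""
    return vault.convert_to_assets(WAD)

def price_within_bound(before, after, max_bps=500):
    """Consumer-side guard (constructed): reject a reading that moves more than
    max_bps between two observations; 500 bps = 5% is an arbitrary choice."""
    return abs(after - before) * 10_000 <= before * max_bps

def simulate(vault_cls, donation):
    """Returns (price before donation, price after, guard accepted?)."""
    v = vault_cls(assets=1_000 * WAD, shares=1_000 * WAD)
    before = latest_answer(v)
    v.donate(donation)
    after = latest_answer(v)
    return before, after, price_within_bound(before, after)

if __name__ == "__main__":
    for cls in (BalanceBasedVault, TrackedVault):
        before, after, ok = simulate(cls, 1_000 * WAD)
        print(f"{cls.__name__}: {before / WAD:.2f} -> {after / WAD:.2f}, bounded={ok}")
```

A donation equal to the vault's holdings doubles the balance-based price in a single transaction while leaving the tracked price unchanged, which is exactly the movement a deviation guard on the feed consumer would flag.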