Aurellion Labs Exploit Drains $456K After Diamond Proxy Initialization Flaw

12-May-2026 Crypto Adventure

Aurellion Labs suffered a smart-contract exploit on Arbitrum after an unverified EIP-2535 Diamond proxy was abused through an initialization flaw, according to alerts from security researchers.

Blockaid warned that the exploit hit an unverified Diamond proxy on Arbitrum and estimated the loss at about $456,000. The firm tied the incident to an uninitialized Diamond setup and an unprotected initialize() function, a class of proxy risk that can let an attacker seize control paths that should have been locked during deployment.

SlowMist later placed the loss at 455,003 USDC and gave a more detailed root-cause read. Its alert said the vulnerable path involved an unprotected initialize(address) function in the SafeOwnable Facet. According to SlowMist-linked reporting, the attacker reentered the initialization flow, tampered with the contract owner, then used diamondCut to inject a malicious Facet containing pullERC20, allowing authorized USDC assets to be transferred out.

The incident is narrow in technical terms but serious in security impact. A Diamond proxy lets developers split protocol logic across multiple facets while keeping a shared contract address. That modularity is useful for complex DeFi systems, but ownership and initialization controls become critical. If the initialization path can be reused or reached through an unintended route, the proxy can become a control surface rather than a protection layer.
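To make the failure class concrete, the following is an added illustration (not Aurellion's code, and not the audited contracts) of an EIP-2535 ownable facet whose initializer is left open, beside a hardened version that records a one-shot flag in diamond storage before touching the owner. The storage slot string, struct fields, and contract names are assumed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Diamond-storage layout shared by every facet behind the proxy.
// Slot string and struct fields are assumed names for this example.
library OwnableStorage {
    bytes32 internal constant SLOT = keccak256("example.diamond.ownable.storage");

    struct Layout {
        address owner;
        bool initialized; // one-shot flag; absent in the vulnerable variant
    }

    function layout() internal pure returns (Layout storage l) {
        bytes32 slot = SLOT;
        assembly { l.slot := slot }
    }
}

// Vulnerable pattern: any caller can invoke initialize() at any time, and
// nothing records that it already ran, so the owner can be rewritten later.
contract UnsafeOwnableFacet {
    function initialize(address newOwner) external {
        OwnableStorage.layout().owner = newOwner;
    }
}

// Hardened pattern: the flag is set before any other effect and a second call
// reverts, so ownership can be assigned exactly once, by whoever deploys first.
contract SafeOwnableFacet {
    error AlreadyInitialized();
    error ZeroOwner();

    event OwnershipInitialized(address indexed owner);

    function initialize(address newOwner) external {
        OwnableStorage.Layout storage l = OwnableStorage.layout();
        if (l.initialized) revert AlreadyInitialized();
        if (newOwner == address(0)) revert ZeroOwner();
        l.initialized = true; // effects first: closes any reentrant re-initialization
        l.owner = newOwner;
        emit OwnershipInitialized(newOwner);
    }

    function owner() external view returns (address) {
        return OwnableStorage.layout().owner;
    }
}
```

Because diamondCut() is the privileged upgrade path, its access check should read the same owner slot, and the deployer should run the initializer in the same transaction as the first diamondCut (via its _init/_calldata parameters) so there is no window in which the proxy exists with no owner.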

Proxy Controls Return To The Center Of DeFi Risk

Aurellion Labs posted a public response after the security alerts. The open questions are whether the team confirms the full affected contract set, user impact, recovery path, and any remediation for approvals or exposed funds. At publication time, the clearest technical findings come from Blockaid and SlowMist, while a full postmortem from the project remains the key missing document.

The attack fits a broader pattern across recent DeFi incidents. Exploiters are increasingly targeting control paths, upgrade surfaces, approval flows, and misconfigured proxy logic rather than only obvious arithmetic or swap-pricing bugs. A recent Arbitrum incident around Renegade’s dark pool exploit also involved an unprotected initializer, while a wider Ethereum smart-contract attack wave showed how access-control gaps can turn small contract assumptions into real losses.

For users, the immediate question is not whether Arbitrum itself was compromised. The issue appears tied to Aurellion’s contract logic and authorization path. That distinction matters because Layer 2 infrastructure can keep operating normally while a single application-level contract remains vulnerable.

The concrete damage is already measurable: about 455,000 USDC left through a proxy-control failure flagged by two security firms. Aurellion’s next update needs to settle the operational questions that matter most for users, including whether any approvals should be revoked, whether remaining contracts are paused or patched, and whether recovery talks, compensation, or a full technical postmortem will follow.

