The user attempted to purchase $50 million worth of AAVE in USDT through the Aave interface.
Given the unusually large size of the single order, the Aave interface, like most trading platforms, warned the user about significant slippage and required confirmation via a checkbox. The user confirmed the warning on their mobile device and proceeded with the swap, accepting the high slippage. This ultimately resulted in him receiving only 324 AAVE in return.
The transaction could not have proceeded without the user explicitly accepting the risk by checking the checkbox.
The CoW Swap routers worked as expected, and the integration was in line with standard industry practices. However, although the user was able to complete the swap, the end result was clearly far from optimal.
Such incidents do occur in DeFi, but the scale of this transaction was significantly larger than what we usually encounter in this area.
We sincerely sympathize with the user, will try to contact them, and will return $600,000 in fees earned from this transaction.
The main takeaway is that while DeFi should remain open and permissionless, allowing users to freely transact, the industry has the power to create additional safeguards to better protect users. Our team will explore ways to improve these security measures in the future.
To be more precise, the problem was not slippage, but rather that the user accepted a quote with a strong price impact, received a warning, and consciously agreed to proceed with the transaction. A more detailed technical analysis is available here.
Mev bot Titan Builder extracted $34 million worth of ETH from this transaction and immediately transferred these funds to Coinbase.
