This content is provided by a sponsor
December 16, 2025 – Web3 Antivirus has identified a DeFi incident that resulted in a loss of approximately $563,000 after a user unknowingly approved a malicious token permit while attempting to withdraw funds from Aave and Compound.
According to on-chain analysis by Web3 Antivirus, the affected wallet was created around 209 days prior to the incident and showed relatively limited activity, with just 22 transactions in total. Most of the wallet’s history consisted of deposits into well-known DeFi protocols, including Aave, Compound, and MakerDAO, suggesting routine yield-farming behavior rather than high-risk trading.
Roughly 131 days before the incident, the user deposited about $301,000 in USDT into Aave, receiving aEthUSDT in return. Around 73 days later, the user deposited an additional $243,000 in USDT into Compound, receiving Compound-issued USDT tokens.
The loss occurred when the user attempted to withdraw funds from these positions. On-chain data indicates that the user first tried to interact with Compound but encountered repeated transaction errors. The user then proceeded to Aave, where a malicious permit approval was granted to an attacker-controlled address. Shortly after the approval, the attacker drained the entire aEthUSDT balance, transferring assets worth approximately $563,778 to a single destination address.
Yield farming turned into a $563,778 loss.
One wrong approval and when the user unlocked, Aave + Compound funds went to the wrong address.
Slow down. pic.twitter.com/dn586eclBH
— Web3 Antivirus (@web3_antivirus) December 15, 2025
After the initial drain, the user continued interacting with Compound, approving tokens in what appears to have been a planned withdrawal flow. Only afterward did the user attempt to revoke permissions via a token approval management tool, but by that point the primary funds had already been stolen.
Based on the on-chain activity, the incident appears consistent with a phishing scenario in which a deceptive interface was used to capture a malicious approval.
“This case highlights how even experienced DeFi users can lose significant funds through a single malicious approval,” Web3 Antivirus said. “Yield-farming activity often involves repeated interactions across protocols, which makes phishing approvals particularly dangerous when users are focused on completing planned actions.”
The incident serves as a reminder that permit signatures and token approvals remain among the most exploited attack vectors in DeFi, and that losses can occur even when private keys are not compromised.
Web3 Antivirus notes that incidents like this highlight the need for protection at both the user and platform level. For users, this means clear warnings before signing high-risk approvals. For wallets, exchanges, and DeFi platforms, it means monitoring transaction intent and approval behavior in real time to prevent malicious flows before funds move.
As phishing tactics increasingly target routine DeFi actions rather than private keys, pre-transaction detection is becoming a critical layer of defense across the ecosystem.
This publication is provided by the client. Cointelegraph does not endorse and is not responsible for or liable for any content, accuracy, quality, advertising, products, or other materials on this page. Readers should do their own research before taking any actions related to the company. Cointelegraph is not responsible, directly or indirectly, for any damage or loss caused or alleged to be caused by or in connection with the use of or reliance on any content, goods, or services mentioned in the press release.

