SlowMist: Aurellion Labs contract hit by a reinitialization attack, losing approximately 455,000 USDC
SlowMist issued a security alert stating that Aurellion was attacked, resulting in a loss of approximately 455,003 USDC (about $455,000).
According to the analysis, the root cause is that the initialize(address) function of the SafeOwnable facet lacked an effective guard. Because the Diamond contract set its owner without going through the initialize path, the _initialized version slot was never updated, so the guard still saw an uninitialized state and the attacker was able to reinitialize the contract and take over owner permissions.
With owner rights in hand, the attacker called diamondCut to add a malicious facet and used its pullERC20 function to transfer USDC from users who had granted the contract a token allowance, completing the theft.
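The following Solidity sketch is an added illustration of the bug class described above, not Aurellion's code or SlowMist's analysis artifacts: all contract names, the storage slot string and the field names are assumptions. It shows a Diamond-storage owner facet whose initialize guard depends only on a version marker, a diamond constructor that writes the owner directly and so never stamps that marker, and a hardened pair that closes the gap.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical reconstruction of the bug class; names are assumptions, not Aurellion's code.

library OwnableStorage {
    // Diamond-storage pattern: the diamond and every facet read the same slot.
    bytes32 internal constant SLOT = keccak256("example.safeownable.storage");

    struct Layout {
        address owner;
        uint8 initializedVersion; // the "_initialized" marker the guard relies on
    }

    function layout() internal pure returns (Layout storage l) {
        bytes32 s = SLOT;
        assembly { l.slot := s }
    }
}

// Vulnerable facet: the only thing between any caller and ownership is a version
// marker that is written nowhere except inside initialize() itself.
contract VulnerableSafeOwnableFacet {
    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);

    function initialize(address newOwner) external {
        OwnableStorage.Layout storage l = OwnableStorage.layout();
        require(l.initializedVersion < 1, "SafeOwnable: already initialized");
        l.initializedVersion = 1;
        emit OwnershipTransferred(l.owner, newOwner);
        l.owner = newOwner; // no check that owner is still unset, no access control
    }
}

// The root cause lives in the diamond as much as in the facet: the deployer writes
// the owner straight into diamond storage and never bumps initializedVersion, so the
// guard above still reads 0 after deployment and anyone can "initialize".
contract ExampleDiamondBuggy {
    constructor() {
        OwnableStorage.layout().owner = msg.sender; // bypasses initialize()
    }
    // The facet-routing fallback is irrelevant to the storage bug and left out.
}

// Hardened facet: refuse to run once an owner exists, independently of the version
// marker, so an inconsistent "owner set, version 0" state cannot be exploited.
contract HardenedSafeOwnableFacet {
    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);

    function initialize(address newOwner) external {
        OwnableStorage.Layout storage l = OwnableStorage.layout();
        require(l.initializedVersion == 0, "SafeOwnable: already initialized");
        require(l.owner == address(0), "SafeOwnable: owner already set");
        require(newOwner != address(0), "SafeOwnable: zero owner");
        l.initializedVersion = 1;
        emit OwnershipTransferred(address(0), newOwner);
        l.owner = newOwner;
    }
}

// Hardened diamond: set the owner only through the code path that also stamps the
// version marker, so storage is never left half-initialized.
contract ExampleDiamondFixed {
    constructor(address safeOwnableFacet) {
        (bool ok, ) = safeOwnableFacet.delegatecall(
            abi.encodeWithSignature("initialize(address)", msg.sender)
        );
        require(ok, "SafeOwnable: init failed");
    }
}
```

Two checks follow from this. After deploying a diamond, read the owner facet's storage slot on chain (for example with Foundry's `cast storage <diamond> <slot>`) and confirm the version marker is nonzero, and include a test that calls initialize from an unprivileged account and expects a revert. Separately, users who hold a standing ERC-20 allowance toward a diamond are exposed to any facet its owner adds later, which is how the pullERC20 drain worked here, so limit and revoke such allowances.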