A decentralized finance user suffered losses of $50.4 million after swapping aEthUSDT for aEthAAVE via a CoW Swap widget on the Aave protocol, ultimately receiving just $36,000 in return. This event has drawn attention across DeFi circles, given the scale of the loss and the interplay of technical and human factors that led to the failed transaction.
Critical System Gaps And User Oversight
The trade took place on Aave, a leading DeFi lending and borrowing platform founded in 2017, which supports pooled assets and allows users to earn interest or borrow by collateralizing tokens. CoW Swap, an Ethereum-based decentralized exchange aggregator, facilitates trades by routing user orders through the most efficient liquidity sources using a novel solver competition mechanism.
The Aave user in question confirmed a warning of 99.9% price impact before proceeding with the swap. According to the protocol’s post-mortem, this alert was displayed clearly, but the user still authorized the action, which left their transaction exceptionally vulnerable to slippage and market manipulation.
CoW Swap’s own review of the event described two major technical faults. First, a legacy hardcoded gas ceiling rejected alternative quotes that could have routed the swap more safely and efficiently. Second, the protocol’s winning solver failed to complete the transaction on-chain, defaulting to less optimal liquidity routes.
How The Transaction Led To MEV Exploits
A suspected leak to the Ethereum mempool—where pending transactions wait to be mined—made this private swap publicly visible before finalization. This exposure allowed automated MEV (Maximal Extractable Value) bots to observe and manipulate the order.
Because of the chain of technical blockers, the swap was routed through a SushiSwap AAVE/WETH pool that held just $73,000 in liquidity, far below what was needed for a transaction of this scale. The trade size caused severe slippage, resulting in the massive loss for the user.
After spotting the transaction in the mempool, an MEV bot executed a sandwich attack: it bought AAVE ahead of the user’s trade, causing the price to spike, and then sold after the user’s transaction went through. This swift manipulation generated around $9.9 million in profits for the bot.
The bot coordinated with Titan Builder, a block-building service in the Ethereum ecosystem, to secure the timing and ordering of the relevant transactions. Titan Builder extracted approximately $34 million in ETH for enabling this sequencing, amplifying the total value siphoned from the event.
Both Aave and CoW Swap have responded. CoW Swap has adjusted its gas limits to enable more flexible and secure routing, while Aave is rolling out the “Aave Shield” upgrade, which will block swaps with price impacts exceeding 25% by default. Developers from both protocols have emphasized efforts to address system vulnerabilities exposed by this incident and aim to reduce the risk of similar losses for users in the future.
