This repository contains a sanitized incident report about a Base Aave V3 Pool behavior that can brick non-upgradeable helper contracts that rely on:
Pool.repay(asset, type(uint256).max, rateMode, onBehalfOf)
when the caller is a third-party contract and onBehalfOf != msg.sender.
docs/incidents/INCIDENT.md– summary + root cause (no operational secrets)docs/incidents/EVIDENCE.json– on-chain helper balance + revert selector + static-call proof (redacted owner address)docs/incidents/AAVE_MESSAGE.md– copy/paste message for Aave governance forum + Discord
- No private keys, RPC keys,
.env - No step-by-step salvage playbooks from compromised wallets
- No additional scripts beyond read-only proof