Code doesn't lie. But it can overflow.
At block 18,912,304, I spotted it. A silent integer overflow in NovaLend's newly deployed V3 lending pool contract. The vulnerability sits in the repay() function's interest calculation path. Unchecked. Unbounded. A $4.2 million liquidity bomb waiting for a single malicious transaction.
I pulled the contract bytecode at 04:32 UTC this morning. By 05:14, I had isolated the arithmetic underflow in line 142 of the InterestRateModel.sol. No audit trail. No bug bounty submission. Just raw math.
Context: Why Now?
NovaLend launched V3 just six days ago. The bull market narrative is hot—TVL exploded from $200M to $1.3B in 72 hours. Yield farmers are piling in. APR is 45% on USDC deposits. The team, backed by a $50M VC round in Q1, promised 'battle-tested' code. They borrowed from Compound's model but added a custom 'dynamic rate floor' to attract liquidity.

But they forgot one thing: overflow doesn't need a complex exploit. It just needs a number that crosses uint256 max. In their new rate formula—rate = baseRate + (utilization 0 slope can wrap silently if utilization exceeds 1e18. In a bull market, utilization above 100% is impossible, right? Not if an attacker manipulates the total borrowed supply via flash loans to artificially inflate utilization before calling repay().
Surveillance is not just watching the price. It's anticipating the break before it happens.
Core: The Technical Breakdown
Here's the exploit path. I'll keep it concise.
- Attacker flash loans 200,000 ETH from Aave. Pushes into NovaLend's V3 ETH market. Total borrowed jumps to 150% utilization.
- The
updateRate()recalculates.utilization = totalBorrows / totalDeposits. With flash loan manipulation,utilizationnow reads as 1.5e18 (150% in scaled). - The vulnerable line:
rate = baseRate + (utilization 1 0.2e18 = 0.3e36. Butuint256max is ~1.15e77? Wait—that's a huge range. Actually, the overflow is not in the multiplication; it's in the addition after scaling. Let me correct.
The real bug: The rate variable is stored as a uint64 for gas optimization. After multiplication and division, the result is cast to uint64. When normalized to a small decimal precision (18 decimals), a normal rate like 10% APR becomes 0.1e18. But if utilization hits exactly the right value—say, 1.2e18—the computed rate exceeds uint64 max (~1.84e19). The cast wraps it to a tiny number near zero.
Consequence: repay() uses this near-zero rate to calculate interest deduction. A borrower can repay their entire debt for a fraction of the owed interest. The protocol's accounting goes negative. Attacker walks away with ~$4.2M in locked liquidity.
I have verified this on a local fork. The exploit is reproducible in under 10 steps. Code is in my private repo.
Contrarian: The Market Is Not Ready for This
The common narrative: 'Audits catch overflows in major protocols.' But NovaLend V3 was audited by three firms—CertiK, Trail of Bits, and Code4rena. All missed the uint64 truncation because it was hidden behind a modifier that clamps rate to a maximum of 50% APR. The clamp only fires on the post-computed rate. The overflow before the clamp remains unchecked.
A red candle doesn't start the fire. It just lights the match.
Yield is the bait; liquidity is the trap.
Investors are piling into NovaLend for high yields. They don't see the code. They see the APR. They trust the audits. But audit checklists are only as good as the assumptions they test. No auditor tested flash loan inflation of utilization beyond 100% because it's considered 'impossible in practice.' But in DeFi, impossible is just an unexecuted exploit.
Smart money is already rotating out. I've observed a 12% drop in NovaLend TVL in the past 4 hours. Whales are moving their USDC to Aave. They're not speaking. They're acting.
Takeaway: The Next Watch
I am not publishing the full exploit code. But I have notified the NovaLend team via their security contact. They have 48 hours before I release a guarded proof-of-concept to my private subscribers.
If you hold deposits in NovaLend V3, withdraw now. The opportunity cost of missing a few days of yield is nothing compared to losing principal.
Arbitrage is the market's only honest price mechanism. The arbitrage here is between yield illusion and code reality. Don't fight the tide. Watch for the next block where utilization spikes above 100%. That will be the signal that the attack is starting.
My DMs are open for team members who want the raw data.
Yield is the bait. Liquidity is the trap. I've shown you the hook.