LEGALAUDIT

Scam Watch

How can you recognize Fake Aave/Compound clone — backdoored lending?

TLDR

Clone protocol forks Aave/Compound, adds backdoor in price oracle or admin function. User deposits, dev exploits to drain pool. Examples: Swaprum ($3M, 'CertiK audited'), CompounderFinance ($10M). Indicators: (1) forked from Aave V2/V3 but...

How it works

Clone protocol forks Aave/Compound, adds backdoor in price oracle or admin function. User deposits, dev exploits to drain pool. Examples: Swaprum ($3M, 'CertiK audited'), CompounderFinance ($10M). Indicators: (1) forked from Aave V2/V3 but...

Red flags

  • Urgent pressure to click, pay, or share codes immediately.
  • A link or sender that does not match the official organization.
  • Requests for card data, passwords, OTPs, wallet signatures, or bank transfers.

What to do

  1. 1Indicators: (1) forked from Aave V2/V3 but non standard oracle (centralised dev wallet sets price); (2) deployer has admin role on PriceOracle/Configurator without timelock; (3) frontend on cheap domain; (4) audit cited but unverifiable on auditor site; (5) TVL hockey sticks then drained.
  2. 2WHAT TO DO: use Aave/Compound/Spark/Morpho only on canonical domains.
  3. 3For forks, verify multi sig + timelock on every admin role via Etherscan.

Source

Aave-Security

Source reviewed by Mythos Forensic Team

https://docs.aave.com/security

FAQ

Is Fake Aave/Compound clone — backdoored lending a real scam pattern?

Yes. Treat the message, call, or payment request as suspicious until you verify it through an official channel.

What are the first warning signs?

Urgent pressure to click, pay, or share codes immediately.; A link or sender that does not match the official organization.; Requests for card data, passwords, OTPs, wallet signatures, or bank transfers.

What should I do first?

Indicators: (1) forked from Aave V2/V3 but non standard oracle (centralised dev wallet sets price); (2) deployer has admin role on PriceOracle/Configurator without timelock; (3) frontend on cheap domain; (4) audit cited but unverifiable on auditor site; (5) TVL hockey sticks then drained.; WHAT TO DO: use Aave/Compound/Spark/Morpho only on canonical domains.; For forks, verify multi sig + timelock on every admin role via Etherscan.

Can LegalAudit check my case?

Yes. Start a free chat and paste the message, link, sender, or payment details for triage.