The guardian has become the reaper. An internal configuration error caused the largest DeFi lending protocol to mistakenly harm 34 accounts.
Written by: Sanqing, Foresight News
In the early hours of March 11, the decentralized lending protocol Aave experienced a rare and unusual liquidation. There was no market crash or external attack, but approximately $27 million in lending positions were forcibly liquidated within hours, and 34 accounts, totaling approximately 10,938 wstETH, were "harvested" by an on-chain liquidation bot.
Image source: CHAOS LABS Clearing Data Tracking
Aave's risk management partner, Chaos Labs, was the first to respond on X, with its CEO, Omer Goldberg, stating unequivocally: "No bad debts have been incurred, and all affected users will receive full compensation." Aave Labs founder Stani Kulechov subsequently also posted on X: "The Aave protocol itself remains unaffected."
The guardian has become the reaper.
Unlike most liquidation events, this one did not involve a market crash, external attacks, or distortion of price feed data. Aave's risk management partner, Chaos Labs, later clarified the facts in a post-mortem report published on the Governance Forum.
The underlying oracle's quotes were perfectly accurate. The real culprit was an internal security module called CAPO (Capped Asset Price Oracle). This was a mechanism specifically designed to prevent price manipulation, but in this case, it unexpectedly became a liquidation trigger for users while acting as a "guardian."
When dealing with yield-generating tokens like wstETH that continuously accumulate staking rewards, Aave sets a price growth cap to prevent people from artificially inflating the token exchange rate to artificially increase the valuation of collateral.
CAPO relies on two parameters working together: snapshotRatio (a snapshot exchange rate, subject to on-chain hard constraints, with a maximum increase of 3% every 3 days) and snapshotTimestamp (a snapshot timestamp, without equal rate limits). These two should be updated synchronously; if they are out of sync, the calculated "maximum allowed exchange rate" will deviate from the true market price.
This misalignment occurred precisely in this way. The system attempted to update the snapshot exchange rate from approximately 1.1572 to the target value of 1.2282, but due to rate constraints, it could only proceed to 1.1919; meanwhile, the timestamp jumped directly to the anchor point corresponding to 7 days prior without any hindrance.
The two parameters are updated independently and are not aligned with each other, resulting in CAPO's final calculated maximum allowed exchange rate for wstETH being approximately 1.1939, which is about 2.85% lower than the actual market price.
Image source: Chaos Labs Governance Forum Post-Mortem
In a normal position, a deviation of 2.85% might just be noise; however, in Aave's E-Mode (high-efficiency mode), users can borrow and lend at a leverage ratio far higher than in the normal mode, making the position extremely sensitive to price deviations.
The protocol's systematic undervaluation of wstETH pushed a batch of positions that were above the safety threshold past the liquidation line, and the on-chain bots did the rest.
In terms of profit flow, liquidators received approximately 116 ETH as normal liquidation rewards; another approximately 382 ETH came from arbitrageurs profiting from the arbitrage difference between the protocol's undervalued price and the market's true price.
A total of approximately 499 ETH (equivalent to about $1.27 million) flowed out of the affected users' positions. The outcome at the protocol level was clean and decisive: zero bad debts, the liquidity pool remained unscathed, and the entire loss only affected the addresses of 34 users whose accounts were liquidated.
Chaos Labs: We will compensate you in full.
The company most directly affected by the incident was actually the risk management firm, Chaos Labs. CEO Omer Goldberg stated explicitly on X: "Every affected user will receive a full refund." He also acknowledged that the configuration error with the risk oracle, as a core infrastructure of the protocol, was a serious lesson, and the team will conduct a comprehensive review of the parameter update process.
Image source: Omer Goldberg tweet
In terms of compensation execution, Chaos Labs has recovered approximately 141.5 ETH through BuilderNet. Combined with additional funds from the Aave DAO treasury, the compensation cap is expected to be approximately 345 ETH (about $870,000) to cover all affected accounts.
During the emergency response phase, the team first temporarily reduced the wstETH borrowing limit for the affected instances (Core and Prime) to 1, manually realigned the two snapshot parameters through the Risk Steward mechanism, and restored the borrowing limit to its original value (Core: 180,000, Prime: 70,000) after the repair was completed.
The oracle problem is not a new topic.
This isn't the first time the DeFi world has been devastated by oracle issues. Just recently (February 18th), the lending protocol Moonwell, due to an oracle misconfiguration, briefly priced cbETH at approximately $1 (market price around $2200), ultimately resulting in nearly $1.8 million in bad debt. Earlier incidents like the Mango Markets manipulation and the Euler Finance vulnerability have also left lessons worth hundreds of millions of dollars.
However, this Aave incident is unique. The cause of the error was not external data, but rather the security layer built within the protocol itself specifically to combat manipulation. Under certain conditions, this "shield" has become a dangerous blade.
"Code is Law" is the tenet of decentralized finance. The automated execution of smart contracts eliminates the space for human intervention, but it also means that a mismatch in every line of parameters may complete an irreversible operation without the user's knowledge.
Chaos Labs' compensation commitment may mend the cracks at the economic level, but a more fundamental fix must occur at the engineering level. This includes parameter update verification, consistency checks on on-chain constraints, and a real-time monitoring mechanism that can issue alerts before errors occur.
