Blast L2-based lending platform makes costly error, liquidating users for $26M

Pac Finance, a crypto lending platform on the Ethereum L2 Blast, made a costly error while updating its ezETH market parameters yesterday.

The resulting $26 million of liquidations, spotted by Parsec founder Will Sheehan, affected at least a dozen addresses, though the worst-hit user lost the lion’s share, at $24 million.

Responding to Sheehan, the Pac Finance team explained that the bloodbath had been caused by human error; instead of adjusting the loan-to-value ratio (LTV) as planned, the liquidation threshold was changed ‘unexpectedly’ and ‘without prior notification to our team.’


However, the team’s explanation only led to more questions. For example, by stating that the address that made the adjustment didn’t notify the team, the explanation implies that a third party is able to make changes to key parameters.

Some questioned why a non-team member was able to make such important changes, as it remains unclear why Pac Finance didn’t use a multisig wallet or timelock. This led others to doubt the credibility of the platform altogether.

Points, yield, and forked code 

Blast was spun up following a controversial launch in November last year, promising ‘native yield’ on assets held on the Ethereum L2.

Following the announcement of the ‘points’ program, users quickly deposited hundreds of millions of dollars worth of ETH and stablecoins into the Blast ‘bridge,’ which was nothing more than a multisig account of anonymous signers.

Many projects rushed to capitalize on the captive TVL, ready for when Blast went live in February. However, the rush led to issues both at the protocol level and in the form of trivial hacks affecting individual projects.

The chain has also come under scrutiny for the level of centralization, underlined in the recent response to the $62 million hack of NFT game Munchables, the funds from which were later returned.

Pac Finance is a ‘fork’ of Aave, the top lending protocol in the decentralized finance (DeFi) sector. Many teams copy the open-source code from successful DeFi projects, rapidly deploying it on new chains to pick up new users.

Aave founder Stani Kulechov remarked on the dangers of forking established projects when the details of the underlying code may be poorly understood.


In contrast to Pac Finance, any changes to Aave’s parameters must pass protocol governance, voted on by token holders and scrutinized by risk management consultants. 

While the system is not without its faults, the checks and balances in place ensure costly mistakes such as Pac Finance’s $26 million blunder are spotted before being executed.
