Almost $27 million worth of liquidations were triggered on DeFi lending giant Aave yesterday, thanks to a faulty price cap oracle update.

The Correlated Asset Price Oracle (CAPO), run by risk manager Chaos Labs, sets caps for the price ratio between correlated assets, in order to protect against price manipulation attacks on the protocol.

In a post to the Aave governance forum, Chaos Labs explained that, due to a timestamp mismatch, the price ratio between wstETH and stETH was capped below the current market rate, causing a price drop of 2.85%.

This was enough to liquidate those positions close enough to the liquidation threshold.

The company’s dashboard (filtered for wstETH) shows $21.2 million of liquidations on Aave’s Ethereum Core instance, and a further $5.7 million on its Prime instance.

Chaos Labs’ founder, Omer Goldberg, promised that “all affected users will be fully reimbursed.” He says that, since launching over a year ago, its oracles “have streamed over 1,200 payloads for ~3k+ parameters, with zero incidents.”

While the protocol didn’t suffer bad debt, liquidators profited approximately 500 ether (ETH) worth $875,000. Around 30% of this (154 ETH) was recovered, and will be used to reimburse users, with the remainder coming from the Aave treasury.

A similar pricing error resulted in $1.8 million of bad debt DeFi protocol Moonwell last month.

In an AI-coauthored update, the ratio between ETH and cbETH was used to price cbETH in dollars, liquidating borrowers whose collateral was suddenly worth $1.12 instead of around $2,200.

The damage for Aave may not have been too severe this time, but one blockchain security professional questioned why the changes aren’t run through a transaction simulation before going live, a simple sanity check which could prevent more serious losses, and even bad debt, in future.

Aave in crisis

The malfunction comes during a period of tumult for decentralized finance’s number one protocol.

Since December last year, the DAO and Aave Labs have been in dispute over who really controls Aave. The spat has seen DAO service providers accuse founder Stani Kulechov’s Aave Labs of playing dirty and pushing through plans for an upcoming v4 of the protocol.

Indeed, two key service providers have recently thrown in the towel.

Developer BGD Labs left last month over Labs’ snubbing of the wildly successful v3, in favor of the Labs-developed v4.

Shortly after, Marc Zeller’s ACI reached “breaking point” following the recent Aave Will Win vote, which swung narrowly in Labs’ favor.

