Breaking News! The largest DeFi lending protocol Aave experiences a midnight "explosion," with $27 million precisely exploited. Is your position safe?

In the early morning of March 11th, $Aave experienced an atypical liquidation event. There was no market volatility and no external attack, yet approximately $27 million worth of lending positions were forcibly liquidated within a few hours. A total of 34 user addresses, holding about 10,938 $wstETH, were fully liquidated by on-chain liquidation bots.

The risk management partner responded first on social media, with its CEO clearly stating that the protocol did not incur any bad debt, and all affected users would be fully compensated. The founder of $Aave also confirmed that the protocol’s liquidity pool remained intact.

What made this event unusual was that the trigger for liquidation was not a common oracle price feed distortion. According to a detailed post-incident report, the root cause was an internal security module called CAPO. This module was originally designed to prevent manipulation of prices to artificially inflate collateral value, setting a cap on the price growth rate for tokens like $wstETH that generate staking yields.

CAPO relies on two key parameters working together: a snapshot exchange rate constrained by on-chain rules, and a timestamp snapshot that is not rate-limited. These two should update synchronously, but in this case, there was a mismatch. The snapshot exchange rate failed to update due to rule restrictions, while the timestamp jumped back to an earlier anchor point.

This mismatch caused the system to calculate a maximum permissible price for $wstETH that was about 2.85% lower than the actual market price. For leveraged positions operating at high efficiency, this 2.85% systemic underestimation was enough to push some positions that were just above the liquidation threshold into liquidation.

Analyzing profit flows, liquidators received approximately 116 ETH as normal rewards. Additionally, about 382 ETH in profit was generated from arbitrageurs exploiting the discrepancy between the protocol’s undervalued price and the market price. In total, roughly 499 ETH, worth about $1.27 million at the time, flowed out from affected user positions.

The risk management team’s response was straightforward. Its CEO publicly committed to full compensation and acknowledged that this configuration error was a serious lesson. Part of the compensation funds came from recovering about 141.5 ETH, and the rest was supplemented from the protocol treasury, for an estimated total payout cap of around 345 ETH.

Technically, the team quickly lowered the borrowing cap for $wstETH in the affected markets to 1, and manually corrected the mismatched parameters via the risk administrator mechanism, then restored the original borrowing limits.

Oracle-related issues are not new in DeFi. On February 18 of this year, another lending protocol experienced a temporary mispricing of $cbETH, which was marked at $1, resulting in nearly $1.8 million in bad debt. Historically, there have been cases where oracle failures caused losses of hundreds of millions of dollars.

However, what sets this $Aave incident apart is that the error did not originate from an external data source. Instead, it stemmed from a security layer built into the protocol for defense. This “shield” meant to protect users turned into a “blade” executing liquidations when certain parameters mismatched.

“Code is law” is a core principle of DeFi. It eliminates human intervention, but it also means that any mistake in code or parameters is executed automatically and irreversibly. Compensation at the economic level can repair user losses, but deeper fixes require engineering improvements: validation mechanisms for parameter updates, on-chain consistency checks, and real-time monitoring systems capable of early warning.
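
The cap mechanism and the parameter-update validation described above, as an added example that is not Aave's code and not part of the original post: a simplified linear-growth cap plus a pre-flight check that rejects a ratio/timestamp pair whose cap would bind below the live exchange rate. The formula shape, every name, and all numbers (constructed so the gap lands near the reported 2.85%) are assumptions.

```python
from dataclasses import dataclass

SECONDS_PER_YEAR = 365 * 24 * 3600
DAY = 24 * 3600

@dataclass(frozen=True)
class CapParams:
    snapshot_ratio: float     # exchange rate stored as the growth baseline
    snapshot_timestamp: int   # unix time that baseline is claimed to describe
    max_yearly_growth: float  # allowed growth per year (0.10 = 10%)

def max_ratio(p: CapParams, now: int) -> float:
    """Cap: the baseline grown linearly at the allowed rate since the snapshot."""
    elapsed = now - p.snapshot_timestamp
    if elapsed < 0:
        raise ValueError("snapshot timestamp is in the future")
    return p.snapshot_ratio * (1 + p.max_yearly_growth * elapsed / SECONDS_PER_YEAR)

def capped_ratio(p: CapParams, live_ratio: float, now: int) -> float:
    """Ratio the lending market would price collateral with."""
    return min(live_ratio, max_ratio(p, now))

def shortfall(p: CapParams, live_ratio: float, now: int) -> float:
    """Fraction by which the cap undervalues the live ratio (0.0 if not binding)."""
    return max(0.0, 1 - max_ratio(p, now) / live_ratio)

def validate_update(p: CapParams, live_ratio: float, now: int,
                    tolerance: float = 0.001) -> CapParams:
    """Pre-flight check: refuse parameters whose cap binds below the live ratio."""
    gap = shortfall(p, live_ratio, now)
    if gap > tolerance:
        raise ValueError(f"cap is {gap:.2%} below live ratio: ratio/timestamp out of sync")
    return p

# Constructed sample values (not taken from the incident report).
NOW = 1_773_200_000
LIVE = 1.2300
IN_SYNC = CapParams(1.2280, NOW - 7 * DAY, 0.10)     # ratio and time from the same moment
MISMATCHED = CapParams(1.1927, NOW - 7 * DAY, 0.10)  # ratio stuck at an old value, timestamp moved

if __name__ == "__main__":
    for name, p in (("in sync", IN_SYNC), ("mismatched", MISMATCHED)):
        print(name, round(capped_ratio(p, LIVE, NOW), 6), f"{shortfall(p, LIVE, NOW):.2%}")
        try:
            validate_update(p, LIVE, NOW)
            print("  update accepted")
        except ValueError as exc:
            print("  update rejected:", exc)
```

The same `shortfall` value can feed a monitor that alerts whenever the cap starts binding below the live ratio, before any position is priced with it.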

