[ad_1]
A misconfiguration on Aave’s CAPO oracle caused E-Mode liquidations worth 10,938 wstETH, resulting in a loss of 345 ETH. The error affected more than 30 user accounts, but Aave incurred no bad debt according to Chaos Labs CEO Omer Goldberg.
Traders have suffered massive liquidations totaling $27 million after Aave’s Correlated Asset Price Oracle (CAPO) risk oracle experienced a technical glitch, causing the wstETH/stETH exchange rate cap to fall below the current market exchange rate.
The error caused the exchange rate to drop by 2.85% triggering roughly 10,938 wstETH in E-Mode liquidations across 34 user accounts.
Affected users will be fully reimbursed, Chaos Labs founder Omer Goldberg says
Omer Goldberg, Founder of Chaos Labs, wrote on X that the incident had no impact on the Aave protocol and that all affected users will be fully compensated. He also added that the team was working on a permanent solution to prevent the incident from recurring.
1/ stETH CAPO Misconfiguration
Today, a misconfiguration on Aave’s CAPO oracle caused wstETH E-Mode liquidations, resulting in a loss of 345 ETH.
No bad debt was incurred, and all affected users will be fully reimbursed.
More below.
— Omer Goldberg (@omeragoldberg) March 10, 2026
During the incident, liquidator bots tapped 499 ETH in liquidation bonuses and in value realized through the exchange rate mispricing event.
According to a publication from Chaos Labs (onchain security and risk management partner of Aave), the protocol recovered 141 ETH from liquidation bonus revenue on Buildernet refunds, as well as 13 ETH in liquidation fees.
The publication highlighted that the protocol will use the recovered funds, along with additional funds from the protocol’s DAO treasury, to reimburse affected users who were liquidated due to the error.
The security platform said the differing update constraints at the smart contract level were the probable cause of the mispricing event, which ultimately led to a misalignment between the onchain snapshot timestamp and snapshot ratio.
Chaos Labs said an off-chain mechanism tried to modify the snapshot ratio to about 1,2282. However, an onchain safety constraint prevented the snapshot ratio from exceeding the 3% threshold per 72-hour period.
The snapshot timestamp was not validated against that constrained update path, which still reflected a 7-day-old reference point. Since the adjustment could not occur automatically, the discrepancy created an inconsistent configuration, causing CAPO to compute a maximum allowed exchange rate approximately 1.1939 below the live rate of roughly 1.228.
Aave erroneously priced wstETH at about 2.85% below its market price, causing multiple borrowing positions to breach their minimum collateralization requirements. According to Chaos Labs, the Aave protocol itself did not accrue bad debt from the mispricing incident.
Following the incident, Chaos Labs temporarily reduced the wstETH borrow cap to 1 on Aave Core and Aave Prime to reduce additional exposure and prevent further liquidations. The security platform said it also aligned “the snapshot ratio parameter with the current snapshot timestamp reference window through manual Risk Steward intervention” to re-synchronize the configured onchain parameters back to normal.
Aave drops 1.6% over the past 24 hours
AAVE is down 1.6% in the last 24 hours, adding to its seven-day loss of 3.84% according to data from CoinMarketCap. The crypto asset is currently trading at $110.11 and has been trading between $130.67 and $95.11 since early February.
The occurrence has raised questions about whether a third party can force the system to relapse again, and whether the flaw was a design problem or a legitimate system issue.
Cryptopolitan recently reported that HypurrFi, a lending market on Hyperliquid’s HyperEVM, discovered a rounding bug in the Aave V3 core code before version 3.5.
The discovery prompted a temporary halt to deposits and borrowing requests across affected markets to prevent exploitation by malicious actors. The discovery surfaced shortly after the protocol announced the success of its V4 upgrade in a comprehensive security report detailing a year-long review process conducted from March 2025 to February 2026.
[ad_2]
Source link