exploits | March 12, 2026 | 3 min read

Aave's $27M Liquidation Incident: How a Stale Oracle Parameter Wiped Out 34 Users

Aron Turner, Co-Founder CTO

Updated on March 12, 2026

TL;DR

On March 10, 2026, a configuration mismatch in Aave's CAPO (Correlated Asset Price Oracle) caused wstETH to be undervalued by ~2.85%, triggering $27 million in wrongful liquidations across 34 high-leverage E-Mode positions. Liquidation bots pocketed ~499 ETH. Chaos Labs confirmed zero bad debt, and all affected users will be fully reimbursed through recovered funds and the Aave DAO treasury.


What Happened

About $27 million in borrower positions were liquidated on Aave over 24 hours on March 10, 2026. Not because of a market crash. Not because of an exploit. The protocol's own oracle infrastructure mispriced collateral.

The asset at the center of this was wstETH (Lido's wrapped staked Ether), a yield-bearing token where 1 wstETH is typically worth a bit more than 1 ETH because it accrues staking rewards over time. On March 10, wstETH's real market rate sat around 1.228 ETH. Aave's CAPO oracle was reporting roughly 1.194 ETH, a 2.85% undervaluation.

That 2.85% doesn't sound like much, but it was enough to push 34 high-leverage E-Mode positions below their collateral thresholds. Once that line is crossed, liquidation bots don't ask questions. They just execute. The damage hit $21.2 million on Aave V3 Ethereum Core and $5.7 million on Aave Prime, with bots collecting roughly 499 ETH in bonuses and profits.


The Root Cause: Desynchronized CAPO Parameters

CAPO (Correlated Asset Price Oracle) is the system Aave uses to limit how fast yield-bearing token valuations can grow inside the protocol. It's operated by Chaos Labs and exists to prevent price manipulation through artificial exchange rate spikes. The setup is a hybrid: off-chain Chaos Oracles calculate and push rate updates, while BGD Labs' on-chain smart contracts verify and enforce them.

Under the hood, CAPO tracks two coupled parameters on-chain:

  1. Snapshot ratio (snapshotRatio): a reference exchange rate for the asset
  2. Snapshot timestamp: when that ratio was last recorded

Together with a maxYearlyRatioGrowthPercent value, these enforce a time-weighted ceiling on how high the exchange rate can go at any given moment.

Here's where things went wrong. An off-chain update tried to bring the snapshot ratio up to ~1.2282 to match wstETH's actual market value. But the protocol's growth-rate safeguards wouldn't allow that big of a jump in one shot, so the update had to be split across multiple transactions.

During that multi-step process, the snapshot ratio and its timestamp got out of sync. CAPO then calculated a maximum allowable exchange rate that was below the real market value of wstETH. In other words, the protocol thought collateral was worth less than it actually was.

Chaos Labs put it this way: the incident stemmed from "a mismatch between stale parameters stored in a smart contract, including a reference exchange rate and its associated timestamp."
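The following added example (not code from the article, Aave, BGD Labs or Chaos Labs) models the time-weighted ceiling described above and shows how the same stale ratio paired with a newer timestamp pulls the cap below the market rate. It assumes a linear growth formula; every number except the 1.2282 market rate is constructed for illustration, including the 10% growth value, the snapshot values and the sample position.

```python
from dataclasses import dataclass

DAY = 24 * 3600
SECONDS_PER_YEAR = 365 * DAY

@dataclass(frozen=True)
class CapoParams:
    snapshot_ratio: float         # reference exchange rate, ETH per wstETH
    snapshot_timestamp: int       # unix time the ratio was recorded
    max_yearly_growth_pct: float  # maxYearlyRatioGrowthPercent

def max_ratio(p: CapoParams, now: int) -> float:
    """Ceiling at `now`. ASSUMPTION: the cap grows linearly from the snapshot."""
    elapsed = now - p.snapshot_timestamp
    growth = p.max_yearly_growth_pct / 100 * elapsed / SECONDS_PER_YEAR
    return p.snapshot_ratio * (1 + growth)

def capped_ratio(p: CapoParams, now: int, market_ratio: float) -> float:
    """Rate the protocol actually uses: the market rate, clipped to the ceiling."""
    return min(market_ratio, max_ratio(p, now))

def health_factor(collateral, ratio, debt_eth, liq_threshold):
    """Below 1.0 the position is open to liquidation."""
    return collateral * ratio * liq_threshold / debt_eth

# --- Constructed scenario (only MARKET comes from the article) ---
NOW = 1_000 * DAY
MARKET = 1.2282
# Ratio and timestamp recorded together 120 days ago: a consistent pair.
CONSISTENT = CapoParams(1.19, NOW - 120 * DAY, 10.0)
# Timestamp advanced to 12 days ago, ratio left at the old value: desynchronized.
DESYNCED = CapoParams(1.19, NOW - 12 * DAY, 10.0)
# Hypothetical high-leverage position: 100 wstETH, 115 ETH debt, 95% threshold.
POSITION = dict(collateral=100, debt_eth=115, liq_threshold=0.95)

def report():
    rows = {}
    for name, params in (("consistent", CONSISTENT), ("desynced", DESYNCED)):
        ratio = capped_ratio(params, NOW, MARKET)
        hf = health_factor(ratio=ratio, **POSITION)
        rows[name] = (round(ratio, 4), round(hf, 4))
    return rows

if __name__ == "__main__":
    for name, (ratio, hf) in report().items():
        print(f"{name:10s} ratio={ratio} health_factor={hf}")
```

With the consistent pair the ceiling sits above the market rate and the position stays healthy; with the desynchronized pair the position is priced about 2.8% low and its health factor drops under 1.0 with no market move at all.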


Impact Breakdown

Metric                       Value
Positions liquidated         34 accounts (~10,938 wstETH)
Total liquidation volume     ~$27 million
Aave V3 Ethereum Core        ~$21.2 million
Aave Prime                   ~$5.7 million
Liquidator profits           ~499 ETH
Protocol bad debt            $0
wstETH 24h trading volume    ~$10 million

With ETH trading around $2,050 that day, the liquidator haul came out to roughly $1M. The thin wstETH trading volume meant fewer eyes on the discrepancy while it was happening.


Response and Remediation

Chaos Labs moved quickly to contain the damage:

Aave Labs founder Stani Kulechov said "there was no impact to the Aave Protocol" in terms of bad debt, and noted that "a technical misconfiguration resulted in the liquidation of positions that were already close to their liquidation thresholds."

Chaos Labs CEO Omer Goldberg stressed that "risk oracles are critical infrastructure for Aave and have secured hundreds of billions in loans, liquidations, and markets since go-live," and confirmed "every affected user will be fully reimbursed."

A Lido contributor told CoinDesk: "The cause has nothing to do with wstETH itself, how it works or the Lido protocol which continue to operate normally."


Lessons for DeFi Security

1. Coupled parameters need atomic updates. This wasn't a logic bug or external manipulation. Two values that have to move in lockstep got updated separately, and the intermediate state was enough to trigger $27M in liquidations. If your protocol relies on paired parameters, validate that no downstream logic can consume a half-updated state.

2. Safety mechanisms can backfire. The growth-rate cap is there to prevent manipulation. But it was also the reason the update had to be split into multiple transactions, which opened the window for desynchronization in the first place. When you design safeguards, think about what happens during the update process they impose, not just the steady state they protect.

3. Bots don't care if the price is wrong. 499 ETH gone in hours. On-chain liquidation infrastructure will act on any signal, right or wrong. Protocols sitting on billions in TVL should seriously consider circuit breakers that pause liquidations when oracle readings deviate beyond expected bounds.

4. Oracle risk is protocol risk. This isn't an isolated event. On February 15, 2026, Moonwell's cbETH oracle misconfiguration priced cbETH at ~$1.12 instead of ~$2,200 (a missing ETH/USD multiplication), causing $1.8 million in bad debt. Oracle infrastructure needs the same level of rigor as core smart contract code. That includes formal verification of parameter update flows.
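One way to express lessons 1 and 3 as checks, shown as an added example rather than code from Aave or any vendor named here: a pre-flight validator that treats ratio and timestamp as a single update, and a circuit breaker on the gap between the capped and reference rates. The linear cap formula, the function names, the 1% tolerance and the premise that `current_ratio` is an independently verified rate are all assumptions.

```python
DAY = 24 * 3600
SECONDS_PER_YEAR = 365 * DAY

def max_ratio(ratio, ts, yearly_pct, now):
    # ASSUMPTION: linear cap, growing at most yearly_pct per year from ts.
    return ratio * (1 + yearly_pct / 100 * (now - ts) / SECONDS_PER_YEAR)

def validate_snapshot_update(old, new, yearly_pct, now, current_ratio):
    """Pre-flight check for a (ratio, timestamp) pair submitted as ONE update.

    `current_ratio` is the exchange rate the operator has verified
    independently. Returns a list of violations; empty means safe to apply.
    """
    old_ratio, old_ts = old
    new_ratio, new_ts = new
    problems = []
    if not old_ts <= new_ts <= now:
        problems.append("timestamp out of range")
    # Coupled parameters: one changing without the other is a half-update.
    if (new_ratio == old_ratio) != (new_ts == old_ts):
        problems.append("ratio and timestamp must change together")
    # The state left behind by this step must not clip a legitimate rate.
    if max_ratio(new_ratio, new_ts, yearly_pct, now) < current_ratio:
        problems.append("resulting cap is below the current exchange rate")
    return problems

def liquidations_allowed(capped_ratio, reference_ratio, max_deviation=0.01):
    """Circuit breaker: pause liquidations when the capped rate trails the
    reference rate by more than max_deviation (a fraction, 0.01 = 1%)."""
    return (reference_ratio - capped_ratio) / reference_ratio <= max_deviation

if __name__ == "__main__":
    now = 1_000 * DAY                      # constructed clock
    old = (1.19, now - 120 * DAY)          # constructed stored pair
    # Half-update: timestamp moved, ratio untouched -> rejected twice over.
    print(validate_snapshot_update(old, (1.19, now - 12 * DAY), 10.0, now, 1.2282))
    # Intermediate step where both values move together -> accepted.
    print(validate_snapshot_update(old, (1.22, now - 30 * DAY), 10.0, now, 1.2282))
    print(liquidations_allowed(1.1939, 1.2282))  # False: ~2.8% gap
```

The second call is the point of lesson 2: a multi-step update can still be safe if every intermediate pair, evaluated on its own, leaves the ceiling above the verified rate.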


Preventing This in Your Protocol

Oracle misconfigurations are a DeFi security problem, not just an operational one. A professional audit of your oracle integration should cover parameter update atomicity, growth-rate cap edge cases, and intermediate-state exposure during multi-step updates.

Sentinel flags exactly these patterns: coupled parameters that can desynchronize, safeguard mechanisms that create update windows, and liquidation logic that consumes unvalidated oracle state. After deployment, Tripwire monitors your oracle feeds in real time and alerts on deviations before liquidation bots can act on stale data.

If your protocol depends on oracle infrastructure, get it audited before an incident forces the conversation.


Sources

  1. CoinDesk — DeFi Lending Platform Aave Sees $27M Liquidations After Price Glitch
  2. Protos — Oracle Error Adds to Turmoil at DeFi Giant Aave
  3. Blockonomi — $27 Million Aave Liquidation Event Sparked by Oracle Configuration Error
  4. The Block — Moonwell Hit With $1.8M Bad Debt After Oracle Misconfiguration
  5. Decrypt — Oracle Error Leaves DeFi Lender Moonwell With $1.8M in Bad Debt
  6. BGD Labs — Aave CAPO GitHub Repository
  7. Fortune — Ethereum Price, March 10, 2026
Aron Turner

Co-Founder CTO

CTO of SigIntZero. Engineering leadership, infrastructure architecture, and security tooling.