Aave Fork on Blast Erroneously Liquidates $26 Million in Positions

The lending protocol Pac Finance, modeled after Aave and based on the L2 solution Blast, encountered unexpected liquidations of user positions amounting to $26 million.

Random Aave fork on Blast decreased Liquidation Threshold (LT) instead of Loan to Value (LTV) causing $26M worth of unnecessary liquidations.

Fundamental problem with forking code is the lack of in-depth knowledge of the software and the parameters. https://t.co/eTNBlNBoqg

— Stani^ (@StaniKulechov) April 12, 2024

“An ill-considered Aave fork on Blast reduced the liquidation threshold (LT) instead of the loan-to-value ratio (LTV), leading to unjustified closures of positions worth $26 million. The fundamental problem with using code is the lack of fundamental knowledge about the software and its parameters,” commented Stani Kulechov, founder and CEO of Avara.

The Pac Finance team stated that they are aware of the incident and are “in contact with the affected users.”

Thank you for letting us know Will. We are aware of the issue and are in contact with the impacted users, actively developing a plan with them to mitigate the issue.

In our effort to adjust the LTV, we tasked a smart contract engineer to make the necessary changes. However, it…

— Pac Finance (@pac_finance) April 11, 2024

“In an attempt to adjust the LTV, we tasked a smart contract engineer to make the necessary changes. However, we discovered that the liquidation threshold was unexpectedly altered without our knowledge, leading to the current issue,” the developers admitted.

They stated that in the future, they intend to implement a contract for managing limits and a forum for discussing all future updates to ensure they are well-planned.

Crypto analyst known as 0xLoki noted that 93% of the liquidations were executed by a single address, whose owner profited approximately 244 ETH (~$854,000).

In his view, the Pac Finance team should determine who benefited.

“If the liquidator and the parameter modifier are connected, then it is fraud. If not, it is merely an incident,” he noted.

Back in March, an exploit of the gaming Web3 platform Munchables on Blast was the largest incident of the month, causing $97 million in damage. The hacker returned all the funds without any conditions.