How an Aave oracle failure triggered $21.7M in liquidations and tested DeFi risk governance
On March 10, a technical misconfiguration in the aave oracle infrastructure led to forced liquidations, stress-testing DeFi’s reliance on automated risk systems.
The $21.7M liquidation event on Aave
Aave users suffered approximately $21.7M in liquidations on March 10 after an on-chain constraint in the Wrapped stETH (wstETH) risk agent caused collateral values to be understated. In total, 34 accounts were liquidated because the protocol valued wstETH at roughly 2.85% below its true market price.
The protocol ultimately incurred no bad debt and compensated affected users. However, the event exposed structural weaknesses in how automated DeFi risk management executes changes without human intervention. It also showed how quickly a misconfigured parameter can cascade into large-scale liquidations of otherwise healthy positions.
According to post-incident data, users holding wstETH as collateral against WETH debt appeared undercollateralized only because of the incorrect valuation. Moreover, their positions would have remained safe at actual market prices, underscoring that the failure was infrastructural rather than market-driven.
The mechanics of the CAPO failure
The incident originated in Aave’s CAPO (Correlated Asset Price Oracle) system, built to protect against manipulation of assets with correlated prices, such as wstETH and stETH. CAPO fetches the wstETH/stETH ratio from Lido, applies a protective cap through the WstETHPriceCapAdapter, then multiplies the result by the ETH price to obtain a USD valuation.
At 12:47 UTC on March 10, Chaos Labs‘ off-chain Edge Risk engine recommended updating the CAPO maximum price to 1.1933947 wstETH/ETH. At that moment, the actual market ratio stood at 1.2285, implying that the proposed cap was already materially below prevailing prices.
BGD‘s AgentHub executed this recommendation one block later via its Oracle Automation system, without any review buffer between the off-chain recommendation and the on-chain implementation. That said, this instantaneous pipeline is precisely what turned a configuration error into an immediate user-impacting event.
The resulting 2.85% misalignment caused the protocol to undervalue wstETH collateral. As a result, accounts that should have been safe according to real market data were flagged as undercollateralized and liquidated. The cascade processed 10,938 wstETH across 34 accounts and generated approximately 512 ETH in liquidation bonuses for liquidators before the issue was detected and reversed.
Technical root cause: snapshot misalignment
The technical failure stemmed from a parameter mismatch between snapshotRatio and snapshotTimestamp within CAPO. Chaos Labs’ off-chain Risk Agent calculated a target ratio of approximately 1.2282, anchored to a 7-day-old snapshot. However, the on-chain system constrained how fast the ratio could move.
Under CAPO’s protective rules, the previous on-chain value of roughly 1.1572 could only increase by 3% every 3 days. In practice, this meant the ratio could rise only to about 1.1919 in a single update, even if the off-chain target had drifted higher. Moreover, the update did not align these constraints with the timestamp logic.
The snapshotTimestamp was set as if the on-chain anchor already reflected the 7-day-old off-chain ratio of 1.2282. This created a critical inconsistency between time and price references. Consequently, CAPO computed a maximum exchange rate of approximately 1.1939, about 2.85% below the true market rate of 1.2285.
This incident marked the first automated update pushed on-chain by Chaos Labs’ CAPO Risk Agent since its deployment. That said, the fact that the inaugural execution produced user liquidations made the misconfiguration particularly alarming for both governance and users.
The automated execution chain from Edge Risk to AgentHub
Edge Risk is Chaos Labs’ proprietary off-chain risk engine that prepares and pushes parameter changes from a designated address. AgentHub, developed by BGD, listens for these changes using Oracle Automation and then propagates them to the protocol.
The faulty parameter change moved through Chaos Labs’ automated risk stack in a two-transaction sequence. First, the Edge Risk engine recommended changing the cap to 1.191926 wstETH/ETH in transaction 0xfbafeaa8c58dd6d79f88cdf5604bd25760964bc8fc0e834fe381bb1d96d3db95. Then, AgentHub executed the change one block later via transaction 0x32c64151469cf2202cbc9581139c6de7b34dae2012eba9daf49311265dfe5a1e.
Daily liquidations across Aave in February were relatively modest, rarely exceeding $5M, as market conditions stayed stable. The March 10 spike to $21.6M stands out as an isolated outlier, roughly a 4x jump from typical levels. Moreover, liquidation volumes quickly returned to baseline after the correction, confirming that the stress came from the oracle path rather than broader protocol insolvency.
This behavior strengthened the conclusion that the wstETH pricing issue was a discrete configuration failure. It was not a symptom of deteriorating collateral quality, liquidity problems, or systemic deleveraging within the Aave ecosystem.
Detection, mitigation, and liquidation compensation plan
The misconfiguration was detected within minutes, prompting an accelerated incident response from the Aave team and its risk providers. To contain further exposure, wstETH borrow caps on both Aave Core and Aave Prime were promptly reduced to 1, effectively freezing new borrowing activity against that asset.
Through manual Risk Steward intervention, the team realigned the snapshotRatio with the live snapshotTimestamp, restoring the oracle feed to its correct value. An oracle correction was pushed via transaction 0xb883ad2f1101df8d48f014ba308550f3251c2e0a401e7fc9cf09f9c2a158259d, while the borrow cap changes to set wstETH borrow capacity to 1 wstETH were executed via transaction 0x34f568b28dbcaf6a8272038ea441cbc864c8608fe044c590f9f03d0dac9cf7f8.
Despite the forced selling, the protocol incurred no bad debt and published a detailed post-mortem to the Aave governance forums. However, user losses from liquidations required a separate policy response, ultimately leading to a structured liquidation compensation plan.
To compensate affected accounts, Aave recaptured 141.5 ETH in liquidation bonuses through BuilderNet refunds. The DAO treasury then covered the remaining gap, with total user restitution capped at 358 ETH. Importantly, the plan was implemented via a direct Aave Improvement Proposal (AIP), ensuring affected users received full compensation despite the error originating in infrastructure.
Market context around the March 10 incident
Cross-chain activity on Aave showed robust user growth during the February–March window. For instance, Avalanche recorded 38,445 depositing users on February 10, while Base logged 31,763 depositing users on March 6, just four days before the oracle-driven liquidation event.
These spikes highlight growing user engagement across Aave-supported networks, even as the protocol navigated a complex technical incident. Moreover, Aave’s overall deposits and borrowings remained stable throughout early 2026, suggesting that confidence in the protocol’s core design did not materially weaken after the event.
The stability of deposits, combined with the rapid normalization of liquidations, underscores that the wstETH mispricing arose from configuration issues, not from fundamental stress in collateral markets. That said, concentration risk in automation providers and oracle pathways remains a structural concern for DeFi platforms at Aave’s scale.
Governance, transparency, and the future of automated oracle execution
The March 10 incident illustrates the governance trade-offs created by automated oracle execution in major DeFi lending protocols. Chaos Labs’ Edge Risk recommended a cap below market, BGD’s AgentHub executed it one block later, and liquidations followed within minutes, leaving almost no time for human intervention.
Aave responded with swift detection, decisive corrective actions, and full user compensation funded in part by the DAO treasury. However, the episode revealed shortcomings in pre-execution validation and highlighted the risks of over-reliance on a single, proprietary risk engine. In particular, the closed nature of Chaos Labs Edge Risk calculations limits independent verification and places significant operational control in the hands of external service providers.
As more DeFi protocols adopt automated CAPO Risk Agent frameworks and similar systems, the incident shows that governance must incorporate robust testing, explicit review windows, and transparent oversight. Moreover, the broader aave oracle architecture will likely need additional safety layers, such as multi-source cross checks or staged rollout mechanisms, to ensure that future technical errors do not translate directly into user losses.
In summary, the March 10 liquidations were not a market crisis but a governance and infrastructure stress test. The combination of automation, rapid execution, and opaque risk modeling underscores why DeFi protocols must balance efficiency with transparent, auditable safeguards to protect users.
You May Also Like
From Early Trading Losses to Global Impact: Somesh’s Journey to Building an Int’l Trading Community
Bitcoin and Ethereum prices to crash after FOMC, top analyst warns
