Aave Oracle Glitch Triggers $27M in Unfair wstETH Liquidations
β‘ A Cascade Nobody Saw Coming On March 10, 2026, users of Aave, one of DeFi's largest lending protocols, woke up to a jarring surprise: their wstETH collateral positions had been forcibly liquidated, not because the market crashed, but because of a configuration error deepβ¦
β‘ A Cascade Nobody Saw Coming
On March 10, 2026, users of Aave, one of DeFi's largest lending protocols, woke up to a jarring surprise: their wstETH collateral positions had been forcibly liquidated, not because the market crashed, but because of a configuration error deep inside Aave's own risk infrastructure. Roughly 10,938 wstETH, worth approximately $27 million at the time, was sold off across 34 user accounts. The trigger was a mismatch in Aave's Correlated Asset Price Oracle, known as CAPO, which caused the system to treat wstETH as significantly less valuable than it actually was. For the users affected, the loss was real and immediate. The AAVE token slipped roughly 1.6% in the 24 hours following the event, trading around $110, as the broader community processed the incident and demanded answers from Aave's risk managers and developers.
π§ Inside the CAPO Misconfiguration
CAPO is a protective mechanism built into Aave's oracle layer. Its job is to limit how quickly yield-bearing tokens like wstETH can appear to increase in value, which guards against price manipulation. However, that same protection became the source of harm on March 10. An off-chain algorithm attempted to update the wstETH exchange rate snapshot to reflect the current market value of approximately 1.228 wstETH per ETH. The problem: a smart contract constraint caps any single CAPO update at a 3% increase per 72-hour period. When that constraint kicked in, the snapshot ratio and its associated timestamp fell out of sync, and the oracle settled on a maximum allowed exchange rate of roughly 1.1939. That was 2.85% below the real market value, enough to push dozens of borrowing positions below their safety thresholds and trigger automatic liquidation.
πΈ Who Got Hit and Who Profited
The incident affected 34 accounts that were holding wstETH as collateral in Aave's E-Mode, a feature designed for highly correlated assets. These users were not reckless borrowers. Their positions were in good standing under actual market prices. The protocol's own mispricing pulled the rug from under them. As liquidations executed, external liquidators moved quickly to capture the opportunity. Those third-party actors walked away with approximately 499 ETH in bonus rewards, equivalent to over $1 million at current prices. Aave itself recorded a realized loss of 345 ETH on the protocol side. Risk management firm Chaos Labs confirmed that no bad debt was created for the protocol, meaning Aave's broader solvency was never at risk. Still, for the 34 affected users, the damage was done.
π Aave's Response: Fixes, Caps, and Compensation
Aave moved quickly to contain the damage. Developers temporarily capped wstETH borrowing limits to 1, effectively halting new wstETH-backed loans while they worked on a fix. Chaos Labs applied a manual Risk Steward intervention to resync the snapshot ratio and timestamp, restoring the oracle to its correct configuration. Beyond the technical fix, Chaos Labs founder Omer Goldberg stated publicly that all affected users will be fully reimbursed. Aave recaptured 141 ETH in liquidation bonus revenue through BuilderNet refunds, along with 13 ETH in liquidation fees. These recovered funds will be directed to affected users first, with any remaining shortfall covered by the Aave DAO treasury. Aave Labs CEO Stani Kulechov also clarified on X that the protocol itself was not harmed, calling it a "technical misconfiguration" rather than a systemic failure.
π Oracle Risk: A Known and Growing Problem in DeFi
The Aave incident is not an isolated case. Oracle risk is one of the most persistent vulnerabilities across the DeFi ecosystem. In a comparable incident, DeFi lender Moonwell suffered nearly $1.8 million in bad debt after a price oracle misconfigured Coinbase Wrapped ETH, briefly valuing cbETH at roughly $1 instead of $2,200. According to security research, oracle-based attacks accounted for over 31% of early 2025 DeFi losses, with attack patterns ranging from flash loan manipulation to configuration errors like the one seen here. What distinguishes the Aave incident is that it was not an external attack. It was an internal misconfiguration, which in some ways is more troubling, because it suggests that even well-audited, mature protocols remain vulnerable to subtle parameter mismatches during routine updates.
π― What This Means for DeFi Investors and Borrowers
The Aave oracle incident is a reminder that DeFi is still a maturing system, and even top-tier protocols can experience technical failures that harm users through no fault of their own. For borrowers, the lesson is practical: positions that sit close to liquidation thresholds carry hidden risk, not just from market volatility, but from the infrastructure that monitors them. Maintaining a comfortable buffer above liquidation levels provides protection against unexpected oracle deviations. For investors, the fact that Aave's protocol remained solvent, that recovery funds were mobilized quickly, and that reimbursement commitments were made publicly within 24 hours speaks to the protocol's institutional maturity. Aave has now processed over $4.65 billion in liquidations historically without a systemic failure. This incident, while painful for those affected, is likely to produce better oracle safeguards and a stronger protocol overall.
Sources
https://cryptorank.io/news/feed/4df94-aave-oracle-glitch-wipes-out-27m https://www.coindesk.com/business/2026/03/10/defi-lending-platform-aave-sees-a-rare-usd27-million-liquidations-after-a-price-glitch https://www.tradingview.com/news/cointelegraph:6e91b3da1094b:0-aave-wsteth-glitch-forces-27m-in-liquidations-and-compensation/ https://governance.aave.com/t/post-mortem-exchange-rate-misallignment-on-wsteth-core-and-prime-instances/24269 https://forklog.com/en/oracle-malfunction-in-aave-leads-to-26-million-liquidations/ https://medium.com/@instatunnel/smart-contract-oracle-manipulation-the-8-8m-data-poisoning-ff0712c43ab8
Market Munchies and Mode Mobile communications are for informational purposes only, and are not a recommendation, solicitation, or research report relating to any investment strategy, security, or digital asset. All investments involve risk including the loss of principal and past performance does not guarantee future results.
Any information contained in this commentary does not purport to be a complete description of the securities, markets, or developments referred to in this material. The information has been obtained from sources considered to be reliable, but we do not guarantee that the foregoing material is accurate or complete. There is no guarantee that any statements or opinions provided herein will prove to be correct.
Get fresh insights, breaking news, and hidden gems in the world of cryptoβdelivered straight to your inbox with our Crypto Cookies newsletter. Don't miss outβsign up now and get your first bite of insider knowledge!