DeFi's largest lending protocol liquidated $27.1 million in user positions on March 10 because an oracle's reference timestamp was a week out of date. The error, buried in a single smart contract parameter, caused Aave to undervalue Lido's wrapped staked Ether (wstETH) by 2.85% for long enough to trigger forced sales across 34 borrower accounts.
A Stale Timestamp Broke the Pricing Ceiling
The culprit was CAPO, short for Configurable Price Oracle, a risk-oracle framework that Aave uses to cap the exchange rates of yield-bearing tokens. CAPO exists to prevent oracle-manipulation attacks: it places a deterministic, time-weighted upper bound on the rate between assets like wstETH and their base token, stETH. If the market rate suddenly spikes beyond what CAPO considers plausible, the system caps it and protects the protocol from artificial inflation.
The problem on March 10 was the opposite. A mismatch between two parameters, the snapshotRatio and the snapshotTimestamp, caused CAPO to compute a maximum exchange rate of approximately 1.1939 ETH per wstETH. The actual market rate was closer to 1.23 ETH.
Here is why. The snapshotRatio could only increase by 3% every three days due to an on-chain constraint. But the snapshotTimestamp had no equivalent safeguard. An off-chain calculation targeted a ratio near 1.2282, but the on-chain value could only reach 1.1919 after the constrained update. The timestamp, meanwhile, was set to a reference point seven days in the past. CAPO interpreted this as meaning the rate had been 1.1919 for a full week, computed the maximum allowed growth from that baseline, and landed on a ceiling that was 2.85% below reality.
Every borrower whose wstETH collateral was priced using that deflated rate suddenly appeared undercollateralized. Liquidation bots did what they are designed to do.
10,938 wstETH Liquidated, Zero Bad Debt
Chaos Labs, the risk management firm that operates CAPO for Aave, published a post-mortem within hours. The numbers: 10,938 wstETH liquidated across 34 accounts on Aave v3's Core and Prime instances. Liquidators captured roughly 499 ETH in bonuses and arbitrage profit, with 382 ETH of that coming from pure arbitrage on the price discrepancy. The protocol itself accrued zero bad debt.
Aave Labs founder Stani Kulechov framed the incident as contained. "There was no impact to the Aave Protocol," he stated, pointing to the absence of bad debt as evidence that the system's safety margins held even during the glitch.
A Lido contributor clarified that the error had "nothing to do with wstETH itself, how it works, or the Lido protocol." The token's on-chain exchange rate was correct the entire time. Only Aave's interpretation of it was wrong.
The Compensation Math
Chaos Labs CEO Omer Goldberg committed to full reimbursement for every affected user. The recovery plan breaks down as follows:
- 141.5 ETH recovered via BuilderNet refunds (from MEV recapture during the liquidation process)
- 13 ETH in liquidation fees clawed back by the protocol
- Up to 345 ETH from the Aave DAO treasury to cover any remaining shortfall
At current ETH prices (approximately $2,021 as of March 11, 2026), the maximum treasury outlay would be around $697,000. For a protocol that has processed hundreds of billions in cumulative loan volume, it is a manageable hit. But the precedent it sets is worth more than the dollar amount.
"Risk oracles are critical infrastructure for Aave and have secured hundreds of billions in loans, liquidations, and markets since go-live," Goldberg said, noting that CAPO had previously processed over 1,200 payloads and 3,000 parameters without incident.
What wstETH Borrowers Should Watch
The immediate risk has been resolved. Chaos Labs reduced wstETH borrow caps to 1 on both Core and Prime instances as a precaution, then manually realigned the snapshot ratio with the correct timestamp via Risk Steward. A governance proposal to reinstate normal caps (180,000 for Core, 70,000 for Prime) is expected shortly.
For users who were liquidated, the compensation process will flow through governance. No timeline has been published, but DAO treasury disbursements on Aave typically take one to two weeks after a proposal passes.
The larger concern is whether CAPO's parameter update mechanism needs a redesign. Community member hsim.dev raised a design-level point on the governance forum: if the snapshotRatio is constrained but the snapshotTimestamp is not, any future misalignment between the two creates the same failure mode. Chaos Labs has not yet responded to whether structural changes are planned beyond the immediate fix.
Oracle Risk Is DeFi's Quiet Systemic Threat
This incident did not involve a hack, an exploit, or a malicious actor. It was a configuration error, the kind of bug that exists in every complex system. That is what makes it instructive.
Aave holds over $25 billion in total value locked across multiple chains. Every dollar of that depends on oracles reporting accurate prices. Chainlink handles most of the raw price feeds, but CAPO sits on top as an additional safety layer. When the safety layer itself misfires, the protocol's defenses work against its own users.
DeFi lending protocols have matured significantly since the early flash-loan oracle attacks of 2020 and 2021. But the attack surface has shifted from external manipulation to internal misconfiguration. The wstETH incident is the second oracle-related event on a major lending protocol this year, following a smaller pricing discrepancy on Compound in January.
For crypto card users who hold wstETH or staked ETH positions, the takeaway is practical. Self-custody cards that let you spend directly from your wallet avoid the counterparty risk of centralized platforms, but they do not protect you from DeFi protocol risk if your collateral is deployed in lending markets. Understanding where your assets sit in the stack, wallet versus lending pool versus staking contract, determines which risks you are actually exposed to.
The Governance Tension Underneath
The oracle glitch landed during an already tense period for Aave governance. The Aave Chan Initiative, one of the protocol's most active governance delegates, recently decided not to renew its engagement with the DAO over concerns about decision-making processes. That departure has left a gap in governance oversight at a moment when technical incidents require fast, coordinated responses.
Chaos Labs filled the gap here by publishing the post-mortem and committing to compensation within hours. But the question of who audits the auditors, who checks CAPO's parameter updates before they go on-chain, remains open. Community members Frida and pcx both questioned Chaos Labs' accountability on the governance forum, asking whether the firm should bear financial responsibility beyond the recovered ETH.
Overview
A seven-day-old timestamp in Aave's CAPO risk oracle caused the system to undervalue wstETH by 2.85%, triggering $27.1 million in forced liquidations across 34 borrower accounts on March 10, 2026. Liquidators captured 499 ETH in profits. Chaos Labs, which operates CAPO, committed to full user compensation using recovered funds and up to 345 ETH from the Aave DAO treasury. The protocol suffered zero bad debt, but the incident exposed a design gap in how CAPO synchronizes its rate-capping parameters. With Aave holding over $25 billion in TVL, the reliability of its oracle infrastructure carries systemic weight for DeFi lending.
