Aave CAPO Oracle $27.78M Liquidation

1/ Aave's anti-manipulation oracle system just became the attacker.
$27.78M in wstETH liquidated. 34 accounts wiped. Zero human involvement.
The safety system designed to protect users executed the hit itself.
2/ Background: Aave uses CAPO (Chainlink Automation-Powered Oracle), built by Chaos Labs + BGD Labs.

• Chaos Labs Edge Risk Engine (off-chain) calculates safe parameters
• AgentHub (on-chain) executes via Chainlink Automation
• No multisig. No human review. One-block execution. Designed for speed. Which is exactly the problem. 3/ On March 10, 2026, the Edge Risk Engine submitted a wstETH snapshotRatio update. TX: 0xfbafeaa8c58dd6d79f88cdf5604bd25760964bc8fc0e834fe381bb1d96d3db95 One block later, AgentHub executed it on-chain. TX: 0x32c64151469cf2202cbc9581139c6de7b34dae2012eba9daf49311265dfe5a1e CAPO now priced wstETH at ~1.19 ETH. Market rate: ~1.228849 ETH. Gap: 2.85%. 4/ 2.85% doesn't sound like much. But wstETH positions in E-Mode operate at extreme leverage with razor-thin margins. 2.85% oracle error → 34 accounts liquidated → 10,938 wstETH → $27.78M gone. 5/ wstETH is NOT ETH. It's Lido's wrapped staked ETH — a yield-bearing token that trades at a premium to ETH (~1.228849 ETH per wstETH on March 10). When CAPO reported 1.19 ETH instead, it told Aave's liquidation engine that users had significantly less collateral than they actually did. 6/ Root cause: "configuration mismatch between two parameters that should have moved in sync." Not a hack. Not a flash loan attack. A configuration error in the system designed to prevent exactly these kinds of events. Irony level: maximum. 7/ Response timeline: 🔴 LTV Protocol (third-party monitor) spotted the anomaly FIRST — before Aave's official post-mortem. 🟡 Chaos Labs immediately reduced wstETH borrowing caps to 1. 🟢 Full compensation promised to all affected users. 8/ Two statements, two framing strategies: Omer Goldberg (Chaos Labs CEO): "A misconfiguration... All affected users will be fully compensated."→ We broke it. We'll fix it. Stani Kulechov (Aave founder): "Technical misconfiguration caused the liquidation of positions that were already close to liquidation threshold."→ It broke. But they were playing with fire. 9/ CAPO had pushed 1,200+ payloads covering 3,000+ parameters before this. Zero failures. Then one configuration mismatch caused $27.78M in liquidations. High reliability breeds complacency. The system that never fails is the system you stop watching. 10/ What this means for DeFi:
• Automated safety systems can become automated attack vectors
• One-block execution is great for defense, terrible for catching your own errors
• E-Mode amplifies oracle risks — thin margins + bad data = liquidation cascade
• Third-party monitors provide critical independent oversight
• "Never failed before" is not a security guarantee 11/ The question nobody's asking: Should there be a time-lock or circuit breaker for the safety system itself? Speed without checks isn't safety. It's a loaded gun on a hair trigger. 12/ Sources:• Parameter update TX: etherscan.io/tx/0xfbafeaa8...• Execution TX: etherscan.io/tx/0x32c64151...• Borrow cap reduction: etherscan.io/tx/0x34f568b2...• Aave post-mortem: governance.aave.com/t/post-mortem-...• LTV Protocol: x.com/ltvprotocol/status/2031351985845248370• CoinDesk: coindesk.com/business/2026/03/10/... #DeFi #Aave #Oracle #Web3Security #Ethereum