March 2026 delivered three brutal lessons in a single week: Venus Protocol lost $3.7M to a donation attack that bypassed supply caps, Solv Protocol hemorrhaged $2.7M through a double-mint reentrancy in its BRO vault, and an Aave user accidentally vaporized $50M in a swap with 99.9% price impact.
Three different protocols. Three different attack vectors. One common missing defense: an on-chain circuit breaker that could have stopped each exploit mid-transaction.
This isn't a post-mortem. This is the engineering guide to building the circuit breaker that would have caught all three.
Why Static Guards Failed
Every affected protocol had security measures:
- Venus had supply caps — but the donation attack bypassed them by inflating collateral value after the cap check
- Solv had access controls — but the reentrancy exploited callback ordering within a single authorized call
- Aave had slippage warnings — but frontend warnings don't prevent on-chain execution
The pattern: point-in-time checks at function entry don't catch attacks that manipulate state during execution.
Circuit breakers solve this by checking invariants — properties that must hold true at every state transition, not just at the door.
The ERC-7265 Circuit Breaker Pattern
ERC-7265 proposes a standardized circuit breaker interface. Here's the minimal production version:
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;
abstract contract CircuitBreaker {
enum Status { ACTIVE, TRIPPED, COOLDOWN }
Status public breakerStatus;
uint256 public trippedAt;
uint256 public cooldownPeriod;
// Rate limiting: track outflows per asset per window
mapping(address => uint256) public windowOutflow;
mapping(address => uint256) public windowStart;
uint256 public windowDuration;
mapping(address => uint256) public maxOutflowPerWindow;
event BreakerTripped(string reason, uint256 timestamp);
event BreakerReset(uint256 timestamp);
error CircuitBreakerTripped();
error OutflowLimitExceeded(address asset, uint256 attempted, uint256 limit);
modifier withBreaker() {
if (breakerStatus == Status.TRIPPED) revert CircuitBreakerTripped();
_;
_checkInvariants();
}
modifier trackOutflow(address asset, uint256 amount) {
_;
_recordOutflow(asset, amount);
}
function _recordOutflow(address asset, uint256 amount) internal {
if (block.timestamp > windowStart[asset] + windowDuration) {
windowStart[asset] = block.timestamp;
windowOutflow[asset] = 0;
}
windowOutflow[asset] += amount;
if (windowOutflow[asset] > maxOutflowPerWindow[asset]) {
breakerStatus = Status.TRIPPED;
trippedAt = block.timestamp;
emit BreakerTripped("Outflow limit exceeded", block.timestamp);
revert OutflowLimitExceeded(asset, amount, maxOutflowPerWindow[asset]);
}
}
function _checkInvariants() internal virtual;
function _resetBreaker() internal {
require(block.timestamp >= trippedAt + cooldownPeriod, "Cooldown active");
breakerStatus = Status.ACTIVE;
emit BreakerReset(block.timestamp);
}
}
Invariant #1: The Venus Fix — Collateral Value Sanity Check
Venus's exploit worked because the attacker inflated collateral value within a single transaction using a donation attack. A circuit breaker that checks collateral-to-debt ratios against a maximum rate of change would have caught this:
contract LendingBreaker is CircuitBreaker {
uint256 public maxCollateralChangePerBlock = 500; // 5% in basis points
mapping(address => uint256) public lastCollateralValue;
mapping(address => uint256) public lastCollateralBlock;
function _checkCollateralInvariant(address asset) internal {
uint256 currentValue = _getCollateralValue(asset);
if (lastCollateralBlock[asset] == block.number) {
// Same block: check rate of change
uint256 previousValue = lastCollateralValue[asset];
if (previousValue > 0) {
uint256 changePercent = ((currentValue > previousValue)
? (currentValue - previousValue) * 10000 / previousValue
: 0);
if (changePercent > maxCollateralChangePerBlock) {
breakerStatus = Status.TRIPPED;
trippedAt = block.timestamp;
emit BreakerTripped(
"Collateral value changed too fast",
block.timestamp
);
revert("CB: collateral manipulation detected");
}
}
}
lastCollateralValue[asset] = currentValue;
lastCollateralBlock[asset] = block.number;
}
}
How this catches the Venus attack: The attacker donated tokens to inflate THE's collateral value by ~400% in a single block. A 5% per-block cap trips the breaker instantly.
Invariant #2: The Solv Fix — Mint-to-Deposit Ratio Guard
Solv's double-mint exploit let the attacker mint far more BRO tokens than their deposit justified. The invariant: total minted tokens must never exceed total deposits × conversion rate, checked after every mint:
contract MintBreaker is CircuitBreaker {
uint256 public totalDeposited;
uint256 public totalMinted;
uint256 public conversionRate; // tokens per unit deposited
uint256 public tolerance = 100; // 1% tolerance in basis points
function _checkMintInvariant() internal {
uint256 expectedMaxMint = totalDeposited * conversionRate / 1e18;
uint256 allowedMint = expectedMaxMint * (10000 + tolerance) / 10000;
if (totalMinted > allowedMint) {
breakerStatus = Status.TRIPPED;
trippedAt = block.timestamp;
emit BreakerTripped("Mint exceeds deposits", block.timestamp);
revert("CB: mint invariant violated");
}
}
function deposit(uint256 amount) external withBreaker {
// ... transfer tokens in ...
totalDeposited += amount;
uint256 mintAmount = amount * conversionRate / 1e18;
totalMinted += mintAmount;
// ... mint tokens ...
_checkMintInvariant();
}
}
How this catches the Solv attack: The reentrancy triggered deposit callbacks that re-minted tokens without additional deposits. After the second mint, totalMinted exceeds totalDeposited × conversionRate and the breaker trips.
Invariant #3: The Aave Fix — Price Impact Guard
The $50M Aave swap wasn't an exploit — it was a user error that no on-chain guard prevented. Aave has since announced "Aave Shield" to block swaps with >25% price impact. Here's the pattern:
contract SwapBreaker is CircuitBreaker {
uint256 public maxPriceImpactBps = 2500; // 25%
function _checkSwapInvariant(
address tokenIn,
address tokenOut,
uint256 amountIn,
uint256 amountOut
) internal view {
// Get oracle price for expected output
uint256 expectedOut = _getOracleQuote(tokenIn, tokenOut, amountIn);
if (expectedOut == 0) return; // No oracle available
// Calculate actual price impact
uint256 impact = expectedOut > amountOut
? (expectedOut - amountOut) * 10000 / expectedOut
: 0;
if (impact > maxPriceImpactBps) {
revert("CB: price impact exceeds threshold");
}
}
}
How this catches the Aave disaster: The user swapped into a pool with virtually no liquidity, receiving tokens worth ~$100K for $50M in input. A 25% impact threshold catches this before execution completes.
Composing Circuit Breakers in Production
Real protocols need multiple invariants. Here's how to compose them:
contract ProtocolWithBreakers is LendingBreaker, MintBreaker, SwapBreaker {
function _checkInvariants() internal override {
// Check all relevant invariants
_checkCollateralInvariant(msg.sender);
_checkMintInvariant();
// Swap invariant is checked inline during swaps
}
function borrow(
address asset,
uint256 amount
) external withBreaker trackOutflow(asset, amount) {
// ... borrow logic ...
}
function swap(
address tokenIn,
address tokenOut,
uint256 amountIn,
uint256 minAmountOut
) external withBreaker {
uint256 amountOut = _executeSwap(tokenIn, tokenOut, amountIn);
require(amountOut >= minAmountOut, "Slippage");
_checkSwapInvariant(tokenIn, tokenOut, amountIn, amountOut);
}
}
Automating Recovery with Chainlink Automation
A tripped breaker needs a recovery path. Manual-only recovery creates governance bottleneck risk. Chainlink Automation can handle the cooldown-and-reset flow:
import {AutomationCompatibleInterface} from "@chainlink/contracts/src/v0.8/automation/AutomationCompatible.sol";
contract AutoResetBreaker is CircuitBreaker, AutomationCompatibleInterface {
function checkUpkeep(bytes calldata)
external
view
override
returns (bool upkeepNeeded, bytes memory)
{
upkeepNeeded = (
breakerStatus == Status.TRIPPED &&
block.timestamp >= trippedAt + cooldownPeriod
);
}
function performUpkeep(bytes calldata) external override {
if (
breakerStatus == Status.TRIPPED &&
block.timestamp >= trippedAt + cooldownPeriod
) {
breakerStatus = Status.COOLDOWN;
// Governance can then fully reset after review
emit BreakerReset(block.timestamp);
}
}
}
The two-phase approach (TRIPPED → COOLDOWN → ACTIVE) prevents automated full reset without governance review.
Testing Circuit Breakers with Medusa
Circuit breakers are only useful if they actually trip. Use Medusa (Trail of Bits' parallelized fuzzer) to verify:
// Test invariant: breaker must trip when outflow exceeds limit
contract BreakerFuzzTest {
ProtocolWithBreakers protocol;
function fuzz_outflowTripsBreaker(
address asset,
uint256 amount
) public {
// Attempt large withdrawal
try protocol.borrow(asset, amount) {
// If borrow succeeds, outflow must be within limits
assert(
protocol.windowOutflow(asset) <=
protocol.maxOutflowPerWindow(asset)
);
} catch {
// Revert is acceptable — breaker may have tripped
}
}
function fuzz_collateralManipulation(
uint256 donationAmount
) public {
// Simulate donation attack
uint256 valueBefore = protocol.lastCollateralValue(address(this));
// ... donate tokens ...
// Invariant: if value changed >5% in same block, breaker must be tripped
uint256 valueAfter = protocol.lastCollateralValue(address(this));
if (valueBefore > 0) {
uint256 change = (valueAfter - valueBefore) * 10000 / valueBefore;
if (change > 500) {
assert(protocol.breakerStatus() == CircuitBreaker.Status.TRIPPED);
}
}
}
}
Run with: medusa fuzz --workers 8 --timeout 3600
Gas Costs: The Real Numbers
Circuit breaker skeptics always ask about gas. Here's what each check actually costs:
| Check | Additional Gas | % of Typical Borrow TX |
|---|---|---|
| Outflow tracking | ~5,200 (2 SLOADs + 1 SSTORE) | 2.1% |
| Collateral rate-of-change | ~7,800 (3 SLOADs + 2 SSTOREs) | 3.2% |
| Mint ratio verification | ~3,100 (2 SLOADs, no write on pass) | 1.3% |
| Price impact check | ~2,400 (oracle call + math) | 1.0% |
| Combined | ~18,500 | ~7.6% |
Venus lost $3.7M. Solv lost $2.7M. The Aave user lost $50M. A 7.6% gas overhead on every transaction is insurance that pays for itself after preventing a single exploit.
Deployment Checklist
Define invariants first. Before writing any circuit breaker code, list every property that must always be true. If you can't enumerate your invariants, you can't protect them.
Set thresholds conservatively, then tune. Start with tight limits (2% collateral change, 10% outflow per window) and relax based on observed normal behavior.
Test the trip path, not just the happy path. Your fuzzing suite should specifically try to violate invariants and verify the breaker engages.
Implement graceful degradation. A tripped breaker should pause risky operations (borrows, mints) while keeping safe operations (repayments, withdrawals of own funds) available.
Monitor breaker state off-chain. Use OpenZeppelin Defender or a custom monitor to alert your team the instant a breaker trips. Automated response buys you minutes, not hours.
Plan the governance recovery flow. Decide before deployment: who can reset the breaker? Multisig? Timelock? Automated with cooldown? Document it.
Audit the breaker itself. A circuit breaker with a bug is worse than no circuit breaker — it gives false confidence. Treat it as critical-path code.
The Bottom Line
March 2026 proved — again — that static access controls and frontend warnings are insufficient for DeFi security. The protocols that survive the next wave of exploits will be the ones that enforce invariants continuously, not just at function entry.
Circuit breakers aren't exotic. They're engineering discipline applied to money code. The patterns above are battle-tested, gas-efficient, and directly map to the three exploits that just cost the ecosystem $56M in a single week.
Build them. Test them. Deploy them. Or budget for the post-mortem.
This article is part of the DeFi Security Engineering series. Previous entries cover share inflation attacks, transient storage traps, and donation attack mechanics.
Top comments (0)