Intro
Two months ago, while auditing Aave V4, I discovered a critical DoS vector in their core math library. I reported it, expecting a fix. The response? "This is intended design. Not a bug."
Fast forward to April 2026: The KelpDAO/rsETH exploit happens. Lazarus Group dumps massive amounts of rsETH into Aave as collateral. When the price crashes, liquidators try to step in, but the protocol hits a wall. The exact wall I warned them about.
The Technical "Feature"
The issue lies in MathUtils.sol and how it handles the mulDivDown function. In Aave V4, the liquidation bonus is dynamic. It uses a formula that calculates the bonus based on the position's Health Factor.
```solidity
// src/spoke/libraries/LiquidationLogic.sol:329
(maxLiquidationBonus - minLiquidationBonus).mulDivDown(deltaHealth, range)
```
The mulDivDown implementation uses a strict intermediate overflow check in assembly. While "safe" in theory, it’s a ticking time bomb for high-precision LSTs (Liquid Staking Tokens) like rsETH.
Why "Design" Failed Reality
When the position size is massive (like the $293M rsETH position), the intermediate product of (deltaBonus * deltaHealth) exceeds 2^256 − 1.
Aave's "design" was to revert on such overflows. But in a liquidation scenario, a revert is a death sentence.
1. The liquidator calls executeLiquidation.
2. The contract calculates the bonus.
3. The math overflows and triggers a revert.
4. The transaction fails.
5. The bad debt stays on the books.
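The gap between a strict intermediate-overflow check and a full-width intermediate can be modelled in a few lines of Python. This is an added example, not Aave's code and not the PoC from the repository; the semantics of the strict check are an assumption, and every operand value is constructed.

```python
# Model of uint256 mul-div arithmetic. Illustrative only: not Aave's code.
UINT256_MAX = 2**256 - 1


class Revert(Exception):
    """Stands in for an EVM revert."""


def _require_uint256(*values: int) -> None:
    for v in values:
        if not 0 <= v <= UINT256_MAX:
            raise ValueError("operand is not a uint256")


def mul_div_down_strict(x: int, y: int, d: int) -> int:
    """floor(x*y/d); reverts if d == 0 or x*y does not fit in 256 bits.
    Assumed semantics of a 'strict intermediate overflow check'."""
    _require_uint256(x, y, d)
    if d == 0 or (y != 0 and x > UINT256_MAX // y):
        raise Revert("intermediate product overflows uint256")
    return (x * y) // d


def mul_div_down_full(x: int, y: int, d: int) -> int:
    """floor(x*y/d) with a 512-bit intermediate; reverts only if d == 0
    or the final quotient itself does not fit in 256 bits."""
    _require_uint256(x, y, d)
    if d == 0:
        raise Revert("division by zero")
    q = (x * y) // d  # Python ints are unbounded, so this is exact
    if q > UINT256_MAX:
        raise Revert("result overflows uint256")
    return q


def strict_only_reverts(x: int, y: int, d: int) -> bool:
    """True when the strict variant reverts on inputs whose exact result
    is representable: the availability gap worth testing for."""
    try:
        mul_div_down_strict(x, y, d)
        return False
    except Revert:
        pass
    try:
        mul_div_down_full(x, y, d)
        return True
    except Revert:
        return False
```

Running `strict_only_reverts` over the extreme operand ranges of a liquidation path in a fuzz or invariant test shows whether a revert can occur on inputs that still have a valid answer.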
The Proof
I’ve published a full Post-Mortem and PoC on my GitHub: rdin777/aave-v4-post-mortem
In the PoC, I simulated the exact conditions of the rsETH crash. The result? Liquidation logic is completely blocked. The protocol "saw" the debt (as my tests on PositionStatusMap confirmed), but its "eyes" were useless because its "hands" (the math) were tied.
Lessons Learned
When a security researcher points to a revert in a critical path (like liquidation), "it's by design" is a dangerous answer. In DeFi, availability is as important as correctness. If your math is too "perfect" to handle extreme market conditions, the protocol fails exactly when it's needed most.
https://github.com/rdin777
https://github.com/rdin777/aave-v4-post-mortem