Users lost 345 ETH as a result of unexpected liquidations in the wstETH E-Mode market caused by a configuration issue in Aave's CAPO Oracle system. A synchronisation issue between the contract's validation rules and stored Oracle parameters was revealed shortly after the Chaos Oracle went on the internet.

Affected users underwent liquidations as a result of an artificially reduced Oracle pricing, despite the protocol not incurring any bad debt. It has been confirmed by Aave DAO service providers that all affected subscribers will receive reimbursement.

• CAPO Oracle System & Its Role in Aave's Risk Management
• The Misconfiguration That Triggered wstETH Liquidations
• How Timestamp & Ratio Desynchronisation Distorted the Oracle Price?
• Immediate Response & Recovery Measures

CAPO Oracle System & Its Role in Aave's Risk Management

Aave uses risk oracles to regularly update important protocol parameters so that it can adjust to shifting market conditions. More than 1,200 payload updates impacting more than 3,000 parameters have been issued by these risk oracles since their inception more than a year ago, supporting the protocol during its highest growth phase and securing hundreds of billions in loans, liquidations, and market activity.

In order to protect against a known Oracle exploit vector, the Correlated Asset Price Oracle (CAPO) mechanism was implemented. This hack includes manipulating collateral valuations inside loan protocols by artificially inflating exchange rate values, frequently through donation assaults.

In order to solve this, CAPO uses actual growth dynamics experienced over time to determine a maximum cap on the exchange rate oracle. It functions as a hybrid oracle.

On-chain smart contracts created by BGD serve as the authoritative source of truth and enforce validation logic, while the off-chain Chaos Oracle computes and sends updates to the maximum exchange rate. The CAPO wstETH smart contracts were activated earlier in 2024, even though the Chaos Oracle went live on the day of the tragic event.

The contract stored a snapshot ratio of about 1.15 during initialisation, which subsequently turned out to be a crucial component of the problem.

The Misconfiguration That Triggered wstETH Liquidations

The Chaos Oracle computed the accurate wstETH/stETH snapshot ratio of roughly 1.2282 at 11:46 UTC. This figure was calculated using the exchange rate that was seen seven days beforehand, which is the reference window that CAPO uses to calculate exchange rate growth.

In most cases, the upper bound for legitimate exchange rate adjustments within the contract is established using this snapshot ratio as the reference point. The upgrade was refused by the contract, nevertheless.

A regulation that restricts the snapshot ratio increase to 3% throughout three days is enforced by the CAPO contract. The new value surpassed the allowed growth limit since the correct ratio has greatly grown in comparison to the stale value held since February 2024.

The Oracle used its preprogrammed fallback process when the right ratio could not be entered. The contract was queried to find the greatest permitted ratio under the current constraint, and that amount was then submitted.

The Oracle successfully filed the contract, which returned a maximum permitted ratio of about 1.19. This backup plan is deliberate.

Submitting the maximum permitted ratio keeps the oracle as close to the actual market exchange rate as feasible while still adhering to contract limits when the prior snapshot ratio is almost accurate. However, in this instance, the capped value that was finally submitted and the actual exchange rate differed significantly due to the out-of-date snapshot ratio.

1/ stETH CAPO Misconfiguration

Today, a misconfiguration on Aave's CAPO oracle caused wstETH E-Mode liquidations, resulting in a loss of 345 ETH.

No bad debt was incurred, and all affected users will be fully reimbursed.

More below.— Omer Goldberg (@omeragoldberg) March 10, 2026