Blast-based lending protocol Pac Finance confirmed that its liquidation threshold was changed unexpectedly without prior information to its team, resulting in significant user losses.
This issue is representative of the ongoing challenges faced by DeFi protocols on the Ethereum layer-2 network, Blast. Last month, Munchables, a web3 game operating on this network, suffered a loss of over $62 million due to an attack. Fortunately, the hacker returned the stolen funds voluntarily.
$26 million liquidation
On April 11, Will Sheehan, the founder of Parsec Finance, reported a “giant swath of ezETH Liquidations on Pac Finance.”
His finding was further corroborated by Kydo, an EigenLabs developer, who stated:
“An EOA wallet (0xae), presumably controlled by Pac_finance, updated the liquidation threshold (allegedly) unannounced, without a timelock. $26 million got liquidated within 6 seconds after the update.”
Pac Finance allows users to earn interest by depositing their crypto holdings. To safeguard against default, borrowers are restricted to loans based on a set percentage of their collateral, known as the “loan-to-value ratio” (LTV). Adjustments to the LTV are infrequent and typically announced by the development team before implementation.
However, on-chain data shows that a developer wallet changed the LTV for Renzo and restaked ETH (ezETH) to 60%. That change meant several borrowers did not meet the collateral rules, hence the liquidation.
Notably, most of the liquidation comes from one user who lost $23.9 million.
Pac Finance response
Pac Finance stated that it is in contact with affected users to develop a mitigation plan. The team also said it is working to prevent a repeat of the incident by setting up a framework where users are notified of every decision before it happens.
The platform added:
“In our effort to adjust the LTV, we tasked a smart contract engineer to make the necessary changes. However, it was discovered that the liquidation threshold was altered unexpectedly without prior notification to our team, leading to the current issue.”
Aave founder Stani Kulechov commented on the situation, attributing the issue to a lack of knowledge of the codebase. Kulechov referred to Pac Finance as a fork of Aave, suggesting that the project uses Aave code as the basis of its platform.
“Random Aave fork on Blast decreased Liquidation Threshold (LT) instead of Loan to Value (LTV) causing $26M worth of unnecessary liquidations.
Fundamental problem with forking code is the lack of in-depth knowledge of the software and the parameters.”
Mentioned in this article