Users of the lending DeFi protocol Pac Finance on the Ethereum Layer-2 (L2) network Blast faced position liquidations totaling $24 million after the project’s wallet administrator modified parameters for Renzo Restaked Ether (ezETH) loans on April 11 without warning. Pac Finance’s team has stated that they have already reached out to affected users and are developing a plan to compensate for losses.
Thank you for letting us know Will. We are aware of the issue and are in contact with the impacted users, actively developing a plan with them to mitigate the issue.
In our effort to adjust the LTV, we tasked a smart contract engineer to make the necessary changes. However, it…
— Pac Finance (@pac_finance) April 11, 2024
Stani Kulechov, founder of Aave, took to social media to highlight the situation and express his concerns.
Random Aave fork on Blast decreased Liquidation Threshold (LT) instead of Loan to Value (LTV) causing $26M worth of unnecessary liquidations.
Fundamental problem with forking code is the lack of in-depth knowledge of the software and the parameters. https://t.co/eTNBlNBoqg
— Stani^ (@StaniKulechov) April 12, 2024
The company explained that, as part of an adjustment to the loan-to-value (LTV) ratio, they instructed a smart contract engineer to make the necessary changes. The current issue arose because this was done without prior notification. To prevent similar situations in the future, the team will introduce a community-managed contract or a contract with temporary locking, as well as a forum for announcements of future updates.
Crypto analyst 0xLoki noted that 93% of the liquidations were carried out by a single address, the owner of which profited approximately 244 ETH (~$854,000).
情况比较简单
0x4883094b78a6ea2A4AED28B864156276D2ACdb3d
这个地址完成了93%的清算,获得净利大概244ETH
资金转入和转出都走的桥,除了部署清算机器人没有别的交互行为 https://t.co/erjjmPd73P
— 0xLoki (@Loki_Zeng) April 12, 2024
In their opinion, the Pac Finance team should investigate who the beneficiary was.
“If the liquidator and the parameter modifier are related, then this is fraud. If not, it’s just an incident,” they noted.
According to on-chain data, the developer’s wallet called a function in the PoolConfigurator-Proxy contract, setting the ezETH LTV at 60%. As a result, borrowers’ positions were automatically liquidated due to violations of collateral rules set in the protocol. Their assets were automatically sold to repay loans in connection with this change.
Recall that in March, an exploit of the gaming web3 platform Munchables on Blast became the largest incident of the month, causing $97 million in damages. The hacker returned all funds without any conditions.