- A code change at Aave fork Pac Finance has cost users $26 million.
- Aave creator blamed the incident on a "lack of in-depth knowledge."
Users of Blast-based protocol Pac Finance were left reeling on Thursday after a sudden code change triggered millions in losses, highlighting the risk of upgradable code on DeFi platforms.
At around 1 am London time on April 11, someone with access to Pac Finance’s admin wallet upgraded the protocol’s code, decreasing the threshold at which the protocol liquidates users’ collateral.
Within seconds of the change, more than a dozen traders who were using Pac Finance to “leverage farm” Renzo’s ezETH token had their collateral liquidated, causing $26 million in losses.
Giant swath of ezETH Liquidations on pac finance last night on blast, someone got tagged for $24m
— Will Sheehan (@wilburforce_) April 11, 2024
Leverage farming is a risky strategy where users loop deposits — usually Ether liquid staking and restaking tokens — to increase the yield earned on them.
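To make the mechanism concrete, here is an added Python simulation (not Pac Finance's or Aave's code) of an Aave-style health factor for a looped position. The 80% loan-to-value limit, the 85% and 70% liquidation thresholds, the five loops and the 1:1 ezETH/ETH pricing are assumed values for illustration, not the protocol's actual parameters.

```python
from dataclasses import dataclass


@dataclass
class Position:
    collateral: float  # value of deposited collateral, denominated in ETH
    debt: float        # value of borrowed assets, denominated in ETH


def loop_position(deposit: float, ltv: float, loops: int) -> Position:
    """Build a looped ("leverage farm") position: deposit, borrow up to the
    loan-to-value limit, redeposit what was borrowed, repeat `loops` times.
    Assumes the collateral and debt assets trade 1:1 (constructed simplification)."""
    if not 0 < ltv < 1 or loops < 0:
        raise ValueError("ltv must be in (0, 1) and loops non-negative")
    collateral, debt = deposit, 0.0
    borrowable = deposit
    for _ in range(loops):
        borrowed = borrowable * ltv   # borrow the maximum the LTV allows
        debt += borrowed
        collateral += borrowed        # redeposit the borrowed amount
        borrowable = borrowed         # next loop can only borrow against the new deposit
    return Position(collateral, debt)


def health_factor(pos: Position, liquidation_threshold: float) -> float:
    """Aave-style health factor: collateral * liquidation threshold / debt.
    A value below 1.0 means the position can be liquidated."""
    if pos.debt == 0:
        return float("inf")
    return pos.collateral * liquidation_threshold / pos.debt


def min_safe_threshold(pos: Position) -> float:
    """Lowest liquidation threshold at which the position still has HF >= 1."""
    return pos.debt / pos.collateral if pos.collateral else 0.0


def newly_liquidatable(positions, old_lt: float, new_lt: float):
    """Positions that were healthy under old_lt but fall below HF 1 under new_lt:
    exactly the set a sudden parameter change exposes, with no price move at all."""
    return [p for p in positions
            if health_factor(p, old_lt) >= 1.0 and health_factor(p, new_lt) < 1.0]


if __name__ == "__main__":
    looped = loop_position(deposit=100.0, ltv=0.80, loops=5)
    print(f"collateral={looped.collateral:.3f} debt={looped.debt:.3f}")
    print(f"HF at 85% threshold: {health_factor(looped, 0.85):.3f}")
    print(f"HF at 70% threshold: {health_factor(looped, 0.70):.3f}")
    print(f"lowest threshold this position survives: {min_safe_threshold(looped):.3f}")
```

Under these assumed numbers the looped position is healthy at an 85% threshold and liquidatable at 70% without any change in the ezETH price; the deeper the loop, the narrower the band of thresholds it survives.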
“This was a result of the liquidation threshold being altered unexpectedly without prior notification to our team,” Pac Finance said on X.
“Going forward, we will set up a governance contract/timelock and forum for all future upgrades to ensure that discussions are planned ahead of time and this does not happen again.”
The incident highlights the risk of upgradable code in DeFi protocols. If a protocol chooses to keep its code upgradable, those with permission can change the rules that govern the protocol at any time — often without warning.
Not all DeFi protocols allow for code upgrades. Uniswap, Curve Finance, and many other protocols make their code immutable, meaning once it’s deployed on a blockchain it cannot be retroactively changed.
“Designing a lending protocol that allows an [externally owned account] to arbitrarily alter the liquidation threshold without a timelock isn’t just poor design; it’s irresponsible,” Kydo, a researcher at restaking protocol EigenLayer, wrote on X.
The liquidations, as well as withdrawals from concerned users, have pushed Pac Finance’s total value locked, or TVL, down over 50%.
Pac Finance didn’t immediately respond to a request for comment.
A ‘fundamental problem’
Pac Finance is a fork of Aave, the biggest lending protocol in DeFi with $11.2 billion in deposits.
A fork is where a developer team uses the open-source code from an existing DeFi protocol to launch a similar protocol — often on a different blockchain or with minor changes.
Stani Kulechov, founder and CEO of Avara, the company behind the Aave protocol, blamed the incident on Pac Finance developers not understanding the code base they used to create the protocol.
“Fundamental problem with forking code is the lack of in-depth knowledge of the software and the parameters,” Kulechov said in an X post.
And Pac Finance isn’t the first fork to cause issues in DeFi.
Several forks of lending protocol Compound have been hacked because of code vulnerabilities, resulting in millions of dollars in losses. Onyx protocol, which was exploited in November for $2.1 million, is the most recent victim.
Although the vulnerabilities had already been identified and fixed in Compound, those who forked the protocol’s code were not aware of them.
Tim Craig is DL News’ Edinburgh-based DeFi Correspondent. Reach out with tips at tim@dlnews.com.