Launched on the model of Aave, the Pac Finance landing protocol based on the Blast L2 solution faced unexpected liquidations of user positions worth $26 million.
Random Aave fork on Blast decreased Liquidation Threshold (LT) instead of Loan to Value (LTV) causing $26M worth of unnecessary liquidations.
Fundamental problem with forking code is the lack of in-depth knowledge of the software and the parameters. https://t.co/eTNBlNBoqg
"The ill—considered fork of Aave on Blast lowered the liquidation threshold (LT) instead of the ratio of the loan amount to the collateral value (LTV), which led to the unjustified closure of positions by $ 26 million. The fundamental problem of using the code is the lack of fundamental knowledge about the software and its parameters," commented Avara founder and CEO Stani Kulechov.
The Pac Finance team said it was aware of the incident and was "in contact with the affected users."
Thank you for letting us know Will. We are aware of the issue and are in contact with the impacted users, actively developing a plan with them to mitigate the issue.
In our effort to adjust the LTV, we tasked a smart contract engineer to make the necessary changes. However, it…
"In an attempt to adjust the LTV, we instructed the smart contract engineer to make the necessary changes. However, we discovered that the liquidation threshold was unexpectedly changed without our knowledge, which led to the current problem," the developers admitted.
According to them, in the future they intend to implement a contract for managing limits and a forum to discuss all future updates to ensure that they are planned.
A cryptanalyst under the nickname 0xLoki noticed that 93% of the liquidations were performed by one address, the owner of which made a profit of about 244 ETH (~$854,000).
In his opinion, the Pac Finance team should find out who turned out to be the beneficiary.
"If the liquidator and the parameter modifier are related, then this is a scam. If not, it's just an incident," he said.
Recall that in March, the exploit of the Munchables gaming Web3 platform on Blast turned out to be the largest incident in a month with damage of $97 million. The hacker returned all the funds unconditionally.