Pac Finance, a crypto lending protocol built on the Blast network, unexpectedly changed the loan-to-value (LTV) ratio and liquidation parameters, leading to cascading liquidations in a matter of six seconds.
The incident was flagged on X by Will Sheehan, founder of blockchain data firm Parsec, who shared data on the $26 million liquidations of liquid staking token ezETH, noting that one user in particular lost nearly $24 million.
According to analysis from EigenLabs developer “0xkydo,” an externally owned address (EOA) wallet, presumably controlled by Pac Finance, updated the liquidation threshold without any prior warning and did not include a timelock.
We should be grateful that the incident was limited to only a 26m liquidation 🙏
Please, LRT protocols, discourage your users from participating in these protocols⛔️
So what happened?
$26m got liquidated on @pac_finance , a lending protocol on blast.
An EOA wallet (0xae),… https://t.co/76v0tekNmr
— kydo.eth 🦇🔊 (@0xkydo) April 11, 2024
“Designing a lending protocol that allows an EOA to arbitrarily alter the liquidation threshold without a timelock isn’t just poor design; it’s irresponsible,” said 0xkydo.
The Pac Finance team responded to Sheehan, saying they were aware of the issue and were in contact with the impacted users to develop a plan to mitigate it.
“In our effort to adjust the LTV, we tasked a smart contract engineer to make the necessary changes.However, it was discovered that the liquidation threshold was altered unexpectedly without prior notification to our team, leading to the current issue,” they said.
The team said that going forward, they would implement a governance contract or timelock and forum for future upgrades to ensure that discussions are planned ahead of time.