A decentralized finance (DeFi) user recently swapped $50.4 million of aEthUSDT for aEthAAVE using a widget on the Aave protocol and received only $36,000 in return. The loss has raised alarms and opened discussion of the weaknesses in how DeFi transactions are currently routed and executed.
Addressing Potential Flaws and User Mistakes
The transaction occurred on Aave, a well-regarded platform that facilitates lending and borrowing within DeFi. It allows for asset pooling, enabling interest earning or borrowing against collateral tokens. CoW Swap, a decentralized platform that connects with Ethereum, mediated the trade using a sophisticated solver competition to efficiently route transactions.
Before proceeding with the swap, the user disregarded a stark warning of a 99.9% price impact. The alert was prominently displayed, but proceeding past it left the transaction exposed to volatile market fluctuations and manipulation attempts.
According to CoW Swap’s analysis, two primary technical flaws were identified. One was an outdated gas limit that blocked better transaction routes. The second issue involved their solver failing to execute the swap on-chain correctly, leaving the transaction prone to less efficient liquidity paths.
What Led to the Transaction Being Exploited?
The swap details were inadvertently exposed on the Ethereum mempool, a space where pending transactions are accessible before confirmation. This made the trade susceptible to MEV (Maximal Extractable Value) bots that manipulate transactions to their advantage.
Because of these technical barriers, the swap fell back to a SushiSwap pool with insufficient liquidity for a transaction of that magnitude, causing enormous slippage. As a result, the user's substantial loss became inevitable.
A prominent MEV bot executed a sandwich attack, purchasing AAVE before the user's transaction to inflate the price and selling after it completed to lock in the profit. This manipulation netted the bot approximately $9.9 million.
Utilizing Titan Builder, a prominent block-building service, the bot orchestrated precise transaction timing to capitalize on this exploit further. In doing so, Titan Builder extracted another $34 million in ETH by manipulating transaction order.
In response to this event, both Aave and CoW Swap have committed to improvements. CoW Swap is upgrading its gas management settings, while Aave is implementing the “Aave Shield” update to automatically block swaps with more than a 25% price impact.
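To make the numbers concrete, the following added example (not code from Aave or CoW Swap) models a pre-trade guard that applies the 25% cap described above. It assumes a constant-product pool with a 0.3% fee, defines price impact as value lost against the pre-trade spot price, and uses constructed reserves rather than the real pool's.

```python
from fractions import Fraction

MAX_PRICE_IMPACT = Fraction(25, 100)  # block threshold stated in the article
POOL_FEE = Fraction(3, 1000)          # assumption: 0.3% constant-product pool fee


def quote_out(amount_in, reserve_in, reserve_out, fee=POOL_FEE):
    """Output of an x*y=k pool: dy = y * dx_eff / (x + dx_eff)."""
    if amount_in <= 0 or reserve_in <= 0 or reserve_out <= 0:
        raise ValueError("amount and reserves must be positive")
    dx_eff = Fraction(amount_in) * (1 - fee)
    return Fraction(reserve_out) * dx_eff / (reserve_in + dx_eff)


def price_impact(amount_in, reserve_in, reserve_out, fee=POOL_FEE):
    """Share of value lost versus the pre-trade spot price (assumed definition)."""
    out = quote_out(amount_in, reserve_in, reserve_out, fee)  # validates inputs
    at_spot = Fraction(amount_in) * reserve_out / reserve_in
    return 1 - out / at_spot


def max_input_under_cap(reserve_in, cap=MAX_PRICE_IMPACT, fee=POOL_FEE):
    """Largest input whose impact is exactly the cap (closed form of price_impact)."""
    limit = Fraction(reserve_in) * ((1 - fee) / (1 - cap) - 1) / (1 - fee)
    return max(Fraction(0), limit)  # cap below the fee: no trade can pass


def check_swap(amount_in, reserve_in, reserve_out, cap=MAX_PRICE_IMPACT):
    """Pre-trade guard: refuse to submit the order when impact exceeds the cap."""
    impact = price_impact(amount_in, reserve_in, reserve_out)
    return {
        "allowed": impact <= cap,
        "impact": impact,
        "expected_out": quote_out(amount_in, reserve_in, reserve_out),
    }


if __name__ == "__main__":
    # Constructed reserves, not the real pool's: 50,000 in-token vs 500 out-token.
    RESERVE_IN, RESERVE_OUT = 50_000, 500
    for amount in (1_000, 50_400_000):
        r = check_swap(amount, RESERVE_IN, RESERVE_OUT)
        verdict = "allowed" if r["allowed"] else "blocked"
        print(f"in={amount:>12,} impact={float(r['impact']):7.2%} "
              f"out={float(r['expected_out']):9.3f} -> {verdict}")
    print(f"largest input under cap: {float(max_input_under_cap(RESERVE_IN)):,.2f}")
```

Because the cap is evaluated against a single pool's reserves, the largest input it admits scales with the depth of the pool the trade is routed to.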
“We are committed to identifying and addressing system weaknesses to prevent user losses moving forward,” stated CoW Swap’s development team.
Actions taken by these platforms reinforce the necessity of constant vigilance and protocol enhancements in the rapidly evolving DeFi landscape, ensuring that user confidence and transaction integrity are prioritized.



