[Direct To AIP] wstETH CAPO Oracle Incident User Reimbursement

Author: TokenLogic
Created: 2026-03-11


Summary

This ARFC proposes the Aave DAO refund users who were erroneously liquidated during the wstETH CAPO oracle misconfiguration incident on Ethereum Core and Prime instances. The total refund amounts to 512.19 ETH, with a net cost to the DAO of 357.56 ETH after recoveries, a figure that should decrease as more recoveries are processed.

Motivation

A configuration misalignment between the snapshotRatio and snapshotTimestamp parameters in the wstETH CAPO risk oracle caused the reported wstETH/stETH exchange rate cap to fall approximately 2.85% below the actual market rate. This triggered erroneous liquidations across 34 accounts on the Ethereum Core and Prime instances, totaling ~10,938 wstETH liquidated.

As detailed in the Post-Mortem, the root cause was a mismatch between two interdependent Oracle parameters, snapshotRatio and snapshotTimestamp. The issue was promptly identified and resolved through Risk Steward intervention.

The affected users bear no responsibility for these liquidations, which were the direct result of a protocol-level configuration error. Making these users whole is a straightforward decision for the DAO and reinforces the trust that underpins Aave’s position as the leading lending protocol.

Loss Breakdown

Category                               ETH
Oracle profit (loss to users)          382.76
Liquidation bonus (loss to users)      129.72
Goodwill allowance                     1
Total loss                             513.19
Recovered from Titan Builder           (141.60)
Recovered liquidation fees             (13.32)
Net cost to the DAO                    358.56

Recovery efforts remain ongoing. The DAO is actively pursuing additional funds from builders involved in the incident. Should further recoveries materialize, updates will be posted as comments on this ARFC. For the sake of speed and making affected users whole without delay, these potential future recoveries are not factored into this proposal; they would be a welcome bonus that further reduces the DAO’s net cost.

Specification

Create allowance on the Aave Ethereum Collector for the AFC to distribute refunds to affected users:

  • Asset: WETH 0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2
  • Amount: 513.19 ETH
  • Spender: AFC 0x22740deBa78d5a0c24C58C740e3715ec29de1bFa
  • Method: approve() on the Aave Ethereum Collector

Upon AIP execution, the AFC will distribute the appropriate refund amount to each affected user address. A detailed per-user breakdown will be included in the AIP payload.

Next Steps

  1. Collect community feedback
  2. Publish AIP with on-chain payload
  3. AFC executes refund distributions upon AIP execution

Disclosure

TokenLogic is an active service provider to the Aave DAO, the beneficiary of stream 100072 and the KPI as outlined in this publication. The scope of this engagement is available via this forum proposal.

TokenLogic supports and maintains an independent delegate voting platform within the Aave community.

TokenLogic and associated entities have no undisclosed material conflicts of interest at the time of submission.

Copyright

Copyright and related rights waived via CC0.

3 Likes
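An added example, not part of the original post and not Aave's code: a pre-deployment check for the kind of snapshotRatio / snapshotTimestamp mismatch described in the Motivation section. It assumes a cap that grows linearly from snapshotRatio starting at snapshotTimestamp; the function names, the growth rate and the ratio observations are hypothetical and constructed for illustration.

```python
from bisect import bisect_right

YEAR = 365 * 24 * 3600
DAY = 24 * 3600

def ratio_at(history, ts):
    """Last observed ratio at or before ts; history is sorted (timestamp, ratio)."""
    i = bisect_right([t for t, _ in history], ts)
    if i == 0:
        raise ValueError("no observation at or before the requested timestamp")
    return history[i - 1][1]

def capped_ratio(snapshot_ratio, snapshot_ts, max_yearly_growth, now):
    """Assumed cap model: linear growth from the snapshot point."""
    if now < snapshot_ts:
        raise ValueError("snapshot timestamp is in the future")
    return snapshot_ratio * (1 + max_yearly_growth * (now - snapshot_ts) / YEAR)

def check_snapshot(history, snapshot_ratio, snapshot_ts, max_yearly_growth, now, tol=1e-4):
    """Return a list of findings; an empty list means the pair is consistent
    with the observed history and the cap sits at or above the live ratio."""
    findings = []
    # 1. The two parameters must describe the same point in time.
    observed = ratio_at(history, snapshot_ts)
    drift = snapshot_ratio / observed - 1
    if abs(drift) > tol:
        findings.append(f"snapshot pair mismatch: ratio off by {drift:+.2%} at snapshot time")
    # 2. The resulting cap must not undercut the ratio currently observed.
    live = ratio_at(history, now)
    cap = capped_ratio(snapshot_ratio, snapshot_ts, max_yearly_growth, now)
    if cap < live:
        findings.append(f"cap {cap:.6f} is {1 - cap / live:.2%} below live ratio {live:.6f}")
    return findings

# Constructed sample data (not taken from the incident).
T0 = 1_700_000_000
HISTORY = [(T0, 1.2000), (T0 + 90 * DAY, 1.2100),
           (T0 + 180 * DAY, 1.2200), (T0 + 187 * DAY, 1.2207)]
NOW = T0 + 187 * DAY
GROWTH = 0.10  # hypothetical maximum yearly growth

# Ratio and timestamp taken from the same observation: no findings.
GOOD = check_snapshot(HISTORY, 1.2200, T0 + 180 * DAY, GROWTH, NOW)
# Old ratio paired with a newer timestamp: the cap undercuts the live ratio.
BAD = check_snapshot(HISTORY, 1.2000, T0 + 180 * DAY, GROWTH, NOW)

if __name__ == "__main__":
    print("consistent pair:", GOOD)
    print("mismatched pair:", BAD)
```
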

I fully support reimbursing the affected users. Aave’s reputation as the premier lending protocol in DeFi is built on trust, and making users whole after an operational error is absolutely the right thing to do. The users should not pay the price for this.

However, moving forward with a Direct-to-AIP to drain the DAO Treasury before answering the fundamental accountability questions raised in the post-mortem sets a dangerous precedent.

If the Aave DAO automatically steps in as a bailout fund (‘Papa DAO’) every time a highly-paid Service Provider (SP) makes a human or configuration error, we are creating a massive moral hazard. If the Treasury always foots the bill for operational mistakes, SPs have zero financial incentive to implement rigorous, zero-defect QA processes. Technical and human rigor will not improve if there are no consequences for failing to maintain it.

I will support this reimbursement so our users are protected immediately, but I strongly urge the community and the delegates to separate user reimbursement from DAO liability.

Therefore, I have two demands before this moves to an on-chain vote:

1. Acknowledgment of the Open Questions: We still have not received clear answers regarding who signed off on this flawed configuration and why our simulation pipelines failed to catch a 2.85% misalignment. We cannot vote on funding without understanding the failure.

2. SP Reimbursement Commitment: The DAO should front the money to the users now, but this must be paired with a formal commitment that the responsible Service Provider(s) will reimburse the Aave Treasury for this exact amount. This can be done via direct repayment or proportional deductions from their active funding streams.

‘Skin in the game’ cannot just be a buzzword used during budget approvals; it must be enforced when operational oversights cost the protocol money. Let’s pay the users, but let’s also hold our vendors accountable.

6 Likes

Update on the recovery effort: @bgdlabs successfully negotiated a partial return from one of the searchers involved. A total of 41.62 WETH was recovered, bringing the net cost to the DAO down to 316.94 WETH.

Why is this a direct-to-AIP? On what grounds does this qualify as such? Is there a precedent? Does this fall within the scope of a past ARFC that enables direct-to-AIP treatment for this situation?

If yes, move along.
If not – which wouldn’t be surprising – why is @TokenLogic making this choice? What is TL’s motivation in fast-forwarding this through governance? I can imagine this has been discussed among SPs, but any closed-door agreement does not change the fact that TL is owning it. Therefore, you should be able to provide an answer.

It is a slippery slope to twist governance processes, especially when the DAO’s funds are being affected. Governance should be held to higher standards, and TL as well. The request sounds reasonable; the means or the format does not, provided there are no successful answers to the above.