Original author: shushu
原文来源:blockbeats
On April 12, a user of Pac Finance, a lending app on Last, reported a $24 million liquidation on April 11 due to a sudden change in the parameters of the developer's wallet.
Pac Finance allows cryptocurrency holders to deposit funds and earn interest by borrowing and lending capital, and to ensure repayment, borrowers are only allowed to lend a certain percentage of the value of the collateral. This percentage is called the loan-to-value ratio (LTV). According to blockchain data from the Blast network, the Pac Finance developer wallet called a function on its PoolConfigurator-Proxy contract on April 11 at 1:06 AM UTC to set the LTV of ezETH to 60%.
LTVs can be changed by the development team, but are usually only executed after an announcement. However, this parameter change Pac Finance did not make an announcement on official channels, which led to the liquidation of platform users.
After the liquidation event fermented, the Pac Finance team members clarified in the community that it was not that there was no announcement, but that the decision was announced in response to others. He also said that the team had previously explained to the engineer in charge of the contract that the LTV needed to be modified, but the engineer modified the liquidity threshold without communicating with the team, which led to the problem, "We are investigating with several security audit experts such as pacman and zachxbt, and we are also contacting several users who have been affected."
Pac Finance is the first hybrid lending protocol on Blast with both peer-to-peer lending and peer-to-pool lending capabilities. Previously, it became a popular interactive protocol because of the anticipation of airdrops. After this unprovoked liquidation, the community also remembered the founding team's previous project, which also staged a drama event.
In May last year, NFT lending protocol ParaSpace staged an infighting drama, and a number of KOLs issued a warning that there was a conflict within the ParaSpace team and advised users to withdraw their funds as soon as possible. In this turmoil, the "project control" and "team trust" of the founding team of ParaSpace have been questioned to a certain extent, and although the safety of user funds has been subsequently ensured, it has been greatly affected at the level of market public opinion. Since then, ParaSpace has announced a merger and rebranding with Parallel Finance to create ParaX.
Going back to the Pac Finance incident, it is not the first project on Blast to have a fund security issue. As a Layer2 that was born at the end of last year, Blast has produced many early native projects under the rendering of airdrop expectations and the explosive growth of TVL, but at the same time, it has also generated a lot of problems.
At the beginning of March, Orbit Lending, a Blast lending protocol, was also accused by KOLs of having a problem with the liquidation threshold, which stated that 83% was the liquidation threshold, but the actual 80% would be liquidated. However, the project subsequently paid out the damaged users.
During the same period, the Blast ecosystem project Munchables said that it was attacked, and there was a suspected problem with the locking contract, resulting in the theft of 17,400 ETH (worth about $62.3 million). SomaXBT disclosed that Munchables had previously hired an unknown security team, EntersoftTeam, to issue audit reports in order to save audit costs. The team's account profile reads, "We're an award-winning app security company with certified white hat hackers," but the platform has just over a hundred followers.
ZachXBT analyzed that the four different developers hired by the Munchables team were probably the same person. But on the same day, the Munchables attackers returned another 17,000 ETH, much to the community's surprise.
All in all, in the crypto world, security is always a red line issue, and no matter how much financing is obtained, ensuring the safety of user funds is a must for a good project.