On April 12, users of Pac Finance, a lending app on Blast, said they had suffered a $24 million liquidation on April 11 because the developer wallet suddenly changed parameters.
Pac Finance allows cryptocurrency holders to deposit funds and earn interest by lending capital. To ensure repayment, borrowers are only allowed to borrow up to a certain percentage of the value of their collateral. This percentage is called the "loan-to-value ratio" (LTV). According to blockchain data from the Blast network, the Pac Finance developer wallet called a function on its PoolConfigurator-Proxy contract at 1:06 a.m. UTC on April 11, setting the LTV of ezETH to 60%.
The development team can change the LTV, but such changes are usually executed only after an announcement. Pac Finance, however, did not publish an announcement of this parameter change on its official channel, and platform users were liquidated as a result.
As the liquidation incident escalated, Pac Finance team members clarified in the community that it was not the case that no announcement had been made; rather, the decision had been announced in the course of responding to others. They also said that the team had previously explained the task of modifying the LTV to the engineer in charge of the contract, but the engineer arbitrarily modified the liquidity threshold without communicating with the team, which led to this problem. "We are investigating with several security audit experts such as pacman and zachxbt, and are contacting several users affected."
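An added example, not Pac Finance's code: a pre-change check that a protocol team could run over open positions before submitting a risk-parameter update, so that a change which would liquidate healthy accounts is blocked until it has been announced. It assumes an Aave-style health factor (collateral value × liquidation threshold ÷ debt, liquidatable below 1); the positions, the 0.80 starting threshold and all names are constructed, and 0.60 echoes the 60% figure reported above.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Position:
    owner: str
    collateral_usd: Decimal
    debt_usd: Decimal


def health_factor(pos, liq_threshold):
    """Assumed model: HF = collateral * threshold / debt. None means no debt."""
    if pos.debt_usd == 0:
        return None
    return pos.collateral_usd * liq_threshold / pos.debt_usd


def is_liquidatable(pos, liq_threshold):
    hf = health_factor(pos, liq_threshold)
    return hf is not None and hf < 1  # HF of exactly 1 is still safe


def review_threshold_change(positions, old, new):
    """Gate for a parameter update: flag accounts healthy now, liquidatable after."""
    hit = [p for p in positions
           if not is_liquidatable(p, old) and is_liquidatable(p, new)]
    return {
        "approve": not hit,
        "newly_liquidatable": [p.owner for p in hit],
        "debt_at_risk_usd": sum((p.debt_usd for p in hit), Decimal(0)),
    }


# Constructed sample book (hypothetical accounts and amounts).
SAMPLE_POSITIONS = [
    Position("alice", Decimal("100000"), Decimal("70000")),  # HF 1.14 -> 0.86
    Position("bob", Decimal("50000"), Decimal("20000")),     # HF 2.00 -> 1.50
    Position("carol", Decimal("10000"), Decimal("9000")),    # already below 1
    Position("dave", Decimal("5000"), Decimal("0")),         # no debt
    Position("erin", Decimal("30000"), Decimal("18000")),    # lands exactly on 1
]
OLD_THRESHOLD = Decimal("0.80")  # constructed starting value
NEW_THRESHOLD = Decimal("0.60")  # echoes the 60% figure in the article

if __name__ == "__main__":
    print(review_threshold_change(SAMPLE_POSITIONS, OLD_THRESHOLD, NEW_THRESHOLD))
```

Run against the sample book, the check rejects the change and names the single account it would push into liquidation; an account that was already liquidatable before the change is not attributed to it.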
Pac Finance is the first hybrid lending protocol on Blast, offering both peer-to-peer and peer-to-pool lending. It had previously become a popular protocol to interact with because of airdrop expectations. After the unexplained liquidation incident, the community also recalled the founding team's previous project, which had gone through a public drama of its own.
Last May, the NFT lending protocol ParaSpace went through a public internal dispute. Many KOLs published posts warning that there were conflicts within the ParaSpace team and suggesting that users withdraw their funds as soon as possible. The matter spread quickly through the community, and a large number of users, out of panic, withdrew their funds from ParaSpace at high gas prices. During this storm, the ParaSpace founding team's "project control" and "team trust" were questioned to a certain extent. Although the safety of user funds was subsequently ensured, the project was badly affected at the market level. After that, ParaSpace announced a merger and rebranding with Parallel Finance to create ParaX.
Returning to the Pac Finance incident, it is not the first project on Blast to have fund security issues. Blast is a Layer 2 that launched at the end of last year. Driven by airdrop expectations and explosive TVL growth, many early native projects have emerged on it, but many problems have arisen at the same time.
In early March, the Blast lending protocol Orbit Lending was also accused by KOLs of having problems with its liquidation threshold. The protocol stated that 83% was the liquidation threshold, but in reality a position would be liquidated once it reached 80%. The project subsequently compensated the affected users.
At the same time, the Blast ecosystem project Munchables said it had been attacked and that there were suspected problems with its locking contract, resulting in the theft of 17,400 ETH (worth about 62.3 million US dollars). SomaXBT disclosed that, in order to save on audit fees, Munchables had previously hired an unknown security team, EntersoftTeam, to issue an audit report. The team's account profile reads "We are an award-winning application security company with certified white hat hackers", but the platform has only more than a hundred followers.
According to ZachXBT's analysis, the four different developers hired by the Munchables team may be the same person. On the same day, however, the Munchables attacker returned 17,000 ETH, which puzzled the community.
In short, in the crypto world, security is always a red line issue. No matter how much financing is obtained, ensuring the security of user funds is a must for a good project.