DeFi User Loses $50M in Crypto Swap Gone Wrong
A crypto user has lost millions during a crypto swap on the decentralized finance protocol Aave, with a Maximal Extractable Value, or MEV, bot also front-running the transaction to make almost $10 million.
A recently funded wallet from Binance containing $50.4 million USDt (USDT) executed a swap via decentralized exchange aggregator CoW Protocol and the SushiSwap DEX on Thursday, aiming to convert the full amount into the Aave (AAVE) token.
However, the wallet only received 327 AAVE tokens valued at approximately $36,000, according to Etherscan.
The result was an almost total loss as the user paid around $154,000 per AAVE, compared to its market price of around $114.
Adding to the loss was a MEV bot that did a “sandwich attack” on the user. MEV bots scan pending blockchain transactions, and in this case, targeted the large incoming AAVE order to inflate the price of the token ahead of the order to profit.
The bot front-ran the transaction by flash-borrowing $29 million wrapped Ether (ETH) tokens from Morpho to drive up the price of AAVE ahead of the user’s transaction with a purchase on Bancor. It then sold the inflated tokens on SushiSwap for a $9.9 million profit.
User ignored slippage warnings: Aave
Automated market makers, such as SushiSwap, use an automated pricing formula that adjusts slippage, the intended and actual price of a trade, depending on the size of the trading pool and impending trades.
Aave founder Stani Kulechov posted to X that the protocol interface warned the user about the “extraordinary slippage” due to the “unusually large size of the single order.”
“The user confirmed the warning on their mobile device and proceeded with the swap, accepting the high slippage, which ultimately resulted in receiving only 324 AAVE in return,” he said.
Related: Vitalik Buterin proposes solutions for Ethereum’s MEV problem
CoW DAO said on X that “despite clear warnings that showed the user they would lose nearly all of the value of their transaction, and despite needing to explicitly opt into the trade after seeing the warning, the user chose to proceed with their swap.”
“No DEX, DEX aggregator, public liquidity pool, or private liquidity pool (or combination thereof) would have been able to fill this trade at anywhere near a reasonable price.”
CoW DAO said that trades like this “show that DeFi UX still isn’t where it needs to be to protect all users,” adding that it would refund any protocol fees associated with the transaction.
Aave’s Kulechov said it sympathized with the user and would attempt to contact them to return $600,000 in fees it collected from the transaction.
“The key takeaway is that while DeFi should remain open and permissionless, allowing users to perform transactions freely, there are additional guardrails the industry can build to better protect users.”
Magazine: All 21 million Bitcoin is at risk from quantum computers
