Executive Summary
On 10 March 2026, a divergence on the Chainlink wstETH/stETH price feed, governed by the CAPO internal rate cap mechanism (snapshotRatio configuration), drove roughly $26M in liquidations across Aave's CAPO-governed markets. The mechanism was not an exploit of code but of timing: the oracle behaved exactly as configured, and the configuration was the vulnerability.
The same oracle configuration underpins positions held well beyond Aave. This report documents the vector in full and then examines one correlation that, to our knowledge, no public source has recorded.
Methodology & Sources
This analysis was conducted entirely from public and on-chain sources: Aave governance records, Chainlink feed configuration, on-chain transaction data for the affected markets, and Nexus Mutual's published governance forum. Where a figure derives from a governance vote rather than a directly read on-chain position, it is labelled as such. Unverified items are stated explicitly in Open Questions rather than omitted.
Timeline
- 2026-03-10 · T-0 · wstETH/stETH rate last updated within CAPO snapshotRatio interval; market price begins to drift from the on-chain reported value.
- 2026-03-10 · T+hrs · Drift reaches 2.85% (Chaos Labs, ForkLog), exceeding the buffer CAPO's bounded adjustment allows for the stale feed.
- 2026-03-10 · liquidation cascade · Positions priced against the stale feed cross liquidation thresholds; ~$26M cleared.
Analysis
CAPO (Correlated-Asset Price Oracle) bounds the rate at which a correlated asset's price may move relative to its reference via an internal rate cap mechanism (snapshotRatio configuration). The protection assumes the snapshotRatio is kept current. When the snapshotRatio lags real market moves, CAPO's bounded adjustment cannot close a gap it never sees.
Any oracle feed endpoint sharing this configuration carries the same attack surface: a rate cap lag within the CAPO snapshotRatio configuration is sufficient to trigger a cascade at scale.
The distinction matters for anyone relying on this feed: the failure is structural and reproducible, not a one-off. Any position whose solvency depends on this configuration carries the same latent exposure.
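The following is an added example, not part of the original report and not Aave's or Chainlink's code: a simplified Python model of a snapshot-anchored ratio cap, showing how a lagging snapshotRatio makes the capped value undershoot the live ratio and marks an otherwise healthy position as liquidatable. The linear cap formula, the parameter names, and every number are assumptions constructed for illustration.

```python
from dataclasses import dataclass

SECONDS_PER_YEAR = 365 * 24 * 3600
BPS = 10_000

@dataclass(frozen=True)
class CapConfig:
    snapshot_ratio: float       # ratio stored when the cap was last configured
    snapshot_ts: int            # unix time the snapshot refers to
    max_yearly_growth_bps: int  # allowed growth per year, in basis points

def max_ratio(cfg: CapConfig, now: int) -> float:
    """Upper bound: snapshot plus linear growth since the snapshot (assumed model)."""
    per_second = cfg.snapshot_ratio * cfg.max_yearly_growth_bps / BPS / SECONDS_PER_YEAR
    return cfg.snapshot_ratio + per_second * (now - cfg.snapshot_ts)

def capped_ratio(cfg: CapConfig, live_ratio: float, now: int) -> float:
    """Ratio the lending market prices against: the live ratio, clamped to the cap."""
    return min(live_ratio, max_ratio(cfg, now))

def divergence_pct(cfg: CapConfig, live_ratio: float, now: int) -> float:
    """How far the capped ratio undershoots the live ratio, in percent."""
    return (live_ratio - capped_ratio(cfg, live_ratio, now)) / live_ratio * 100

def health_factor(collateral: float, ratio: float, debt: float, liq_threshold: float) -> float:
    """Collateral value times liquidation threshold over debt; below 1.0 is liquidatable."""
    return collateral * ratio * liq_threshold / debt

# Constructed sample values, not figures from the incident.
NOW = 1_700_000_000
WEEK = 7 * 24 * 3600
LIVE_RATIO = 1.2300
CURRENT = CapConfig(snapshot_ratio=1.2290, snapshot_ts=NOW - WEEK, max_yearly_growth_bps=1000)
LAGGING = CapConfig(snapshot_ratio=1.1900, snapshot_ts=NOW - WEEK, max_yearly_growth_bps=1000)
POSITION = dict(collateral=100.0, debt=112.0, liq_threshold=0.93)

def report(cfg: CapConfig) -> tuple[float, float]:
    """Return (divergence in percent, health factor as the market sees it)."""
    ratio = capped_ratio(cfg, LIVE_RATIO, NOW)
    return divergence_pct(cfg, LIVE_RATIO, NOW), health_factor(ratio=ratio, **POSITION)

if __name__ == "__main__":
    for name, cfg in (("current", CURRENT), ("lagging", LAGGING)):
        div, hf = report(cfg)
        print(f"{name}: divergence={div:.2f}% health_factor={hf:.3f}")
```

A monitor built on the same comparison would alert when the divergence is non-zero for a feed whose live ratio has not actually jumped, since that points at the snapshot configuration rather than the market.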
Cross-Protocol Implications
The same oracle family reaches an entity positioned on both sides of the same risk. Nexus Mutual's governance approved an allocation of 5,160 ETH to the Steakhouse ETH Morpho Vault via NMPIP (forum.nexusmutual.io, November 2025) — a vault operating on the same wstETH/stETH oracle configuration described above.
Nexus is simultaneously an underwriter of protocols in this oracle family and a depositor exposed to it. A deviation event of the kind documented here would, in principle, touch both sides of that balance sheet at once. The depositor side is traceable from public governance records; the underwriter side is held internally by Nexus alone. We document the correlation; we do not claim to quantify the side only they can see.
Open Questions & Unverified
- The 5,160 ETH figure reflects the approved governance allocation, not a live on-chain position read on the date of publication. The actual deployed amount may differ.
- The underwriter-side exposure of Nexus Mutual to this oracle family is not publicly quantifiable and is not estimated here.
- The intermediary Enzyme Vault address routing the Nexus allocation is not independently confirmed in this report.
About this report
Forensic Capital produces independent, source-traceable forensic analysis of DeFi incidents. This report is public. Correspondence regarding methodology or the correlation above is welcome.
forensic-capital.com · Ω
This hash fixes the published version at the stated date. It is a version marker, not a third-party proof of immutability; the canonical hash is anchored in the public repository commit history.