When a Defi user loses 14 ETH (~ $ 33,000) because of a defective oracle update, who then takes responsibility? If you ask Morpho, Pyth Network and RE7 Labs, the answer is: nobody.
That is exactly what happened in the beginning of March when “Jameis” found a user of a RE7 safe on Morpho-Hun supported by CBETH, liquidated due to a price feed delay between Pyth’s CBETH/USD and ETH/USD-FEEDS. While the ETH price continued to update, Cbeth’s continued to be frozen for almost an hour. The result? A price ratio deformation that caused liquidations, although the Cbeth/ETH ratio never actually varied.
The debt game starts
Faced with a loss of $ 33,000, Jameis turned to the Morpho Governance Forum – where they go through “Chicitybulls” – and the disagreement of Morpho to demand answers. But instead of a resolution, they found themselves caught in a circle of decentralized responsibility:
To paraphrase:
- The attitude of Morpho: we are Oracle -agnostic. Vault curators (RE7) choose their own oracles. We simply offer the infrastructure.
- The attitude of Pyth: our prices were accurate. We are permissionless. Someone (RE7, or even the user) should have performed an extra planner to update the feed.
- The attitude of RE7 Labs: yes, there was a mismatch of timing … but that’s just how push -based oracles work. We will improve our setup next time.
Nobody has claimed direct responsibility. Nobody has offered a reimbursement.
The devil is in the details. This was not an exploit or price manipulation, but rather an architectural failure:
- Pyth’s Push-based model meant that price updates were not automatically synchronized.
- RE7 Labs did not perform an independent planner to ensure that updates remained synchronous.
- Morpho, despite offering the Vault -Listings, does not maintain reliability standards for Oracle -updates -leaves it to the curator.
The liquidation bone saw the distorted price, considered the position under water and carried out the liquidation. That was the game for the 14 ETH of the user.
$ 30,000 is a small amount in the large diagram of Defi, a small tragedy that the stretch leader board will not make. But the incident reflects a problem with much greater consequences: what happens when decentralized responsibility does not mean responsibility?
We all know that the adaging code is law, but what is a minnow of the yields of the farmers to do here?
Decentralization is often sold as a solution for the coverage and unfairness of Tradefi, but this case emphasizes its own set of mistakes. In Tradfi, if a brokerage is wrongly liquidated your position due to incorrect data, you have legal use. In Defi? You sometimes get a forum answers about authorizationless infrastructure.
It seems clear that RE7 -Labs could have implemented guarantees, such as a time stamp verification to prevent liquidations based on old data.
Pyth could also improve the planning guarantees instead of moving the load to integrators.
Morpho can still go on the blacklist of curators through its frontend, so it has a regulatory hand in which safes are mentioned on its platform (or which curators get the boot).
Instead, all parties claim that it is not their problem. RE7 has not returned a request for comment.
A spokesperson for Morpho said in practice that “unless [curators] Trying to deliberately lift, vaults are displayed on the frontend of Morpho, “the platform” completely not -taken and taken [a] Neutral infrastructure. “
Marc Tilling, director of Pyth Data Association, told Blockworks “If the safe manager (or the protocol in some cases) had performed his own planner or an extra planner to activate price updates himself, this problem could have been avoided.”
In the meantime, the user – who apparently has not done anything unusual or unnecessary risky – is hung to dry.
If Defi has to scales further than a niche of electric whales, risk vocation must be provided with some responsibility when users suffer unintended losses. Without accountability mechanisms – whether it concerns insurance, recovery processes or stricter Oracle integration standards – such events will continue to take place.
For now, one thing is clear: “Jameis” lost 14 ETH, and none of the parties gives enough to make it right.
