DeFi User Loses 14 ETH Due to Faulty Oracle Update

Generated by AI Agent Coin World
Thursday, Mar 20, 2025 2:14 pm ET

In early March, a DeFi user identified as "jameis" experienced a significant loss of 14 ETH, equivalent to approximately $33,000, due to a faulty oracle update. The incident involved a cbETH-backed loan on an Re7 vault through the Morpho platform, which was liquidated because of a price feed delay between Pyth’s cbETH/USD and ETH/USD feeds. Although ETH’s price was updating regularly, cbETH’s price remained stagnant for nearly an hour, producing a distorted price ratio that triggered the liquidation.

The user sought answers on the Morpho governance forum and Discord, but encountered a cycle of decentralized responsibility-dodging. Morpho, the platform providing the infrastructure, claimed they were oracle-agnostic and that vault curators, such as Re7, choose their own oracles. Pyth Network, the oracle service, asserted that their prices were accurate and that someone should have run an extra scheduler to update the feed. Re7 Labs acknowledged a timing mismatch but attributed it to the nature of push-based oracles, promising improvements for future setups. None of the parties took direct responsibility or offered compensation.

The incident highlights an architectural failure rather than an exploit or price manipulation. Pyth’s push-based model did not automatically synchronize price updates, Re7 Labs did not run an independent scheduler to ensure updates stayed in sync, and Morpho did not enforce reliability standards for oracle updates, leaving it up to the curator. The liquidation bot, seeing the distorted price, deemed the position underwater and executed the liquidation, resulting in the user’s loss of 14 ETH.

While $33,000 may seem like a small sum in the grand scheme of DeFi, the incident underscores a broader issue of accountability in decentralized finance. Decentralization, often touted as a solution to Traditional Finance’s opacity and unfairness, reveals its own set of flaws. In Traditional Finance, users have legal recourse if a brokerage incorrectly liquidates their position due to faulty data. In DeFi, users may only receive forum replies about permissionless infrastructure.

Re7 Labs could have implemented safeguards, such as timestamp verification, to prevent liquidations based on stale data. Pyth could improve its scheduling guarantees instead of shifting the burden onto integrators. Morpho, despite its neutral stance, has the power to blacklist curators via its frontend, which influences which vaults get listed on its platform. However, all parties involved claimed it was not their responsibility, leaving the user to bear the loss.
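The timestamp verification mentioned above can be modeled off-chain in a few lines. The following is an added example, not code from Re7 Labs, Morpho or Pyth: it refuses to price a position when either feed is too old or when the two feeds were published too far apart. The thresholds, prices, position size and all function names are constructed assumptions.

```python
from dataclasses import dataclass

MAX_AGE_S = 120   # assumed: oldest publish time accepted for either feed
MAX_SKEW_S = 60   # assumed: largest gap allowed between the two publish times

@dataclass(frozen=True)
class FeedPrice:
    price: float        # USD price reported by the feed
    publish_time: int   # Unix seconds at which that price was published

class StalePriceError(Exception):
    """Raised when a feed pair must not be used to price a position."""

def checked_ratio(base: FeedPrice, quote: FeedPrice, now: int) -> float:
    """Return base/quote only if both feeds are fresh and mutually in sync."""
    for name, feed in (("base", base), ("quote", quote)):
        age = now - feed.publish_time
        if age < 0 or age > MAX_AGE_S:
            raise StalePriceError(f"{name} feed age {age}s outside 0..{MAX_AGE_S}s")
        if feed.price <= 0:
            raise StalePriceError(f"{name} feed price is not positive")
    skew = abs(base.publish_time - quote.publish_time)
    if skew > MAX_SKEW_S:
        raise StalePriceError(f"feeds are {skew}s apart, limit {MAX_SKEW_S}s")
    return base.price / quote.price

def underwater(collateral: float, debt: float, lltv: float, ratio: float) -> bool:
    """True when debt exceeds the borrowing power of the collateral."""
    return debt > collateral * ratio * lltv

def liquidation_decision(collateral, debt, lltv, base, quote, now):
    """Return (liquidate, reason); stale or skewed data always blocks liquidation."""
    try:
        ratio = checked_ratio(base, quote, now)
    except StalePriceError as exc:
        return False, f"refused: {exc}"
    return underwater(collateral, debt, lltv, ratio), f"ratio={ratio:.4f}"

# Constructed scenario: ETH/USD is current, cbETH/USD was last published 55 minutes ago.
NOW = 1_741_000_000
ETH_USD = FeedPrice(2200.0, NOW - 10)
CBETH_STALE = FeedPrice(2310.0, NOW - 3300)
CBETH_FRESH = FeedPrice(2420.0, NOW - 12)
POSITION = dict(collateral=100.0, debt=98.0, lltv=0.9)  # 100 cbETH backing 98 ETH

if __name__ == "__main__":
    naive = underwater(ratio=CBETH_STALE.price / ETH_USD.price, **POSITION)
    print("unchecked ratio liquidates:", naive)
    print("stale pair:", liquidation_decision(**POSITION, base=CBETH_STALE, quote=ETH_USD, now=NOW))
    print("fresh pair:", liquidation_decision(**POSITION, base=CBETH_FRESH, quote=ETH_USD, now=NOW))
```

With the constructed numbers, the unchecked ratio marks the position as liquidatable, while the guarded path refuses to act on the stale cbETH price and finds the position healthy once both feeds are current.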

For DeFi to scale beyond a niche of power user whales, risk curation must come with some responsibility when users suffer unintended losses. Without accountability mechanisms, such as insurance, fund recovery processes, or stricter oracle integration standards, similar events will continue to occur. Currently, the user "jameis" lost 14 ETH, and none of the involved parties have shown sufficient concern to rectify the situation.
