TLDR
- March 12 witnessed DeFi’s largest execution loss when a user received roughly $36,000 in AAVE after swapping over $50 million in USDT through Aave’s interface.
- Aave attributed the loss to illiquid markets; CoW Swap’s investigation uncovered multiple infrastructure breakdowns, including outdated gas limits that blocked superior quotes.
- The top-performing solver secured wins in two trading auctions but never executed either transaction, forcing the order through the worst available option.
- Evidence suggests a mempool leak potentially allowed MEV bots to capture approximately $34 million, while another bot secured nearly $10 million through sandwich attack tactics.
- Aave Shield will launch soon, automatically preventing swaps that exceed 25% price impact.
March 12 marked a devastating moment for decentralized finance when an Aave platform user exchanged $50.4 million in aEthUSDT tokens, receiving approximately $36,000 in AAVE tokens. CoW Swap, a decentralized exchange embedded within the Aave interface, processed the transaction.
Saturday, March 15 brought separate post-mortem reports from both organizations. While they align on fundamental facts, their conclusions about the root cause diverge.
According to Aave, insufficient market liquidity represented the primary issue. The transaction moved through a SushiSwap pool containing merely $73,000 in total liquidity during execution.
Before finalizing the swap, the user encountered a warning displaying “High price impact (99.9%)”. They manually checked a box acknowledging potential 100% value loss, which Aave verified through internal audit records.
The user completed the transaction via mobile device despite these alerts. Aave reports the affected funds remain held, with no contact initiated by the user to either organization.
How CoW Swap’s Infrastructure Made Things Worse
CoW Swap’s analysis expanded beyond Aave’s assessment, identifying several system breakdowns that escalated a poor trade into a historic loss.
Three solvers provided responses during the quotation phase. The highest-quality quotes would have delivered between $5 and $6 million in AAVE — representing roughly 90% loss, yet significantly better than the final outcome.
CoW Swap’s quote verification process relied on a hardcoded gas limit of 12 million units. The platform described this as “legacy code predating current gas consumption patterns.” Routes offering better prices failed this verification and received rejection.
A single quote succeeded — from a solver proposing approximately 329 AAVE, about 150 to 200 times inferior to competing options. This quote established the order’s limit price.
Solver E, a different participant, discovered a superior route and claimed victory in two consecutive trading auctions. However, it never broadcast either transaction to the blockchain. Following two execution failures, it ceased bidding. CoW acknowledged their system lacked mechanisms to identify or respond to this failure pattern.
MEV Bots and a Possible Mempool Leak
With only an inferior solver remaining active, conditions favored exploitation. Blockchain data revealed Titan Builder, a block builder, extracted approximately $34 million in ETH from the transaction. A separate MEV bot captured nearly $10 million via sandwich attack methods.
CoW Swap identified evidence pointing toward a potential mempool leak. While the transaction entered through a private channel, Etherscan displayed a tag suggesting it appeared in the public mempool before block inclusion. This investigation continues.
When the partnership expanded in December 2025, CoW Swap’s integration with Aave emphasized MEV-protection features as a key benefit.
Aave Shield is entering deployment phase and will block swaps exceeding 25% price impact as the default setting. CoW Swap confirmed the hardcoded gas limit has received corrections. This swap occurred merely two days following a separate Aave oracle malfunction that caused $26 million in improper liquidations affecting 34 accounts.
