
Briefing

The Moonwell lending protocol on Base was compromised in a sophisticated oracle manipulation attack, exploiting a temporary mispricing of the wrstETH collateral asset. This vulnerability allowed the attacker to deposit a minimal amount of the token, which the compromised oracle valued at a grossly inflated price, enabling a massive, under-collateralized loan withdrawal. The immediate consequence was the draining of the protocol’s liquidity, leading to an approximate loss of $1 million in assets before the system could be paused.


Context

Lending protocols, by design, rely on external price oracles to determine collateral value and manage liquidation risks, creating a critical external dependency and a known attack surface. The prevailing risk was that a momentary lapse or glitch in a trusted oracle’s price feed could be immediately exploited by an attacker executing rapid, single-block transactions. This incident highlights the inherent fragility of relying on external infrastructure for core financial logic, especially following the protocol’s prior history of security concerns and the cancellation of its bug bounty program.


Analysis

The exploit was a classic collateral manipulation attack executed via a flash loan. The attacker first acquired a small amount of wrstETH and then leveraged a temporary Chainlink oracle malfunction that reported a grossly inflated price for the token. By depositing a tiny amount of this now-overvalued wrstETH as collateral, the attacker was able to borrow a disproportionately large amount of other assets, specifically over 20 wstETH. This process was repeated across multiple transactions before the mispricing was corrected, draining the lending pool on the basis of a flawed, temporary system state.


Parameters

  • Key Metric ∞ $1,000,000 ∞ Total estimated value of assets lost to the attacker’s over-borrowing scheme.
  • Attack Vector ∞ Oracle Mispricing ∞ The specific vulnerability that incorrectly valued 0.02 wrstETH at $5.8 million.
  • Affected Asset ∞ wrstETH ∞ The wrapped staked Ether derivative that was temporarily mispriced by the external feed.
  • Blockchain ∞ Base Layer 2 ∞ The specific network where the Moonwell protocol was deployed and exploited.


Outlook

Immediate mitigation requires all lending protocols to implement robust, multi-layered oracle validation checks, including time-weighted average prices (TWAPs) and circuit breakers, to prevent single-point failures. The primary second-order effect is a renewed focus on the security of wrapped staking derivatives and the systemic risk they pose when used as collateral. This incident will likely establish a new security best practice mandating internal sanity checks on collateral valuation that flag and reject extreme, non-market-based price deviations from external feeds.
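A small Python model of the validation layer described above, added here as an illustration (it is not Moonwell's or Chainlink's code): a feed answer is checked for staleness and for deviation from a time-weighted average of previously accepted prices, and an outlier opens a circuit breaker. The thresholds, the calm prices and the names `GuardedOracle`, `borrow_limit_usd` and `replay` are assumptions; the spike is the per-token price implied by 0.02 wrstETH being valued at $5.8 million.

```python
from collections import deque

class PriceRejected(Exception):
    """Feed price failed validation; the market must stop using it."""

class GuardedOracle:
    def __init__(self, window_s=1800, max_deviation=0.20, max_age_s=3600):
        # All three thresholds are assumed values for this sketch.
        self.window_s, self.max_deviation, self.max_age_s = window_s, max_deviation, max_age_s
        self.accepted = deque()   # (timestamp, price) pairs that passed checks
        self.paused = False       # circuit breaker; cleared only by operators

    def twap(self, now):
        """Time-weighted average of accepted prices (last one if none recent)."""
        pts = [(t, p) for t, p in self.accepted if t >= now - self.window_s] or [self.accepted[-1]]
        ends = [t for t, _ in pts[1:]] + [now]          # when each price stopped applying
        spans = [max(end - t, 1) for (t, _), end in zip(pts, ends)]
        return sum(p * s for (_, p), s in zip(pts, spans)) / sum(spans)

    def submit(self, now, price, updated_at):
        """Validate one feed answer; return it or raise PriceRejected."""
        if self.paused:
            raise PriceRejected("circuit breaker open")
        if price <= 0 or now - updated_at > self.max_age_s:
            raise PriceRejected("non-positive or stale answer")
        if self.accepted:                 # the first answer bootstraps the window
            ref = self.twap(now)
            if abs(price - ref) / ref > self.max_deviation:
                self.paused = True        # halt borrowing against this asset
                raise PriceRejected(f"{price} deviates from TWAP {ref:.2f}")
        self.accepted.append((now, price))
        return price

def borrow_limit_usd(amount, price, collateral_factor):
    """USD a lending market would allow against `amount` tokens at `price`."""
    return amount * price * collateral_factor

def replay(feed, oracle):
    """Run (timestamp, price) answers through the guard; collect outcomes."""
    ok, rejected = [], []
    for t, price in feed:
        try:
            ok.append(oracle.submit(t, price, updated_at=t))
        except PriceRejected:
            rejected.append(price)
    return ok, rejected

# Constructed feed: calm prices, then the spike ($5.8M / 0.02 = $290M per token).
FEED = [(0, 3500.0), (300, 3510.0), (600, 3495.0), (900, 290_000_000.0), (1200, 3505.0)]
```

Once the breaker opens, even the later normal answer is refused until an operator resets it, so the mispriced collateral never reaches `borrow_limit_usd`.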


Verdict

The Moonwell exploit serves as a critical, high-fidelity reminder that external oracle dependencies remain the most vulnerable systemic vector for immediate and catastrophic lending protocol failure.

Signal Acquired from ∞ coingabbar.com
