Security

Lending Protocol Moonwell Exploited via Faulty Oracle Price Feed Manipulation

A critical oracle feed error allowed an attacker to leverage flash loans, artificially inflating collateral value and draining $1 million from Moonwell lending pools.
November 11, 20253 min

Gleaming white toroidal structures and a satellite dish dominate a dark, futuristic space, interlaced with streams of glowing blue binary code. This imagery evokes the complex architecture of decentralized autonomous organizations DAOs and their integration with advanced satellite networks for global data dissemination
The image displays intricate transparent blue structures, partially adorned with granular white frost, encapsulating clusters of vibrant blue granular material. A smooth white sphere is positioned on one of the frosted blue elements

Briefing

The Moonwell decentralized lending protocol on the Base and Optimism networks was compromised by a sophisticated oracle manipulation attack on November 4, 2025. This systemic failure allowed a threat actor to exploit a faulty off-chain price feed, enabling the borrowing of substantial assets against artificially inflated collateral. The attack vector, executed via a flash loan and repeated transactions, resulted in a confirmed loss of approximately $1 million in Ether and liquid staking derivatives.

The image displays smooth, glossy, intertwined abstract forms rendered in a palette of white, light blue, dark blue, and silver, set against a soft grey background. These dynamic, flowing shapes create a sense of interconnectedness and layered complexity

Context

The prevailing architectural risk in DeFi lending remains the reliance on external data feeds for collateral valuation, particularly for newly deployed or complex assets like liquid staking derivatives. Despite multiple security audits, protocols often fail to implement robust, multi-source oracle validation mechanisms or sufficient heartbeat updates, leaving a critical attack surface open to price manipulation and flash loan-enabled arbitrage. This class of exploit is a known, persistent weakness in the lending sector.

A detailed close-up showcases a high-tech, modular hardware device, predominantly in silver-grey and vibrant blue. The right side prominently features a multi-ringed lens or sensor array, while the left reveals intricate mechanical components and a translucent blue element

Analysis

The attack vector targeted a malfunctioning off-chain oracle providing the rsETH/ETH price feed, which incorrectly reported the price of wrapped restaked ETH ( wrstETH ) at a massive overvaluation of approximately $5.8 million per token. The attacker initiated a flash loan to deposit a minimal amount of wrstETH (e.g. 0.02 wrstETH ), which the protocol’s lending contract, relying on the faulty oracle, incorrectly valued as sufficient collateral.

This allowed the actor to repeatedly borrow a disproportionate amount of assets, specifically wstETH , against the artificially inflated collateral value, effectively draining the liquidity pools on both Base and Optimism deployments. The transactions were likely executed by a Maximum Extractable Value (MEV) bot, exploiting the price discrepancy immediately.

A polished metallic object, featuring multiple parallel blades and geometric facets, protrudes from a layer of fine white foam. Bright blue, irregularly shaped crystalline structures are scattered beneath and around the foamy surface

Parameters

  • Total Loss → $1 Million → The approximate value of 295 ETH and other assets drained from the protocol.
  • Vulnerability TypeOracle Manipulation → Exploit of a faulty rsETH/ETH price feed for collateral valuation.
  • Exploited Asset → Wrapped Restaked ETH ( wrstETH ) → The token whose price was artificially inflated by the faulty oracle to enable the over-collateralized loan.
  • Chains Affected → Base and Optimism → The Layer 2 networks where the vulnerable lending contracts were deployed.

The image displays several blue and clear crystalline forms and rough blue rocks, arranged on a textured white surface resembling snow, with a white fabric draped over one rock. A reflective foreground mirrors the scene, set against a soft blue background

Outlook

Immediate mitigation requires all lending protocols to review and harden their oracle integration logic, prioritizing decentralized, time-weighted average price (TWAP) mechanisms over single-source feeds, especially for volatile or low-liquidity assets. This incident will accelerate the adoption of real-time risk monitoring systems to detect and pause anomalous collateral-to-debt ratios instantly, preventing the compounding effect of repeated flash loan transactions. The second-order effect is a renewed focus on the security of liquid staking derivatives as collateral, given their complex price derivation logic and the critical need for a robust oracle layer.

An abstract composition displays translucent white and deep indigo forms intricately intertwined, enveloping a bright, flowing cyan core. A small, clear spherical element rests on the left, interacting with the blue streams

Verdict

This oracle manipulation attack confirms that external data dependency remains the single most critical and under-mitigated systemic risk in the entire decentralized lending landscape.

Oracle manipulation, flash loan attack, price feed exploit, lending protocol security, smart contract vulnerability, decentralized finance risk, collateral valuation error, layer two network, Base network exploit, Optimism network, on-chain arbitrage, restaking token, liquid staking derivative Signal Acquired from → coingabbar.com

Micro Crypto News Feeds

liquid staking derivatives

Definition ∞ Liquid Staking Derivatives (LSDs) are tokenized representations of staked cryptocurrencies, allowing users to retain liquidity while participating in proof-of-stake network validation.

collateral valuation

Definition ∞ Collateral valuation is the process of determining the monetary worth of assets pledged to secure a loan or other financial obligation within decentralized finance protocols.

attack vector

Definition ∞ An attack vector is a pathway or method by which malicious actors can gain unauthorized access to a system or digital asset.

collateral

Definition ∞ Collateral refers to an asset pledged by a borrower to a lender as security for a loan.

protocol

Definition ∞ A protocol is a set of rules governing data exchange or communication between systems.

oracle manipulation

Oracle Manipulation ∞ is a type of attack where the data provided by a blockchain oracle is deliberately falsified or corrupted.

price

Definition ∞ Price represents the monetary value assigned to an asset or service in exchange for other goods or services.

lending

Definition ∞ Lending in the digital asset space involves the provision of cryptocurrencies to borrowers in exchange for interest payments.

staking derivatives

Definition ∞ Staking derivatives are liquid tokens that represent staked assets on a proof-of-stake blockchain, allowing users to maintain liquidity while earning staking rewards.

oracle manipulation attack

Definition ∞ An Oracle Manipulation Attack involves deliberately falsifying or distorting external data feeds that supply information to smart contracts on a blockchain.

Tags:

Tags: