Skip to main content
Security

Lending Protocol Moonwell Exploited via Faulty Oracle Price Feed Manipulation

A critical oracle feed error allowed an attacker to leverage flash loans, artificially inflating collateral value and draining $1 million from Moonwell lending pools.
November 11, 20253 min

A close-up view shows a grey, structured container partially filled with a vibrant blue liquid, featuring numerous white bubbles and a clear, submerged circular object. The dynamic composition highlights an active process occurring within a contained system
The image presents a detailed view of a high-tech apparatus featuring metallic and translucent blue elements, with clear blue water actively splashing and flowing around its intricate parts. Bright blue light glows from within the mechanism, emphasizing its dynamic and complex internal workings

Briefing

The Moonwell decentralized lending protocol on the Base and Optimism networks was compromised by a sophisticated oracle manipulation attack on November 4, 2025. This systemic failure allowed a threat actor to exploit a faulty off-chain price feed, enabling the borrowing of substantial assets against artificially inflated collateral. The attack vector, executed via a flash loan and repeated transactions, resulted in a confirmed loss of approximately $1 million in Ether and liquid staking derivatives.

The image displays a sophisticated modular mechanism featuring interconnected white central components and dark blue solar panel arrays. Intricate blue textured elements surround the metallic joints, contributing to the futuristic and functional aesthetic of the system

Context

The prevailing architectural risk in DeFi lending remains the reliance on external data feeds for collateral valuation, particularly for newly deployed or complex assets like liquid staking derivatives. Despite multiple security audits, protocols often fail to implement robust, multi-source oracle validation mechanisms or sufficient heartbeat updates, leaving a critical attack surface open to price manipulation and flash loan-enabled arbitrage. This class of exploit is a known, persistent weakness in the lending sector.

A luminous blue faceted crystal stands prominently amidst soft white cloud-like textures. A translucent blue shard is partially visible on the left, also embedded in the ethereal substance

Analysis

The attack vector targeted a malfunctioning off-chain oracle providing the rsETH/ETH price feed, which incorrectly reported the price of wrapped restaked ETH ( wrstETH ) at a massive overvaluation of approximately $5.8 million per token. The attacker initiated a flash loan to deposit a minimal amount of wrstETH (e.g. 0.02 wrstETH ), which the protocol’s lending contract, relying on the faulty oracle, incorrectly valued as sufficient collateral.

This allowed the actor to repeatedly borrow a disproportionate amount of assets, specifically wstETH , against the artificially inflated collateral value, effectively draining the liquidity pools on both Base and Optimism deployments. The transactions were likely executed by a Maximum Extractable Value (MEV) bot, exploiting the price discrepancy immediately.

Two intricately designed metallic gears, featuring prominent splined teeth, are captured in a dynamic close-up. A luminous, translucent blue liquid actively flows around and through their engaging surfaces, creating a sense of constant motion and interaction, highlighting the precision of their connection

Parameters

  • Total Loss ∞ $1 Million ∞ The approximate value of 295 ETH and other assets drained from the protocol.
  • Vulnerability TypeOracle Manipulation ∞ Exploit of a faulty rsETH/ETH price feed for collateral valuation.
  • Exploited Asset ∞ Wrapped Restaked ETH ( wrstETH ) ∞ The token whose price was artificially inflated by the faulty oracle to enable the over-collateralized loan.
  • Chains Affected ∞ Base and Optimism ∞ The Layer 2 networks where the vulnerable lending contracts were deployed.

A sleek white modular device emits a vivid blue, crystalline stream onto a grid of dark blue circuit boards. Scattered blue fragments also rest upon the circuit panels, extending from the device's output

Outlook

Immediate mitigation requires all lending protocols to review and harden their oracle integration logic, prioritizing decentralized, time-weighted average price (TWAP) mechanisms over single-source feeds, especially for volatile or low-liquidity assets. This incident will accelerate the adoption of real-time risk monitoring systems to detect and pause anomalous collateral-to-debt ratios instantly, preventing the compounding effect of repeated flash loan transactions. The second-order effect is a renewed focus on the security of liquid staking derivatives as collateral, given their complex price derivation logic and the critical need for a robust oracle layer.

The image displays abstract, translucent, glass-like structures, with a prominent, sharply focused one in the foreground that bends and recedes into the background. Hints of vibrant blue elements, possibly representing flowing liquid or light, are visible within and behind these clear conduits

Verdict

This oracle manipulation attack confirms that external data dependency remains the single most critical and under-mitigated systemic risk in the entire decentralized lending landscape.

Oracle manipulation, flash loan attack, price feed exploit, lending protocol security, smart contract vulnerability, decentralized finance risk, collateral valuation error, layer two network, Base network exploit, Optimism network, on-chain arbitrage, restaking token, liquid staking derivative Signal Acquired from ∞ coingabbar.com

Micro Crypto News Feeds

liquid staking derivatives

Definition ∞ Liquid Staking Derivatives (LSDs) are tokenized representations of staked cryptocurrencies, allowing users to retain liquidity while participating in proof-of-stake network validation.

collateral valuation

Definition ∞ Collateral valuation is the process of determining the monetary worth of assets pledged to secure a loan or other financial obligation within decentralized finance protocols.

attack vector

Definition ∞ An attack vector is a pathway or method by which malicious actors can gain unauthorized access to a system or digital asset.

collateral

Definition ∞ Collateral refers to an asset pledged by a borrower to a lender as security for a loan.

protocol

Definition ∞ A protocol is a set of rules governing data exchange or communication between systems.

oracle manipulation

Oracle Manipulation ∞ is a type of attack where the data provided by a blockchain oracle is deliberately falsified or corrupted.

price

Definition ∞ Price represents the monetary value assigned to an asset or service in exchange for other goods or services.

lending

Definition ∞ Lending in the digital asset space involves the provision of cryptocurrencies to borrowers in exchange for interest payments.

staking derivatives

Definition ∞ Staking derivatives are liquid tokens that represent staked assets on a proof-of-stake blockchain, allowing users to maintain liquidity while earning staking rewards.

oracle manipulation attack

Definition ∞ An Oracle Manipulation Attack involves deliberately falsifying or distorting external data feeds that supply information to smart contracts on a blockchain.

Tags:

Tags: