Security

Lending Protocol Moonwell Exploited via Faulty Oracle Price Feed Manipulation

A critical oracle feed error allowed an attacker to leverage flash loans, artificially inflating collateral value and draining $1 million from Moonwell lending pools.
November 11, 20253 min

A close-up view displays a sophisticated metallic mechanism, featuring a prominent central lens, partially enveloped by a vibrant blue, bubbly liquid. The intricate engineering of the device suggests a core operational component within a larger system
A striking abstract composition features clear and blue crystalline structures, white textured formations, and smooth white and silver spheres emerging from dark blue water under a clear sky. The elements are arranged centrally, creating a sense of balance and depth

Briefing

The Moonwell decentralized lending protocol on the Base and Optimism networks was compromised by a sophisticated oracle manipulation attack on November 4, 2025. This systemic failure allowed a threat actor to exploit a faulty off-chain price feed, enabling the borrowing of substantial assets against artificially inflated collateral. The attack vector, executed via a flash loan and repeated transactions, resulted in a confirmed loss of approximately $1 million in Ether and liquid staking derivatives.

The image displays vibrant blue crystalline formations, partially covered in white, snow-like granular material, intersected by polished silver rods. Several transparent, reflective spheres float around these structures, some resting on the white substance

Context

The prevailing architectural risk in DeFi lending remains the reliance on external data feeds for collateral valuation, particularly for newly deployed or complex assets like liquid staking derivatives. Despite multiple security audits, protocols often fail to implement robust, multi-source oracle validation mechanisms or sufficient heartbeat updates, leaving a critical attack surface open to price manipulation and flash loan-enabled arbitrage. This class of exploit is a known, persistent weakness in the lending sector.

An abstract, dark, multi-layered object with intricate, organic-like cutouts is depicted, covered and surrounded by a multitude of small, glowing blue and white particles. These particles appear to flow dynamically across its surface and through its internal structures, creating a sense of movement and digital interaction

Analysis

The attack vector targeted a malfunctioning off-chain oracle providing the rsETH/ETH price feed, which incorrectly reported the price of wrapped restaked ETH ( wrstETH ) at a massive overvaluation of approximately $5.8 million per token. The attacker initiated a flash loan to deposit a minimal amount of wrstETH (e.g. 0.02 wrstETH ), which the protocol’s lending contract, relying on the faulty oracle, incorrectly valued as sufficient collateral.

This allowed the actor to repeatedly borrow a disproportionate amount of assets, specifically wstETH , against the artificially inflated collateral value, effectively draining the liquidity pools on both Base and Optimism deployments. The transactions were likely executed by a Maximum Extractable Value (MEV) bot, exploiting the price discrepancy immediately.

The image showcases a dark, metallic "X" structure with bright silver accents and internal blue illumination, surrounded by translucent blue tendrils. These ethereal blue tendrils organically flow around and through the central "X" symbol, visually representing the dynamic transfer of digital assets or oracle data within a sophisticated blockchain architecture

Parameters

  • Total Loss → $1 Million → The approximate value of 295 ETH and other assets drained from the protocol.
  • Vulnerability TypeOracle Manipulation → Exploit of a faulty rsETH/ETH price feed for collateral valuation.
  • Exploited Asset → Wrapped Restaked ETH ( wrstETH ) → The token whose price was artificially inflated by the faulty oracle to enable the over-collateralized loan.
  • Chains Affected → Base and Optimism → The Layer 2 networks where the vulnerable lending contracts were deployed.

A detailed render showcases a futuristic device, primarily in metallic blue and silver with transparent azure accents. The central circular component features intricate internal structures, resembling a sophisticated engine

Outlook

Immediate mitigation requires all lending protocols to review and harden their oracle integration logic, prioritizing decentralized, time-weighted average price (TWAP) mechanisms over single-source feeds, especially for volatile or low-liquidity assets. This incident will accelerate the adoption of real-time risk monitoring systems to detect and pause anomalous collateral-to-debt ratios instantly, preventing the compounding effect of repeated flash loan transactions. The second-order effect is a renewed focus on the security of liquid staking derivatives as collateral, given their complex price derivation logic and the critical need for a robust oracle layer.

A detailed macro shot showcases a translucent blue tubular structure, housing metallic spheres connected by slender rods. The intricate system appears to be part of a larger, complex network of similar components, blurred in the background

Verdict

This oracle manipulation attack confirms that external data dependency remains the single most critical and under-mitigated systemic risk in the entire decentralized lending landscape.

Oracle manipulation, flash loan attack, price feed exploit, lending protocol security, smart contract vulnerability, decentralized finance risk, collateral valuation error, layer two network, Base network exploit, Optimism network, on-chain arbitrage, restaking token, liquid staking derivative Signal Acquired from → coingabbar.com

Micro Crypto News Feeds

liquid staking derivatives

Definition ∞ Liquid Staking Derivatives (LSDs) are tokenized representations of staked cryptocurrencies, allowing users to retain liquidity while participating in proof-of-stake network validation.

collateral valuation

Definition ∞ Collateral valuation is the process of determining the monetary worth of assets pledged to secure a loan or other financial obligation within decentralized finance protocols.

attack vector

Definition ∞ An attack vector is a pathway or method by which malicious actors can gain unauthorized access to a system or digital asset.

collateral

Definition ∞ Collateral refers to an asset pledged by a borrower to a lender as security for a loan.

protocol

Definition ∞ A protocol is a set of rules governing data exchange or communication between systems.

oracle manipulation

Oracle Manipulation ∞ is a type of attack where the data provided by a blockchain oracle is deliberately falsified or corrupted.

price

Definition ∞ Price represents the monetary value assigned to an asset or service in exchange for other goods or services.

lending

Definition ∞ Lending in the digital asset space involves the provision of cryptocurrencies to borrowers in exchange for interest payments.

staking derivatives

Definition ∞ Staking derivatives are liquid tokens that represent staked assets on a proof-of-stake blockchain, allowing users to maintain liquidity while earning staking rewards.

oracle manipulation attack

Definition ∞ An Oracle Manipulation Attack involves deliberately falsifying or distorting external data feeds that supply information to smart contracts on a blockchain.

Tags:

Tags: