Briefing

The Moonwell lending protocol on the Base L2 suffered a critical economic exploit that leveraged a transient malfunction in its external price oracle. This systemic failure resulted in the immediate accrual of significant bad debt and a rapid $55 million outflow from the protocol’s Total Value Locked (TVL) as users withdrew assets. The attack vector was predicated on the oracle incorrectly valuing a minimal 0.02 wrstETH deposit at $5.8 million, enabling the attacker to repeatedly borrow and net a total profit of approximately $1.01 million (292 ETH). The incident confirms that even minor oracle data errors present a major economic attack surface for collateralized lending platforms.


Context

Lending protocols inherently face oracle dependency risk, where collateral valuation is outsourced to external data feeds, creating a single point of failure for economic security. This incident follows a known pattern of oracle-based exploits, particularly in forks of legacy protocols, which often lack robust, time-weighted average price (TWAP) mechanisms or circuit breakers to validate extreme price deviations. The protocol’s prior decision to eliminate its bug bounty program also signaled a reduced incentive for proactive, white-hat vulnerability disclosure, increasing the probability of a successful attack.


Analysis

The compromise originated from a temporary data feed error in the Chainlink oracle for wrstETH, which inflated the asset’s value by several orders of magnitude. The attacker initiated a flash loan to acquire a negligible amount of the token, which was then deposited as collateral into the Moonwell contract. Due to the oracle’s erroneous $5.8 million valuation, the protocol’s internal logic permitted the attacker to borrow over 20 wstETH, far exceeding the true collateral value, before the oracle corrected its feed. This operation was successfully repeated across seven rapid transactions, exploiting the window of vulnerability and bypassing standard liquidation checks within a single block execution environment.


Parameters

  • Total Funds Lost (Attacker Profit) → ~$1.01 Million – The net profit extracted by the threat actor in ETH and other assets.
  • Collateral Misvaluation → $5.8 Million – The temporary, inflated price for 0.02 wrstETH reported by the compromised oracle.
  • Accrued Bad Debt → $3.7 Million – The total shortfall in collateral value left in the protocol’s reserves.
  • TVL Drop → $55 Million – The immediate capital flight from the protocol following the disclosure.


Outlook

Immediate mitigation requires all lending protocols utilizing external price feeds for volatile or low-liquidity assets to implement robust circuit breakers and sanity checks against extreme price divergence. The contagion risk is moderate, primarily affecting other Compound V2 forks or protocols relying on similar single-source oracle architectures without TWAP or decentralized validation layers. This incident reinforces the emerging standard that protocol solvency must be protected by internal, decentralized risk parameters that cannot be unilaterally overridden by a single external data feed, regardless of its reputation.
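The deviation circuit breaker recommended above can be modelled in a few lines. This is an added example in Python, not Moonwell's or Chainlink's code: it models a check that would live on-chain and shows the borrowing power a raw feed grants against the page's 0.02 wrstETH deposit versus a guarded feed. Assumptions: the name `GuardedFeed`, the $3,500 last sane price, the 0.8 collateral factor and the 20% deviation bound are constructed for illustration; only the 0.02 deposit and the $5.8 million valuation come from the page.

```python
from dataclasses import dataclass
from decimal import Decimal

# Only DEPOSIT and the $5.8M valuation are from the page; the rest is constructed.
DEPOSIT = Decimal("0.02")                    # wrstETH posted as collateral
BAD_PRICE = Decimal("5800000") / DEPOSIT     # per-token USD price implied by the bad feed
ASSUMED_PRICE = Decimal("3500")              # assumption: last sane per-token USD price
COLLATERAL_FACTOR = Decimal("0.8")           # assumption: illustrative risk parameter


@dataclass
class GuardedFeed:
    """Hypothetical wrapper that refuses implausible feed updates."""
    last_good: Decimal
    max_deviation: Decimal = Decimal("0.20")  # assumption: reject moves above 20%
    paused: bool = False

    def update(self, reported: Decimal) -> None:
        """Accept a feed update, or pause the market on an implausible one."""
        if reported <= 0:
            self.paused = True
            return
        move = abs(reported - self.last_good) / self.last_good
        if move > self.max_deviation:
            self.paused = True   # stays paused until an explicit review and reset
            return
        self.last_good = reported

    def borrow_limit_usd(self, amount: Decimal, factor: Decimal) -> Decimal:
        """Borrowing power against `amount` of collateral; zero while paused."""
        if self.paused:
            return Decimal("0")
        return amount * self.last_good * factor


def unguarded_limit_usd(amount: Decimal, reported: Decimal, factor: Decimal) -> Decimal:
    """Borrowing power when the protocol trusts the raw feed value."""
    return amount * reported * factor


def simulate_incident(attempts: int = 7) -> list:
    """Apply the bad update once, then evaluate `attempts` borrow requests."""
    feed = GuardedFeed(last_good=ASSUMED_PRICE)
    feed.update(BAD_PRICE)
    return [feed.borrow_limit_usd(DEPOSIT, COLLATERAL_FACTOR) for _ in range(attempts)]
```

Because the breaker latches rather than re-evaluating on every call, each of the repeated borrow requests in the same window is refused, not just the first.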


Verdict

This exploit serves as a definitive validation that even industry-leading oracle infrastructure is susceptible to transient data errors, necessitating a mandatory shift toward multi-layered, on-chain risk mitigation checks within all lending protocol smart contracts.

Signal Acquired from → ambcrypto.com
