Moonwell’s ‘vibe-coded’ oracle in $1.8M blowup

It was only a matter of time before “vibe-coded” smart contracts led to a significant loss of funds and on Sunday, an oracle misconfiguration led to users of DeFi lending platform Moonwell being liquidated for a total of 1,096 Coinbase Wrapped Staked Ether (cbETH).

The protocol was also saddled with $1.8 million worth of bad debt as a result.

The error was introduced in pull request 578, submitted by Moonwell core contributor “anajuliabit” and co-authored by Claude Opus 4.6.

Including this incident, Moonwell has suffered three oracle malfunctions in the past six months, leading to over $7 million in bad debt.

Read more: Claude AI plugins can now vibe code smart contracts

cbETH = $1.12

Moonwell’s post-mortem report states that, this time, the issue lies in calculating the dollar price of cbETH.

“The oracle used only the raw cbETH/ETH exchange rate. This misconfiguration caused the oracle to report cbETH’s price as approximately $1.12 (reflecting the cbETH/ETH ratio of ~1.12) rather than the intended market value of roughly $2,200,” the report explains.

As a result, the error “wiped out most or all of the cbETH collateral for many borrowers.”

A total of 1,096 cbETH was liquidated. In turn, $1.78 million worth of bad debt was generated for the protocol.

Monitoring systems picked up the discrepancy and strict borrow and supply caps were set to prevent further interaction.

Despite this, liquidation of existing positions continued. Any oracle correction requires “a five-day governance voting and timelock period, which could not be bypassed.”

Trading Strategy’s Mikko Ohtamaa pointed out that “regardless of whether the code is written by an AI or by a human, these kinds of errors are caught in an automated integration test suite.”

He highlights that Claude can even write these tests itself, but that in this case “there was no test case for price sanity.”

Others highlighted the contributor’s GitHub profile which shows an extremely high workrate, over 1,000 commits in the past week.

Read more: Clawdbot creator Peter Steinberger: ‘Crypto folks, stop harassing me’

The dark side of the moon

Moonwell is a lending protocol active on the Base, Optimism, and Moonbeam networks. It holds around $90 million in total value locked (TVL), according to DeFiLlama data, down from a peak of $380 million in August last year.

Since then, the project has suffered a number of hiccups.

DeFi commentary account “Yieldsandmore” details two further incidents in recent months. The first came during last year’s infamous October 10 crash, when a pricing discrepancy between Chainlink feeds and decentralized exchanges on Base led to $12 million in liquidations and $1.7 million of bad debt.

The second came less than a month later, on November 4, when the $129 million Balancer hack had a knock on effect on Moonwell’s market-based wrsETH/ETH oracle, leading to $3.7 million of bad debt.

The two incidents were apparently exploited by the same attacker, who is “clearly constantly scanning Moonwell for extractable value.”

Previously, 2022’s $190 million Nomad Bridge hack devastated the protocol’s Moonbeam deployment, its sole instance at the time.

The incident saw TVL drop 80%, from over $100 million to just $21 million.

Got a tip? Send us an email securely via Protos Leaks. For more informed news, follow us on X, Bluesky, and Google News, or subscribe to our YouTube channel.