In short
- A misconfigured oracle priced cbETH at about $1 as a substitute of roughly $2,200.
- Liquidations seized 1,096.317 cbETH and worn out borrower collateral.
- The protocol was left with $1.78 million in unhealthy debt pending a governance repair.
A Sunday morning pricing glitch changed into a multimillion-dollar headache for the DeFi lending platform Moonwell, after a “misconfigured oracle” briefly valued Coinbase Wrapped ETH (cbETH) at simply $1.
The pricing error effected brought about a 99.9% low cost from the asset’s precise market worth of roughly $2,200. The error triggered a wave of liquidations, finally leaving the platform with roughly $1.78 million in unhealthy debt.
“As soon as recognized, our danger supervisor @anthiasxyz moved rapidly to cut back the cbETH borrow cap to 0.01 to include additional danger to the protocol,” Moonwell wrote on X on Monday. “The provision cap was additionally decreased to 0.01 to forestall new customers from unknowingly supplying to the affected market.”
In a Moonwell discussion board put up on Monday, danger administration agency Anthias Labs reported the error occurred at 6:01 PM UTC on February 15, when the Moonwell DAO governance proposal, MIP-X43, was executed, enabling Chainlink OEV wrapper contracts throughout markets on Base and Optimism. Considered one of these oracles was misconfigured and failed to cost cbETH’s USD worth appropriately.
Moonwell mentioned that as a substitute of multiplying the cbETH/ETH feed by the ETH/USD worth, the system used solely the uncooked cbETH/ETH trade charge. Because of this, the oracle reported cbETH at round $1.12.
Buying and selling bots started concentrating on cbETH collateral positions, and since the system believed cbETH was value simply over $1, liquidators have been capable of repay roughly $1 of debt to grab a complete of 1,096.317 cbETH, the corporate mentioned.
“This worn out most or all the cbETH collateral for a lot of debtors, whereas leaving substantial unhealthy debt on their positions for the reason that repaid quantity was far under the precise borrowed worth,” Anthias Labs wrote.
The distorted pricing additionally enabled exploitation.
“A smaller variety of customers exploited the distorted pricing to provide minimal collateral, massively over-borrow cbETH on the artificially low reported worth, and immediately generate extra unhealthy debt denominated in cbETH,” the agency added.
Whereas the misconfigured Oracle took a lot of the blame, customers on X started circulating photographs of the MIP-X43 as being co-authored by Claude Opus 4.6, with some calling it a “vibe coding” error.
When requested by Decrypt concerning the error and ensuing exploit, Moonwell spokesperson declined to remark.
General, Moonwell was left with $1,779,044 in whole unhealthy debt throughout varied markets, based on the put up.
In line with Moonwell, a forthcoming governance vote will handle the oracle configuration following the required timelock interval.
Moonwell is the most recent in a rising listing of DeFi initiatives exploited because of misconfigured oracles. In December, Ribbon Finance misplaced about $2.7 million after a decimal mismatch in an oracle improve distorted asset pricing and enabled over-collateralization.
In January, DeFi platform Makina Finance was exploited through flash-loan-driven oracle manipulation, permitting an attacker to extract roughly $4 million in ETH.
Day by day Debrief Publication
Begin daily with the highest information tales proper now, plus unique options, a podcast, movies and extra.