The Moonwell exploit in November 2025 involved a flaw in oracle pricing data, leading to approximately $1 million in losses from unauthorized borrowing of wrapped ETH variants on Base and Optimism chains just one day after the Balancer hack.
-
Exploit Mechanism: Attackers manipulated off-chain oracle feeds from Chainlink, creating artificial price disparities for tokens like rsETH and ETH.
-
Suspicious outflows detected by BlockSec Phantom highlighted smart contract vulnerabilities on multiple chains.
-
Impact included a 15% crash in the WELL token price to $0.011, alongside a bank run on stablecoin vaults with APY spiking to 168%.
Moonwell exploit exposes oracle risks in DeFi lending: $1M loss via pricing flaws on Base and Optimism. WELL token crashes 15%. Learn key details and prevention strategies now.
What Is the Moonwell Exploit and How Did It Occur?
The Moonwell exploit refers to a security breach in the multi-chain lending protocol Moonwell, where attackers exploited flawed oracle data to siphon around $1 million in assets. This incident unfolded on November 4, 2025, targeting smart contracts on the Base and Optimism networks, shortly after the larger Balancer hack. By manipulating price feeds for wrapped ETH tokens, the attacker executed flash loans and rapid trades, capitalizing on discrepancies between collateral values and borrowing rates.
How Did Flawed Oracles Enable the Moonwell Hack?
The core vulnerability stemmed from an off-chain oracle, reportedly supplied by Chainlink, which returned erroneous pricing—valuing wrstETH at an inflated $5.8 million per token. This allowed the exploiter to borrow significant amounts of wstETH using minimal collateral, such as 0.00002 wrstETH for 20 wstETH. In subsequent transactions within the same block, the attacker traded these assets for a profit of 295 ETH, repaying the loans without repercussions due to the manipulated data. Security firm BlockSec Phantom first alerted the community via their analysis, noting the involvement of a possible MEV bot. As stated in their report, “Our system detected a series of suspicious transactions targeting MoonwellDeFi’s smart contracts on Base and Optimism, indicating an issue with the token price (rsETH / ETH) feed from the off-chain oracle.” This event underscores persistent risks in decentralized finance, where even established oracle providers like Chainlink can falter under specific conditions. Historical data from on-chain explorers confirms similar patterns in prior Moonwell incidents, emphasizing the need for diversified oracle integrations to mitigate single points of failure. Despite Moonwell’s claims of multiple security audits, this exploit highlights gaps in real-time price verification mechanisms.
Frequently Asked Questions
What Are the Total Losses from the Moonwell Exploit in 2025?
The Moonwell exploit resulted in estimated losses of $1 million, primarily through unauthorized borrowing and trading of wrapped ETH tokens like wstETH. This figure accounts for the 295 ETH gained by the attacker, based on on-chain transaction data from Base and Optimism. The incident adds to Moonwell’s history of vulnerabilities, but no user funds beyond the exploited liquidity pools were directly affected.
Why Did the WELL Token Price Drop After the Moonwell Hack?
Following the Moonwell hack alert, the native WELL token experienced a sharp decline of over 15%, trading down to $0.011 amid widespread panic selling. This reaction mirrors typical DeFi exploit aftermaths, where eroded investor confidence leads to token devaluation and liquidity outflows. Users rushed to withdraw USDC from stablecoin vaults, causing borrowing rates to surge to 168% APY as supply tightened.
Key Takeaways
- Oracle Reliability Is Critical: Even trusted providers like Chainlink can introduce risks through off-chain data feeds, as seen in the manipulated rsETH/ETH pricing that enabled the exploit.
- Protocol History Matters: Moonwell’s fourth major incident in three years, including a $1.7 million bad loan in October 2025 and a $320,000 flash loan attack in December 2024, reveals inherited vulnerabilities from its Compound V2 fork.
- Reputation Damage Amplifies Losses: Beyond the $1 million direct theft, the WELL token crash and bank run on vaults inflicted broader economic harm, urging protocols to prioritize rapid incident response and transparency.
Conclusion
The Moonwell exploit in 2025 serves as a stark reminder of the fragility in DeFi lending protocols, particularly regarding oracle data integrity and smart contract security on chains like Base and Optimism. With $213 million in total value locked prior to the hack, Moonwell’s repeated vulnerabilities—now totaling four significant events—highlight the ongoing challenges in the Ethereum ecosystem as it scales to handle larger transactions. As the DeFi space evolves, protocols must invest in robust, multi-oracle systems and proactive monitoring to rebuild trust. Staying informed on these developments can help investors and users make safer decisions in the volatile crypto landscape.
Moonwell, a multi-chain lending protocol operating on networks including Base, Optimism, Moonbeam, and Moonriver, has long been a player in the DeFi arena since its inception. Forked from the established Compound V2 framework, it offers users the ability to lend and borrow assets across these chains, amassing $213 million in vaults by November 2025. However, this structure has not shielded it from exploits, as evidenced by the recent incident detected by BlockSec Phantom.
ALERT! Our system detected a series of suspicious transactions targeting MoonwellDeFi’s smart contracts on Base and Optimism. Our analysis indicates an issue with the token price (rsETH / ETH) feed from the off-chain oracle, which was exploited — possibly by a MEV bot —… pic.twitter.com/cNJFHI3xn3
— BlockSec Phalcon (Phalcon_xyz) November 4, 2025
The attacker’s strategy was methodical: leveraging the price disparity to initiate flash loans, borrow inflated assets, and execute trades that netted substantial gains before repaying in the same transaction block. This low-collateral, high-reward approach exploited the oracle’s momentary lapse, where wrstETH appeared undervalued against wstETH. On-chain records show the hacker repeated this process multiple times, culminating in a haul of 295 ETH, equivalent to the $1 million loss.
Moonwell’s history of security challenges dates back to 2022, when a bridge exploit indirectly impacted its operations. More recently, a December 2024 flash loan attack drained $320,000, followed by the October 10, 2025, bad loan incident that cost $1.7 million—eerily similar to the current oracle flaw. On-chain sleuthing now reveals an undetected prior attack mirroring this one, siphoning 269 ETH through comparable pricing errors, which went unnoticed by both the team and external researchers.
The aftermath extended beyond immediate financial hits. The WELL token’s plunge eroded market confidence, triggering a cascade of withdrawals from USDC pools and inflating yields to unsustainable levels. Moonwell’s team remained silent for hours post-exploit, a delay that exacerbated the bank run. Although the protocol touts extensive audits from reputable firms, these events question their efficacy against evolving threats like MEV bots and oracle manipulations.
In the broader context, this Moonwell hack follows closely on the heels of the Balancer incident, signaling a potentially riskier phase for Ethereum-based DeFi despite declining overall attack volumes. Experts, including those from PeckShield, have long advocated for hybrid oracle models combining on-chain and off-chain data to prevent such single-source failures. As DeFi matures, incidents like this reinforce the importance of vigilant security practices, transparent communication, and community-driven oversight to safeguard user assets in an increasingly interconnected ecosystem.
Looking ahead, Moonwell may need to implement oracle diversification, enhanced flash loan protections, and real-time anomaly detection to restore stability. For the crypto community, this exploit underscores a fundamental truth: in DeFi, where code is law, the reliability of price oracles remains a cornerstone of trust. Investors should monitor protocol updates closely and consider diversified exposure to mitigate risks from any single platform.
