DeFi lender Moonwell hit by $1M exploit tied to Chainlink data error

Moonwell, a multi-chain lending protocol, was exploited through flawed oracles and pricing data. The platform lost around $1M just a day after the larger Balancer hack. 

Moonwell, the multi-chain lending protocol, was exploited through flawed oracle data. The estimated losses were just $1M, arriving a day after the bigger Balancer hack. 

BlockSec Phantom detected a series of suspicious outflows from the protocol, alerting to a potential smart contract exploit. 

ALERT! Our system detected a series of suspicious transactions targeting @MoonwellDeFi’s smart contracts on #Base and #Optimism. Our analysis indicates an issue with the token price (rsETH / ETH) feed from the off-chain oracle, which was exploited — possibly by a MEV bot —… pic.twitter.com/cNJFHI3xn3

— BlockSec Phalcon (@Phalcon_xyz) November 4, 2025

The exploiter used a pricing flaw to borrow and trade specific types of wrapped ETH. The exploit depended on a price disparity for borrowing 20 wstETH against only 0.00002 wrstETH. The hacker pocketed the difference when trading, for a total of 295 ETH in gains. 

The low collateral generated immediate transactions of wstETH, while the loan was repaid in the same block. The flawed price was supplied by an off-chain oracle. 

The hacker was capable of exploiting the contract, as the oracle returned a price of $5.8M per wrstETH. Based on transaction data, Moonwell used ChainLink, which apparently made the pricing mistake. 

The hacker just had to use the favorable conditions for a flash loan and repeat several times to complete the exploit. The exploit sets the bigger issue of oracle reliability, even coming from the market leader ChainLink. 

Moonwell marks fourth significant exploit

Moonwell is a relatively old DeFi protocol, spread across multiple chains. As of November 2025, the protocol held $213M in its lending vaults. Moonwell uses Base, Optimism, Moonbeam, and Moonriver networks. 

The protocol has seen previous attacks, with four exploits in the past three years. Moonwell is a fork of Compound V2, inheriting some of the protocol’s problems. 

Previously, Moonwell suffered a bad loan incident on October 10, losing $1.7M. In December 2024, the protocol saw another flash loan exploit for $320K. In 2022, Moonwell suffered losses due to a bridge exploit, which affected the protocol. 

WELL token crashes after exploit

Moonwell’s native WELL token crashed after the news of the exploit. WELL lost over 15% to $0.011. As with other hacks, the losses from broken reputation and token crashes are even bigger than the exploit itself. 

The exploit brought a loss of reputation for Moonwell, causing a bank run on its stablecoin vaults. Users withdrew their USDC, causing effective APY to spike as high as 168%. The run from Moonwell vaults follows withdrawals from Balancer on Monday. 

Moonwell’s team did not comment on the hack for hours after the incident. The current exploit is seen as similar to the one on October 10, which means the protocol did not implement a fix. On-chain data shows a similar attack may have happened, taking 269 ETH through flawed pricing, but neither the team nor researchers noticed the withdrawals at that time. 

Moonwell claims to have undergone multiple security audits, but this did not prevent the additional hack. Despite the lower level of attacks against Web3 protocols, the recent events show the Ethereum ecosystem may hold risks when tasked with securing more value and bigger trades.

Get up to $30,050 in trading rewards when you join Bybit today