Moonwell Loses $1M in Flash Loan Exploit Due to Chainlink Oracle Flaw – WELL Token Crashes 15%
- How Did the Moonwell Exploit Unfold?
- Moonwell's Troubled Security History
- The Aftermath: WELL Token Crash and Bank Run
- FAQ: Your Moonwell Hack Questions Answered
DeFi lending protocol Moonwell suffered a $1 million exploit on November 4, 2025, after attackers manipulated flawed price data from chainlink oracles. The hack, which involved borrowing undervalued wrapped ETH (wrstETH), marks Moonwell's fourth major security incident in three years. The WELL token plunged 15% post-exploit, while users rushed to withdraw funds from Moonwell's vaults - mirroring similar bank runs seen after recent hacks like Balancer's. Here's our deep dive into what went wrong and why oracle reliability remains DeFi's Achilles' heel.
How Did the Moonwell Exploit Unfold?
BlockSec Phantom first detected suspicious outflows from Moonwell's Base and Optimism deployments around 20:00 UTC on November 4. Their analysis revealed the attacker exploited a pricing discrepancy in rsETH/ETH feeds from an off-chain oracle - likely using MEV bots to maximize gains. "The hacker borrowed 20 wstETH against just 0.00002 wrstETH collateral," explained a BTCC market analyst. "That's like getting a million-dollar loan by putting up a candy bar as collateral."
The root cause? Chainlink's oracle temporarily reported wrstETH's price at a ridiculous $5.8 million per token instead of its actual ~$1,800 value. This allowed the attacker to execute flash loans repeatedly within a single block, ultimately pocketing 295 ETH ($1M at current prices). Ironically, this happened just 24 hours after Balancer's $2 million hack - making November 2025 one of DeFi's worst 48 hours since the 2022 bridge attack season.
Moonwell's Troubled Security History
Moonwell isn't new to exploits. The Compound V2 fork has now suffered four major incidents:
| Date | Incident | Loss |
|---|---|---|
| Oct 10, 2025 | Bad debt accumulation | $1.7M |
| Dec 2024 | Flash loan attack | $320K |
| 2022 | Cross-chain bridge exploit | Undisclosed |
| Nov 4, 2025 | Oracle manipulation | $1M |
"Each exploit follows a pattern - Moonwell inherits Compound's vulnerabilities but lacks its security budget," noted DeFi researcher Maya B. The protocol's TVL has dropped from $213M to $186M (per CoinMarketCap) since October as users lose confidence.
The Aftermath: WELL Token Crash and Bank Run
Within hours of the exploit, WELL token prices nosedived 15% to $0.011. But the real damage was in Moonwell's stablecoin vaults, where APYs spiked to 168% as panicked users yanked out USDC. "It's textbook DeFi contagion," said our BTCC analyst. "One protocol bleeds, and suddenly everyone remembers their funds aren't FDIC-insured."
What's particularly embarrassing? On-chain data suggests a nearly identical attack may have occurred on October 10 but went unnoticed. The protocol's delayed response (they stayed silent for 8+ hours) hasn't helped restore trust either.
FAQ: Your Moonwell Hack Questions Answered
How did Chainlink's oracle get the price so wrong?
The exact technical failure remains unclear, but Chainlink's wrstETH feed apparently returned a price 3,000x higher than actual market rates on CoinGecko. This isn't Chainlink's first oracle mishap - remember the 2023 Mango Markets exploit?
Could this have been prevented?
Absolutely. Using multiple oracle providers (like Pyth or Uniswap V3 TWAPs) as backup could've flagged the anomaly. Moonwell's October audit somehow missed this single-point-of-failure risk.
Is my money safe on Moonwell now?
This article does not constitute investment advice. That said, the protocol's track record suggests caution. Their TVL keeps dropping while competitors like Aave V3 have zero oracle-related hacks.
