DeFi protocol Moonwell lost about $1.78 million after a smart contract vulnerability allowed an attacker to manipulate oracle data and drain funds.

Incident details

According to auditor pashov, the vulnerable code fragment was generated by the model Claude Opus 4.6 and later committed into the project repository.

A flaw in the oracle formula caused the cbETH price to be reported as $1.12 instead of the approximate market value of ~$2,200, creating a wide valuation gap.

This discrepancy allowed an attacker to manipulate protocol logic, execute operations at the misreported price and withdraw approximately $1.78 million from liquidity pools.

Commits in the project repository list Claude as a co-author of some changes, and the episode has been noted in coverage as an early breach linked to generated Solidity code.

Technical note

cbETH is a wrapped staking token representing staked Ether on Coinbase and is used in DeFi protocols as a staking derivative asset that relies on external price feeds.

The occurrence underscores the risks of integrating machine-generated code without layered checks, since subtle logic errors in pricing formulas can have immediate financial consequences.

Teams should not merge unreviewed machine-generated code into production; audits, automated testing and strict code review processes reduce such operational risks.

The incident is under investigation, and auditor pashov provided the initial public technical report identifying the vulnerable code and the attack vector.