Crypto: Moonwell Hit By $1.78m Exploit As AI Vibe Coding Debate Reaches DeFi

The Moonwell protocol was exploited for $1.78 million after cbETH was mispriced at $1.12 instead of about $2,200, intensifying debate around AI-co-authored smart contracts.

Moonwell, a decentralized finance (DeFi) lending protocol deployed on Base and Optimism, was exploited for about $1.78 million after a pricing oracle for Coinbase Wrapped Staked ETH (cbETH) returned a value of about $1.12 instead of $2,200, creating a mispricing that attackers were able to use for profit.

Moonwell said in an incident post-mortem that a governance proposal executed on Sunday misconfigured the cbETH oracle by using the cbETH/ETH exchange rate alone, causing the system to report cbETH at about $1.12. The protocol said liquidation bots and opportunistic borrowers exploited the mispricing, leaving roughly $1.78 million in bad debt.

The pull requests for the affected contracts show multiple commits co-authored by Anthropic’s Claude Opus 4.6, prompting security auditor Pashov to publicly flag the incident as an example of artificial intelligence-written or AI-assisted Solidity backfiring.

Speaking to Cointelegraph about the incident, he said that he had linked the case to Claude because there were multiple commits in the pull requests that were co-authored by Claude, meaning that “the developer was using Claude to write the code, and this has led to the vulnerability.”

Pashov cautioned, however, against treating the flaw as uniquely AI-driven. He described the oracle issue as the kind of mistake “even a senior Solidity developer could have made,” arguing that the real problem was a lack of sufficiently rigorous checks and end-to-end validation.

Initially, he said that he believed there had been no testing or audit at all, but later acknowledged that the team said it had unit and integration tests in a separate pull request and had commissioned an audit from Halborn.

In his view, the mispricing “could have been caught with an integration test, a proper one, integrating with the blockchain,” but he declined to criticise other security firms directly.
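The mispricing described in the post-mortem, next to the kind of pre-execution price check that would reject it, as an added Python illustration (not Moonwell's code). The feed readings, decimals, 5% tolerance, reference price source and all function names are constructed assumptions.

```python
from dataclasses import dataclass

WAD = 10**18  # assumed output scale: USD price with 18 decimals


@dataclass(frozen=True)
class Feed:
    """One feed reading: integer answer plus the decimals it is scaled by."""
    answer: int
    decimals: int


def to_wad(feed: Feed) -> int:
    """Rescale a feed answer to 18-decimal fixed point."""
    if feed.answer <= 0:
        raise ValueError("non-positive feed answer")
    return feed.answer * WAD // 10**feed.decimals


def rate_only_price(rate: Feed) -> int:
    """The misconfiguration: the cbETH/ETH exchange rate is reported as USD."""
    return to_wad(rate)


def composite_price(rate: Feed, eth_usd: Feed) -> int:
    """cbETH/USD = (cbETH/ETH) * (ETH/USD), in 18-decimal fixed point."""
    return to_wad(rate) * to_wad(eth_usd) // WAD


def check_price(price_wad: int, reference_wad: int, max_dev_bps: int = 500) -> bool:
    """Accept a configured price only if it is within max_dev_bps of an
    independent reference price (assumed to come from a second source)."""
    if reference_wad <= 0:
        raise ValueError("non-positive reference price")
    dev_bps = abs(price_wad - reference_wad) * 10_000 // reference_wad
    return dev_bps <= max_dev_bps


# Constructed sample readings chosen to match the figures in the article.
CBETH_ETH = Feed(answer=1_120_000_000_000_000_000, decimals=18)  # 1.12 ETH
ETH_USD = Feed(answer=196_429_000_000, decimals=8)               # 1964.29 USD
REFERENCE = 2_200 * WAD                                          # about $2,200

if __name__ == "__main__":
    for name, price in (("rate only", rate_only_price(CBETH_ETH)),
                        ("composite", composite_price(CBETH_ETH, ETH_USD))):
        verdict = "accept" if check_price(price, REFERENCE) else "reject"
        print(f"{name}: ${price / WAD:,.2f} -> {verdict}")
```

Run against a fork or simulation of the proposed configuration, a check of this shape fails before the proposal executes rather than after positions are opened against the bad price.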

The dollar amount of the exploit is small compared to some of DeFi’s largest incidents, such as the Ronin bridge exploit in March 2022, where attackers stole more than $600 million, or other nine-figure bridge and lending protocol hacks.

Source: CoinTelegraph