Moonwell Suffers $1.78M Loss After cbETH Oracle Mispricing on Base

7h ago•

Crypto2Community

bullish:

bearish:

Highlights:

Moonwell suffered a $1.78M loss after a governance update mispriced cbETH on Base.
AI-assisted commits appeared in the pull request, but auditors said the flaw was a configuration error.
cbETH Oracle mispricing triggered rapid liquidations after the system valued the token near $1.

Moonwell disclosed a $1.78 million loss after a governance update disrupted pricing in its cbETH market on Base. The protocol detailed the event in a postmortem on its governance forum. The issue began when proposal MIP-X43 activated Chainlink OEV wrapper contracts across core markets. Shortly after execution, the system began returning an incorrect value for Coinbase Wrapped Staked ETH.

Moonwell lost $1.78M due to a smart contract bug reportedly introduced in AI-generated code.

The vulnerable logic was generated by Claude Opus 4.6. A flaw in the oracle formula caused cbETH to be priced at $1.12 instead of $2,200, opening the door for exploitation.

Commits in… pic.twitter.com/4xG5AxZWA4

— Web3 Antivirus (@web3_antivirus) February 18, 2026

The configuration relied only on the cbETH to ETH exchange rate. It did not multiply that figure by the ETH to USD price feed. As a result, the protocol displayed cbETH at roughly $1.12 instead of near $2,200. The pricing shift altered collateral values across the affected pool within minutes.

Liquidation bots were fast. They gave back little of the debt and claimed much of the collateral. The system registered cbETH at close to one dollar, making borrowers unable to sustain necessary ratios. Overall, liquidators uncovered 1,096.317 cbETH of market positions. The activity resulted in bad debt of $1,779,044.83 on various assets, the majority of which is on cbETH.

Moonwell claimed that the imbalance was detected by monitoring systems soon after the update. The team cut supply and borrow limits in the cbETH Core Market on Base to 0.01. That move prevented new borrowing and further collateral deposits.

AI-Written Code and Missed Checks Raise Questions

The pull request associated with the configuration change shows multiple commits co-authored by Claude Opus 4.6. Security auditor Pashov referenced those commits in a public discussion. He said the developer used AI assistance when writing parts of the affected code. He linked that workflow to the vulnerability.

Claude Opus 4.6 wrote vulnerable code, leading to a smart contract exploit with $1.78M loss

cbETH asset's price was set to $1.12 instead of ~$2,200. The PRs of the project show commits were co-authored by Claude – Is this the first hack of vibe-coded Solidity code? pic.twitter.com/4p78ZZvd67

— pashov (@pashov) February 17, 2026

Pashov later clarified that the flaw did not represent a new class of exploit. He described the issue as a pricing configuration error. According to him, even a senior Solidity developer could have introduced the same mistake. He initially believed the deployment lacked testing or audit coverage. Later, he acknowledged that the team said it conducted unit and integration tests in a separate pull request.

Moonwell also confirmed that Halborn completed an audit before deployment. Pashov said a proper integration test connected to live blockchain data could have detected the incorrect USD derivation. The formula failed to combine the cbETH to ETH rate with the ETH to USD feed. That omission allowed the system to publish an incomplete price. Moonwell did not attribute the incident directly to AI-generated code.

Moonwell $1.78M Loss Adds to DeFi’s History of Pricing Errors

The monetary blow at Moonwell is not as huge as certain previous events in decentralized finance. Attackers removed over half a billion dollars from the Ronin bridge in March 2022. The incident was caused by an invalid Oracle configuration and not a breach of validator keys.

A Chainlink pricing discrepancy affected AERO, VIRTUAL, and MORPHO markets in October. That interruption generated over $12 million in liquidations and approximately $1.7 million in bad debt. A malfunction in a wrsETH oracle in November added skewed exchange rate information to lending pools. The pricing problem led to losses amounting to approximately $3.7 million.

Previously, in April, Term Finance had a configuration issue that led to approximately $1.6 million of inappropriate liquidations. The protocol eventually retrieved approximately $1 million of that. In the case of Moonwell, there was no evidence of external interference in the price feeds. The mismatch arose in the course of an internal governance update.