Moonwell $1.78M exploit from cbETH oracle error fuels AI debate


Moonwell, a decentralized finance (DeFi) lending protocol operating on Base and Optimism, was exploited for approximately $1.78 million after its pricing oracle for Coinbase Wrapped Staked ETH (cbETH) reported a value near $1.12 instead of roughly $2,200. Attackers leveraged the mispricing to extract funds, according to an incident post-mortem.

The post-mortem stated that a governance proposal executed on Sunday misconfigured the cbETH oracle: the feed relied solely on the cbETH/ETH exchange rate (about 1.12 ETH per cbETH) and never multiplied it by an ETH/USD price, so the protocol treated the ratio itself as a dollar value and priced cbETH at roughly $1.12. Liquidation bots and opportunistic borrowers capitalized on the discrepancy, leaving the protocol with around $1.78 million in bad debt.

Pull requests for the affected contracts include multiple commits co-authored by Anthropic’s Claude Opus 4.6. Security auditor Pashov flagged the case as an example of the risks of AI-written or AI-assisted Solidity, noting that the commits suggested the developer used Claude to generate code that contributed to the vulnerability. Pashov published his observations in a post on X.

Pashov emphasized, however, that the flaw should not be viewed as exclusively AI-driven. He described the oracle misconfiguration as an error that “even a senior Solidity developer could have made,” pointing instead to insufficiently rigorous checks and end-to-end validation as the underlying issue.

He initially believed the code had not undergone testing or audit but later acknowledged the team’s statement that unit and integration tests existed in a separate pull request and that an audit had been commissioned from Halborn.

In his assessment, the mispricing could have been caught with a robust integration test interfacing with the blockchain. He declined to comment on other security firms directly.
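The mechanics described in the post-mortem, and the kind of integration-style check Pashov says would have caught it, are easy to show in a few lines. The following is an added illustration written for this article, not Moonwell’s contract code or anything from the audit: the feed values, the position sizes and the 20% deviation threshold are constructed, and the functions are hypothetical stand-ins for on-chain oracle and lending-pool logic. It composes the cbETH/ETH rate with an ETH/USD price the correct way, shows the misconfigured variant that returns the bare exchange rate, and runs a sanity check that rejects the bad price because it sits nowhere near the ETH/USD reference it should track.

```python
"""Composite price feed: the cbETH oracle error and a check that catches it.

Added example for illustration; not Moonwell's code. All numbers are
constructed sample readings, not live market data.
"""

WAD = 10**18  # 18-decimal fixed point, the usual convention for EVM price feeds

# Constructed sample readings (assumptions, not on-chain values).
CBETH_PER_ETH_RATE = 112 * WAD // 100  # cbETH/ETH exchange rate: 1.12 ETH per cbETH
ETH_USD = 2000 * WAD                   # ETH/USD reference price: $2,000


def exchange_rate_only_price(rate_wad: int) -> int:
    """Misconfigured composition: the cbETH/ETH ratio is returned as if it were a USD price.

    With a 1.12 ratio this yields a "price" of $1.12 per cbETH.
    """
    return rate_wad


def composite_price(rate_wad: int, base_usd_wad: int) -> int:
    """Correct composition: (cbETH/ETH) * (ETH/USD), staying in 18-decimal fixed point."""
    return rate_wad * base_usd_wad // WAD


def sanity_check(asset_usd_wad: int, reference_usd_wad: int, max_deviation_bps: int = 2000) -> bool:
    """Accept a derived price only if it is within max_deviation_bps of a reference.

    For a liquid staking derivative the reference is the underlying (ETH/USD):
    cbETH should trade within a modest premium of ETH, so a value three orders
    of magnitude away is a configuration error, not a market move.
    """
    diff = abs(asset_usd_wad - reference_usd_wad)
    return diff * 10_000 <= reference_usd_wad * max_deviation_bps


def is_healthy(collateral_amount_wad: int, collateral_price_wad: int,
               debt_usd_wad: int, liq_threshold_bps: int = 8000) -> bool:
    """Simplified lending-pool health test (hypothetical, not Moonwell's risk math).

    A position is healthy while collateral value * liquidation threshold covers
    the debt; otherwise liquidation bots can seize the collateral.
    """
    collateral_usd_wad = collateral_amount_wad * collateral_price_wad // WAD
    return collateral_usd_wad * liq_threshold_bps // 10_000 >= debt_usd_wad


def usd(value_wad: int) -> float:
    """Render an 18-decimal fixed-point USD amount for display."""
    return value_wad / WAD


if __name__ == "__main__":
    good = composite_price(CBETH_PER_ETH_RATE, ETH_USD)
    bad = exchange_rate_only_price(CBETH_PER_ETH_RATE)
    print(f"correct cbETH price:   ${usd(good):,.2f}  sanity check: {sanity_check(good, ETH_USD)}")
    print(f"misconfigured price:   ${usd(bad):,.2f}     sanity check: {sanity_check(bad, ETH_USD)}")

    # Constructed position: 10 cbETH posted as collateral against $15,000 of stablecoin debt.
    collateral, debt = 10 * WAD, 15_000 * WAD
    print(f"healthy at correct price:       {is_healthy(collateral, good, debt)}")
    print(f"healthy at misconfigured price: {is_healthy(collateral, bad, debt)}")
```

The `is_healthy` calls show why the loss lands as bad debt: at the correct price the constructed position is comfortably collateralized, while at $1.12 per cbETH the same 10 cbETH is worth about eleven dollars against a $15,000 debt, so liquidators can take the collateral and the remaining debt is uncovered. The `sanity_check` is the kind of assertion an integration test against a forked chain would make against the deployed oracle before a proposal is executed, rather than a unit test that only checks the ratio arithmetic in isolation.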

Moonwell exploit happened due to vulnerable code as reported by Pashov

Small loss, broader governance considerations

The dollar value of the incident is modest relative to some of DeFi’s largest exploits, such as the March 2022 Ronin bridge breach exceeding $600 million and other nine-figure bridge or lending protocol hacks. The Moonwell case stands out due to the combination of AI co-authorship, a fundamental price configuration error on a key asset, and audits and tests that did not detect the issue.

Pashov said his firm does not plan to overhaul its review process. However, when code appears “vibe coded,” his team will approach it with heightened scrutiny and anticipate a higher incidence of straightforward issues, even though this oracle bug “was not that easy” to identify.

“Vibe coding” versus structured AI development

Fraser Edwards, co-founder and CEO of cheqd, said the “vibe coding” debate reflects two distinct approaches to AI in software development.

On one side are non-technical founders prompting AI to generate code they cannot independently evaluate; on the other are experienced engineers using AI to accelerate refactoring, explore design patterns, and expand testing within a mature development lifecycle.

Edwards noted that AI-assisted development can be useful at the minimum viable product (MVP) stage but should not be treated as a shortcut to production-grade infrastructure, particularly in capital-intensive systems like DeFi.

He argued that AI-generated smart contract code should be treated as untrusted input, subjected to strict version control, clear code ownership, multi-person peer review, and advanced testing, with special attention to high-risk areas such as access controls, oracles and pricing logic, and upgrade mechanisms.

Edwards added that responsible AI integration depends on governance and discipline, including defined review gates, separation between code generation and validation, and the assumption that any contract deployed in an adversarial setting may carry latent risks.


Disclaimer

The content on TrustsCrypto.com is for informational purposes only and does not constitute financial or investment advice. Cryptocurrency markets are highly volatile, always do your own research before making decisions.

Some content may be assisted by AI and reviewed by our editorial team, but accuracy is not guaranteed. TrustsCrypto.com is not responsible for any losses resulting from the use of information provided.
