Brief
- A misconfigured oracle valued cbETH at around $1 instead of around $2,200.
- The liquidations seized 1,096.317 cbETH and wiped out borrower collateral.
- The protocol was left with $1.78 million in bad debt while awaiting a governance solution.
A Sunday morning pricing glitch turned into a multimillion-dollar headache for DeFi lending platform Moonwell, after a “misconfigured oracle” briefly valued Coinbase Wrapped ETH (cbETH) at just $1.
The pricing error made resulted in a 99.9% discount to the asset’s true market value of approximately $2,200. The error sparked a wave of liquidations, ultimately leaving the platform with approximately $1.78 million in bad debt.
“Once identified, our risk manager @anthiasxyz acted quickly to reduce the cbETH borrowing cap to 0.01 to contain more risk to the protocol,” Moonwell wrote on X on Monday. “The supply cap has also been reduced to 0.01 to prevent new users from unknowingly supplying the affected market.”
In a Moonwell forum post published Monday, risk management firm Anthias Labs reported that the error occurred at 6:01 p.m. UTC on February 15, when the Moonwell DAO governance proposal, MIP-X43, was executed, enabling Chainlink OEV wrapper contracts on the base and bullish markets. One of these oracles was misconfigured and failed to correctly estimate the USD value of cbETH.
Moonwell said that instead of multiplying the cbETH/ETH flow by the ETH/USD price, the system only used the raw cbETH/ETH exchange rate. As a result, the oracle reported cbETH at around $1.12.
Trading bots began targeting cbETH collateral positions, and because the system believed cbETH was worth just over $1, liquidators were able to pay off about $1 of debt to seize a total of 1,096.317 cbETH, the company said.
“This wiped out most or all cbETH collateral for many borrowers, while leaving significant bad debt on their positions since the amount repaid was far less than the actual value borrowed,” Anthias Labs wrote.
Distorted prices also enabled exploitation.
“A smaller number of users exploited the distorted prices to provide minimal collateral, massively overborrow cbETH at the artificially low price advertised, and instantly generate additional bad debt denominated in cbETH,” the company added.
While Oracle’s misconfiguration was largely to blame, X users began circulating images of MIP-X43 as being co-written by Claude Opus 4.6, with some calling it a “vibrational coding” error.
Asked by Decrypt About the error and the resulting exploit, the Moonwell spokesperson declined to comment.
Overall, Moonwell was left with a total of $1,779,044 in bad debts across various markets, according to the post.
According to Moonwell, an upcoming governance vote will focus on configuring Oracle after the required lock-in period.
Moonwell is the latest in a growing list of DeFi projects exploited due to misconfigured oracles. In December, Ribbon Finance lost about $2.7 million after a decimal mismatch during an Oracle upgrade distorted asset prices and allowed overcollateralization.
In January, DeFi platform Makina Finance was exploited via flash loan-based Oracle manipulation, allowing an attacker to extract approximately $4 million in ETH.
Daily debriefing Newsletter
Start each day with the biggest news stories of the day, plus original features, a podcast, videos and more.
