The decentralized finance (DeFi) lending protocol Moonwell suffered an exploit resulting in approximately $1.78 million in bad debt. The incident occurred after a governance proposal misconfigured a pricing oracle for Coinbase Wrapped Staked ETH (cbETH), causing it to report a value of $1.12 instead of the correct $2,200. This mispricing was exploited by liquidation bots and opportunistic borrowers, according to the protocol’s incident post-mortem.
The exploit on the Moonwell protocol, deployed on Base and Optimism, stemmed from a faulty oracle configuration. A governance proposal executed on Sunday incorrectly used only the cbETH/ETH exchange rate, as stated in the protocol’s post-mortem, leading to the severe undervaluation.
Security auditor Pashov publicly flagged that multiple commits in the affected contract pull requests were co-authored by Anthropic’s Claude Opus. He described this as an example of AI-assisted Solidity code backfiring but noted the issue was not unique to AI. “The developer was using Claude to write the code, and this has led to the vulnerability,” Pashov said.
However, Pashov cautioned against viewing the flaw as solely AI-driven. He argued the oracle mistake was one “even a senior Solidity developer could have made,” attributing the root cause to insufficient checks and validation. The loss is relatively small compared to major DeFi exploits, but it raises questions about governance and security processes.
The incident has sparked discussion about responsible AI use in development. Fraser Edwards, co-founder and CEO of cheqd, told Cointelegraph that AI-assisted development can be valuable but requires discipline. He argued all AI-generated smart contract code should be treated as untrusted input subjected to rigorous review. “Ultimately, responsible AI integration comes down to governance and discipline,” Edwards stated.
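The kind of validation the post-mortem's root cause points to can be sketched as a pre-execution sanity check on a proposed oracle price. This is an added example, not Moonwell's code or anything from the post-mortem; the `FeedAnswer` type, the function names, the feed decimals, the ETH/USD value and the 5% deviation bound are all assumptions made for illustration.

```python
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class FeedAnswer:
    """Fixed-point oracle answer: value = raw / 10**decimals, in `quote` units."""
    raw: int
    decimals: int
    quote: str  # denomination of the answer, e.g. "ETH" or "USD"

    def value(self) -> Fraction:
        return Fraction(self.raw, 10 ** self.decimals)


def compose_usd_price(ratio: FeedAnswer, base_usd: FeedAnswer) -> Fraction:
    """cbETH/USD = (cbETH/ETH) * (ETH/USD); refuse feeds in the wrong units."""
    if ratio.quote != "ETH" or base_usd.quote != "USD":
        raise ValueError("expected an ETH-quoted ratio and a USD-quoted base feed")
    return ratio.value() * base_usd.value()


def check_proposed_price(proposed: Fraction, reference: Fraction,
                         max_deviation: Fraction) -> bool:
    """True only if the proposed price is within max_deviation of the reference."""
    if proposed <= 0 or reference <= 0:
        return False
    return abs(proposed - reference) / reference <= max_deviation


# Constructed sample values (assumptions, not data from the incident report).
CBETH_ETH = FeedAnswer(raw=1_120_000_000_000_000_000, decimals=18, quote="ETH")
ETH_USD = FeedAnswer(raw=196_429_000_000, decimals=8, quote="USD")  # 1964.29
CURRENT_USD = Fraction(2200)   # price the market used before the change
MAX_DEV = Fraction(5, 100)     # hypothetical 5% tolerance for a config change


def ratio_only_price() -> Fraction:
    """The misconfiguration: the cbETH/ETH ratio read as if it were a USD price."""
    return CBETH_ETH.value()


def composed_price() -> Fraction:
    """The ratio multiplied through the ETH/USD feed."""
    return compose_usd_price(CBETH_ETH, ETH_USD)


if __name__ == "__main__":
    for name, price in (("ratio only", ratio_only_price()),
                        ("composed", composed_price())):
        ok = check_proposed_price(price, CURRENT_USD, MAX_DEV)
        print(f"{name}: ${float(price):,.2f} -> {'accept' if ok else 'REJECT'}")
```

Run as a gate in proposal simulation, a check like this rejects the ratio-only configuration before execution, whoever or whatever wrote the code.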

