• One min read
Moonwell Oracle Misconfiguration Leads to
cbETH Pricing Anomaly, Resulting in $1.78M Bad Debt
Due to an oracle misconfiguration, Moonwell incorrectly priced cbETH at approximately $1, triggering large-scale liquidations and ultimately resulting in $1,779,044 in bad debt. The team has urgently restricted relevant market operations and will fix the oracle configuration via a governance proposal.
AUTOSEC.DEV
- Exploit Date: February 18, 2026
- Target Project: Moonwell
- Project Overview: Moonwell is a decentralized lending protocol on Base and Optimism that supports lending, borrowing, and liquidation services for various crypto assets.
- Loss Amount: $1,779,044
- Attack Vector: Oracle Misconfiguration
Incident Review & Technical Details
- Attack Path: During the execution of governance proposal MIP-X43, the oracle was misconfigured. The system failed to correctly multiply the cbETH/ETH exchange rate with the ETH/USD price feed, using only the raw exchange rate instead. This caused the reported price of cbETH to drop to approximately $1.
- Impact: The anomaly triggered massive erroneous liquidations. Liquidation bots seized users' collateral at an extremely low cost, leaving the protocol with substantial bad debt.
- Official Assessment: The issue stemmed from an oracle configuration error rather than a vulnerability in the underlying smart contract code.
- Investigation Progress: The borrow cap and supply cap for cbETH have been reduced to their minimums. A subsequent governance vote will be held to restore the correct oracle configuration.
Reference
https://decrypt.co/358374/oracle-error-leaves-defi-lender-moonwell-1-8-million-bad-debt