Moonwell’s AI-coded oracle glitch misprices cbETH at $1, drains $1.78M

Moonwell’s lending pools racked up about $1.78M in bad debt after a cbETH oracle mispriced the token at nearly $1 instead of around $2.2k, enabling bots and liquidators to drain collateral within hours of a misconfigured Chainlink-based update reportedly using AI-generated logic.

Decentralized finance lending protocol Moonwell suffered a $1.78 million exploit due to a pricing oracle bug that misvalued Coinbase-wrapped ETH (cbETH), according to reports from the platform.

The vulnerability originated in oracle calculation logic reportedly generated by the AI model Claude Opus 4.6, which introduced an incorrect scaling factor in the asset price feed, according to the protocol’s disclosure. Attackers borrowed against severely underpriced collateral, extracting funds before the error was detected and corrected.

The cbETH mispricing effectively collapsed the collateral requirement for borrowing within affected pools. Because lending systems rely on accurate collateral ratios, the incorrect price allowed attackers to extract assets with minimal backing value, according to the protocol’s technical analysis.

Price oracles represent critical security components in DeFi lending systems. Incorrect asset valuation can enable under-collateralized borrowing or liquidation failures. Many major DeFi exploits have historically involved oracle manipulation or pricing errors rather than core protocol flaws, according to industry security reports.

The Moonwell incident differs from traditional oracle exploits in that the faulty logic appears linked to automated AI code generation rather than malicious oracle data feeds, according to the protocol’s preliminary investigation.

The exploit highlights risks associated with AI-assisted smart-contract development in financial applications. Language models can accelerate coding workflows, but financial protocols require precise numerical correctness, unit handling and edge-case validation, according to blockchain security experts.

In DeFi systems, small arithmetic or scaling mistakes can translate into systemic vulnerabilities affecting collateral valuation and solvency. The incident raises questions about whether AI-generated contract components may require stricter auditing standards than manually written code, according to security researchers.

AI-assisted development is increasingly used across Web3 engineering workflows, from contract templates to integration logic. Security models and audit frameworks have not yet fully adapted to AI-generated contract code, according to industry observers.

The broader implications center on how automated code generation errors in financial logic represent a new category of DeFi risk. Oracle math, scaling factors and unit conversions remain high-precision domains where automation failures can propagate into protocol-level vulnerabilities, according to technical analysis of the incident.

As AI-assisted smart-contract development expands, audit methodologies will likely need to evolve toward verifying not only code correctness but generation provenance and numerical invariants, according to blockchain security firms.