Moonwell, a decentralized finance (DeFi) lending protocol deployed on Base and Optimism, was exploited for about $1.78 million after a pricing oracle for Coinbase Wrapped Staked ETH (cbETH) returned a price of about $1.12 instead of $2,200, creating a mispricing that attackers were able to exploit for profit.
Moonwell said in an incident post-mortem that a governance proposal executed on Sunday misconfigured the cbETH oracle by using the cbETH/ETH exchange rate alone, causing the system to report cbETH at about $1.12. The protocol said liquidation bots and opportunistic borrowers exploited the mispricing, leaving roughly $1.78 million in bad debt.
The pull requests for the affected contracts show several commits co-authored by Anthropic’s Claude Opus 4.6, prompting security auditor Pashov to publicly flag the incident as an example of artificial intelligence-written or AI-assisted Solidity backfiring.
Speaking with Cointelegraph about the incident, he said that he had linked the case to Claude because there were several commits in the pull requests that were co-authored by Claude, meaning that “the developer was utilizing Claude to jot down the code, and this has led to the vulnerability.”
Pashov cautioned, however, against treating the flaw as uniquely AI-driven. He described the oracle issue as the kind of mistake “even a senior Solidity developer may have made,” arguing that the real problem was a lack of sufficiently rigorous checks and end-to-end validation.

Initially, he said that he believed there had been no testing or audit at all, but later acknowledged that the team said it had unit and integration tests in a separate pull request and had commissioned an audit from Halborn.
In his view, the mispricing “may have been caught with an integration check, a correct one, integrating with the blockchain,” but he declined to criticize other security firms directly.
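The misconfiguration described in the post-mortem, and a pre-execution check of the kind Pashov refers to, can be modeled in a few lines. This is an added example, not Moonwell's code or its proposal tooling; the function names, the 5% tolerance, the ETH/USD figure and the reference price are constructed assumptions chosen to match the numbers in the article.

```python
# Added illustration: every name and number here is constructed.
WAD = 10**18  # 18-decimal fixed point, a common on-chain price scale


def ratio_only_price(cbeth_eth_wad: int) -> int:
    """The misconfiguration as described: the cbETH/ETH ratio reported as USD."""
    return cbeth_eth_wad


def composed_price(cbeth_eth_wad: int, eth_usd_wad: int) -> int:
    """cbETH/USD = (cbETH/ETH) * (ETH/USD), rescaled back to 18 decimals."""
    return cbeth_eth_wad * eth_usd_wad // WAD


def deviation_bps(candidate_wad: int, reference_wad: int) -> int:
    """Absolute deviation of candidate from reference, in basis points."""
    return abs(candidate_wad - reference_wad) * 10_000 // reference_wad


def check_feed(candidate_wad: int, reference_wad: int, max_bps: int = 500) -> bool:
    """Gate to run before a proposal executes: accept the new feed only if it is
    positive and within max_bps of an independently sourced reference price."""
    if candidate_wad <= 0 or reference_wad <= 0:
        return False
    return deviation_bps(candidate_wad, reference_wad) <= max_bps


# Constructed sample inputs, chosen to match the figures in the article.
CBETH_ETH = 112 * WAD // 100       # 1.12 ETH per cbETH
ETH_USD = 1964 * WAD               # assumed ETH/USD price
REFERENCE_CBETH_USD = 2200 * WAD   # assumed independent reference price

if __name__ == "__main__":
    candidates = (
        ("ratio only", ratio_only_price(CBETH_ETH)),
        ("composed", composed_price(CBETH_ETH, ETH_USD)),
    )
    for name, price in candidates:
        verdict = "accept" if check_feed(price, REFERENCE_CBETH_USD) else "REJECT"
        print(f"{name}: ${price / WAD:,.2f} -> {verdict}")
```

The ratio-only feed is off by more than 99% against the reference, so even a loose tolerance rejects it, provided the check reads the feed as it will actually be configured after the proposal executes.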
Small loss, massive governance questions
The dollar amount of the exploit is small compared with some of DeFi’s largest incidents, such as the Ronin bridge exploit in March 2022, where attackers stole more than $600 million, or other nine-figure bridge and lending protocol hacks.
What makes Moonwell notable is the combination of AI co-authorship, a basic-seeming price configuration failure on a major asset, and existing audits and checks that did not catch it.
Pashov said his own company would not fundamentally change its process, but if code appeared “vibe coded,” his team would “have a bit extra huge open eyes” and expect a higher density of low-hanging issues, even though this particular oracle bug “was not that simple” to spot.
“Vibe coding” vs disciplined AI use
Fraser Edwards, co-founder and CEO of cheqd, a decentralized identity infrastructure provider, told Cointelegraph that the debate around vibe coding masks “two very completely different interpretations” of how AI is used.
On one side, he said, are non-technical founders prompting AI to generate code they cannot independently review; on the other, experienced developers using AI to accelerate refactors, pattern exploration and testing within a mature engineering process.
AI-assisted development “could be beneficial, significantly on the MVP [minimal viable product] stage,” he noted, but “shouldn’t be handled as a shortcut to production-ready infrastructure,” especially in capital-intensive systems like DeFi.
Edwards argued that all AI-generated smart contract code should be treated as untrusted input, subject to strict version control, clear code ownership, multi-person peer review and advanced testing, especially around high-risk areas such as access controls, oracle and pricing logic, and upgrade mechanisms.
“In the end, accountable AI integration comes right down to governance and self-discipline,” he said, with clear review gates, separation between code generation and validation, and an assumption that any contract deployed in an adversarial environment may contain latent risk.


