An attacker spent about $1,800 on MFAM to push a malicious Moonwell proposal that could seize control of seven markets and $1.08m in assets, testing its veto and governance defenses.
Summary
- An unknown attacker spent just $1,800 to acquire 40 million MFAM tokens and push a malicious governance proposal through quorum in roughly 11 minutes on Moonwell’s Moonriver deployment.
- The proposal, if executed, would transfer admin control of seven lending markets, the comptroller, and the oracle to an attacker-controlled contract, exposing roughly $1.08 million in user funds.
- Moonwell retains an emergency veto mechanism, the “Break Glass Guardian” multisig, and a majority of subsequent votes have opposed the proposal ahead of the March 27 deadline.
An unknown attacker on March 26 spent roughly $1,800 to acquire around 40 million MFAM tokens and ram through a malicious governance proposal on Moonwell’s Moonriver deployment, completing the entire sequence in roughly 11 minutes and putting roughly $1.08 million in user funds at risk.
As reported by The Block, the attacker’s proposal, listed as MIP-R39, seeks to transfer administrative rights over seven lending markets, the comptroller contract, and the price oracle to a contract under the attacker’s control. Gaining that access would effectively allow the attacker to drain the protocol’s pools at will. Moonwell is a DeFi lending protocol operating on Moonbeam and Moonriver, two parachains within the Polkadot ecosystem, where users deposit assets to earn yield or borrow against collateral.
The exploit targets a structural weakness endemic to token-based governance: when a protocol’s governance token trades at depressed prices and voter participation is thin, a bad actor can buy enough voting weight to pass proposals with relatively little capital. That dynamic is precisely what made the attack possible: $1,800 worth of MFAM was enough to hit quorum and lock in a favorable vote before meaningful opposition could mobilize.
Two fail-safes remain in play
Voting on the proposal remains open until March 27. While it reached quorum quickly, the majority of cast votes are now opposed. The final outcome still hinges on any remaining undeclared voting power. Separately, Moonwell maintains an emergency multisig mechanism known as the “Break Glass Guardian,” which can override the governance process and revoke the attacker’s access before execution regardless of the vote outcome.
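As an added illustration (not code from the article or from Moonwell itself), the following Python model of a Compound-style token-vote governor shows the two controls the passages above describe: a voting window plus a timelock, which keep a proposal that hits quorum within minutes from executing on the spot, and a guardian multisig that can cancel a queued proposal before its timelock expires. The 40 million-vote quorum, the 24-hour periods, the voter names, the `break_glass_multisig` identifier and the `setAdmin:` action string are constructed assumptions, not Moonwell’s actual parameters.

```python
"""Toy governor with voting period, timelock and guardian veto.
Constructed example; all parameters and names below are assumptions,
not the real Moonwell/MFAM governance configuration."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Set

HOUR = 3600


class State(Enum):
    ACTIVE = "active"        # voting window still open
    DEFEATED = "defeated"    # window closed; quorum missed or against >= for
    SUCCEEDED = "succeeded"  # window closed and passed; not yet queued
    QUEUED = "queued"        # sitting in the timelock until eta
    EXECUTED = "executed"
    CANCELED = "canceled"    # vetoed by the guardian


@dataclass
class Proposal:
    pid: int
    proposer: str
    actions: List[str]                 # e.g. "setAdmin:attacker" (assumed encoding)
    voting_ends: int
    eta: Optional[int] = None          # earliest execution time once queued
    votes_for: int = 0
    votes_against: int = 0
    voters: Set[str] = field(default_factory=set)
    terminal: Optional[State] = None   # EXECUTED or CANCELED once reached


class Governor:
    def __init__(self, quorum_votes: int, voting_period: int,
                 timelock_delay: int, guardian: str):
        self.quorum_votes = quorum_votes
        self.voting_period = voting_period
        self.timelock_delay = timelock_delay
        self.guardian = guardian
        self.proposals = {}
        self.admin = "governor"        # who currently administers the markets

    def propose(self, proposer: str, actions: List[str], now: int) -> Proposal:
        p = Proposal(len(self.proposals) + 1, proposer, actions,
                     voting_ends=now + self.voting_period)
        self.proposals[p.pid] = p
        return p

    def cast_vote(self, p: Proposal, voter: str, weight: int,
                  support: bool, now: int) -> None:
        if p.terminal or now >= p.voting_ends:
            raise ValueError("voting closed")
        if voter in p.voters:
            raise ValueError("already voted")
        p.voters.add(voter)
        if support:
            p.votes_for += weight
        else:
            p.votes_against += weight

    def state(self, p: Proposal, now: int) -> State:
        if p.terminal:
            return p.terminal
        if p.eta is not None:
            return State.QUEUED
        if now < p.voting_ends:
            return State.ACTIVE
        passed = p.votes_for >= self.quorum_votes and p.votes_for > p.votes_against
        return State.SUCCEEDED if passed else State.DEFEATED

    def queue(self, p: Proposal, now: int) -> None:
        # Reaching quorum early does not shorten the window: queueing is only
        # possible after voting_ends, and execution only after the timelock.
        if self.state(p, now) is not State.SUCCEEDED:
            raise ValueError("proposal has not succeeded")
        p.eta = now + self.timelock_delay

    def execute(self, p: Proposal, now: int) -> None:
        if self.state(p, now) is not State.QUEUED or now < p.eta:
            raise ValueError("not queued or timelock not expired")
        p.terminal = State.EXECUTED
        for action in p.actions:
            if action.startswith("setAdmin:"):
                self.admin = action.split(":", 1)[1]

    def guardian_cancel(self, caller: str, p: Proposal, now: int) -> None:
        # The "break glass" path: the guardian may cancel at any point before
        # execution, regardless of how the vote went.
        if caller != self.guardian:
            raise PermissionError("only the guardian may cancel")
        if self.state(p, now) is State.EXECUTED:
            raise ValueError("too late: already executed")
        p.terminal = State.CANCELED


def run_scenario(community_votes_against: int, guardian_acts: bool) -> dict:
    """Hostile proposer hits quorum 11 minutes in; then either the community
    outvotes it, the guardian cancels it, or nothing stops it."""
    gov = Governor(quorum_votes=40_000_000, voting_period=24 * HOUR,
                   timelock_delay=24 * HOUR, guardian="break_glass_multisig")
    p = gov.propose("attacker", ["setAdmin:attacker"], now=0)
    gov.cast_vote(p, "attacker", 40_000_000, True, now=11 * 60)   # quorum hit
    try:                                   # early execution must be refused
        gov.execute(p, now=12 * 60)
        blocked_early = False
    except ValueError:
        blocked_early = True
    if community_votes_against:
        gov.cast_vote(p, "community", community_votes_against, False, now=6 * HOUR)
    t_end = p.voting_ends
    if gov.state(p, t_end) is State.SUCCEEDED:
        gov.queue(p, t_end)
        if guardian_acts:
            gov.guardian_cancel(gov.guardian, p, now=t_end + HOUR)
        else:
            gov.execute(p, now=p.eta)
    return {"quorum_hit": p.votes_for >= gov.quorum_votes,
            "blocked_early": blocked_early,
            "final": gov.state(p, t_end + 3 * 24 * HOUR).value,
            "admin": gov.admin}


if __name__ == "__main__":
    print("no opposition, no guardian:", run_scenario(0, False))
    print("community outvotes:        ", run_scenario(60_000_000, False))
    print("guardian cancels:          ", run_scenario(0, True))
```

The three scenarios make the point of the passage concrete: quorum alone never hands over the admin role immediately, because the timelock refuses execution until the window and delay have both elapsed; in that interval either organic opposition (the second scenario) or the guardian’s cancel (the third) leaves the markets under the governor, and only when neither acts does the hostile action land.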
The incident is the second major security failure to hit Moonwell in a matter of weeks. In February, the protocol suffered a previous exploit when a faulty oracle, reportedly co-authored using the AI model Claude Opus 4.6, mispriced Coinbase Wrapped ETH (cbETH) at near $1 instead of its actual market value of roughly $2,200, generating roughly $1.78 million in bad debt.
A recurring vulnerability across DeFi
Governance attacks aren’t new to decentralized finance, but they continue to expose the tension between open participation and protocol security. The 2022 Beanstalk flash loan attack remains the most dramatic example of the vector, with an attacker draining over $180 million by using a flash loan to temporarily accumulate sufficient voting power to pass a fraudulent proposal in a single transaction. Compound Finance and the now-defunct Swerve Finance have also faced similar contested governance episodes driven by concentrated token accumulation.
What distinguishes the Moonwell case is the raw cost efficiency. No flash loans were required, just a modest open-market purchase of a low-liquidity token, and a governance system that lacked the circuit breakers to slow down a hostile proposal.
The Moonwell community and team are now racing against the March 27 vote deadline. The outcome will test whether the Break Glass Guardian mechanism and organic voter opposition can neutralize the threat before the proposal reaches execution.