Chainlink oracle glitch costs Moonwell $1M as DeFi suffers another exploit

Key Takeaways

What caused the Moonwell exploit?

A Chainlink oracle price feed malfunction incorrectly valued 0.02 wrstETH (worth pennies) at millions, allowing an attacker to drain funds before the protocol could respond.

How does this relate to other recent DeFi hacks?

Moonwell’s loss came just 24 hours after Balancer’s $128M exploit and marks Moonwell’s fourth major hack in three years.

DeFi suffered its worst start to a month in a long time as two major protocols lost $129 million in 48 hours. 

A Chainlink oracle malfunction enabled a $1 million Moonwell exploit on 4 November, just one day after hackers drained $128 million from Balancer across six blockchains.

The Chainlink oracle exploit

An attacker exploited Moonwell’s lending protocol on Base using a sophisticated oracle manipulation attack. The hacker flashloaned approximately 0.02 wrstETH, worth mere pennies, and deposited it as collateral.

However, a Chainlink oracle price feed temporarily malfunctioned, valuing this tiny collateral at $5.8 million. The protocol accepted the inflated valuation.

The attacker immediately borrowed over 20 wstETH against the artificially valued collateral.

Source: CertiK

The exploit was repeated seven times within three hours, and each cycle netted approximately 24.5-24.9 ETH.

The attacker executed everything within single blocks, avoiding liquidation mechanisms, and made a total profit of 292 ETH [around $1.01 million].

CertiK detected the exploit and confirmed that the oracle pricing error enabled the attack. The incident highlights the risks of infrastructure dependency in DeFi lending protocols, although Chainlink’s core oracle network remained secure throughout.

TVL crashes, token plummets

Analysis of DefiLlama data revealed that Moonwell’s Total Value Locked [TVL] collapsed from $268 million to $213 million, a $55 million exodus in just hours. 

Source: DefiLlama

Additionally, the WELL token declined by over 12% to trade at approximately $0.012, while the broader cryptocurrency market decreased by more than 1%.

A troubling pattern

This marks Moonwell’s fourth major security incident in three years, according to reports. 

December 2024 saw a $320,000 flash loan exploit, and on 10 October 2025, a $1.7 million oracle incident occurred. Now, on 4 November, another $1 million loss is added, just 24 days after the previous one.

Most troubling: Moonwell removed its Immunefi bug bounty program in February 2025, months before suffering two exploits totaling $2.7 million.

The decision eliminated financial incentives for security researchers to find vulnerabilities before attackers did.

DeFi’s $129M week

The Moonwell exploit capped a devastating 48-hour period for DeFi. 

Balancer lost $128 million on 3 November when hackers exploited access control vulnerabilities across Ethereum, Arbitrum, Base, Optimism, Polygon, and Sonic. Berachain halted its entire network for an emergency hard fork.

Combined losses exceed $129 million across two protocols in two days. Both exploits exposed different vulnerabilities; Balancer suffered from faulty access controls, while Moonwell fell victim to oracle infrastructure issues.

This week’s carnage shows that even established protocols remain vulnerable to sophisticated attacks targeting infrastructure dependencies and protocol-level weaknesses.