Thursday, April 23, 2026

Moonwell hit by governance attack: $1.08M at risk for $1,800 spend


An attacker spent about $1,800 on MFAM to push a malicious Moonwell proposal that would seize control of seven markets and $1.08M in assets, testing its veto and governance defenses.

Summary

  • An unknown attacker spent just $1,800 to amass 40 million MFAM tokens and push a malicious governance proposal through quorum in roughly 11 minutes on Moonwell’s Moonriver deployment.
  • The proposal, if executed, would transfer admin control of seven lending markets, the comptroller, and the oracle to an attacker-controlled contract, exposing roughly $1.08 million in user funds.
  • Moonwell retains an emergency veto mechanism, the “Break Glass Guardian” multisig, and a majority of subsequent votes have opposed the proposal ahead of the March 27 deadline.

An unknown attacker on March 26 spent roughly $1,800 to amass around 40 million MFAM tokens and ram through a malicious governance proposal on Moonwell’s Moonriver deployment, completing the entire sequence in roughly 11 minutes and putting roughly $1.08 million in user funds at risk.

As reported by The Block, the attacker’s proposal, listed as MIP-R39, seeks to transfer administrative rights over seven lending markets, the comptroller contract, and the price oracle to a contract under the attacker’s control. Gaining that access would effectively allow the attacker to drain the protocol’s pools at will. Moonwell is a DeFi lending protocol operating on Moonbeam and Moonriver, two parachains within the Polkadot ecosystem, where users deposit assets to earn yield or borrow against collateral.

The exploit targets a structural weakness endemic to token-based governance: when a protocol’s governance token trades at depressed prices and voter participation is thin, a bad actor can buy enough voting weight to pass proposals with relatively little capital. That dynamic is exactly what made the attack possible: $1,800 worth of MFAM was enough to hit quorum and lock in a favorable vote before meaningful opposition could mobilize.

Two fail-safes remain in play

Voting on the proposal remains open until March 27. While it reached quorum quickly, the majority of cast votes are now opposed. The final result still hinges on any remaining undeclared voting power. Separately, Moonwell maintains an emergency multisig mechanism known as the “Break Glass Guardian,” which can override the governance process and revoke the attacker’s access before execution regardless of the vote outcome.

The incident is the second major security failure to hit Moonwell in a matter of weeks. In February, the protocol suffered a previous exploit when a faulty oracle (reportedly co-authored using the AI model Claude Opus 4.6) mispriced Coinbase Wrapped ETH (cbETH) at near $1 instead of its actual market value of roughly $2,200, generating roughly $1.78 million in bad debt.

A recurring vulnerability across DeFi

Governance attacks are not new to decentralized finance, but they continue to expose the tension between open participation and protocol security. The 2022 Beanstalk flash loan attack remains the most dramatic example of the vector, with an attacker draining over $180 million by using a flash loan to temporarily accumulate sufficient voting power to pass a fraudulent proposal in a single transaction. Compound Finance and the now-defunct Swerve Finance have also faced similar contested governance episodes driven by concentrated token accumulation.

What distinguishes the Moonwell case is the raw cost efficiency. No flash loans were required, just a modest open-market purchase of a low-liquidity token, and a governance system that lacked the circuit breakers to slow down a hostile proposal.
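The kind of circuit-breaker check the paragraph above describes can be sketched as a monitoring rule. This is an added example, not code from Moonwell or from the original article; the `Vote` record layout, the thresholds, the quorum size, and the sample votes are all assumptions built around the figures reported here.

```python
from dataclasses import dataclass

# Assumed thresholds for illustration; tune per protocol.
FAST_QUORUM_S = 3600       # quorum reached within an hour of proposal creation
FRESH_TOKENS_S = 86400     # tokens held for under a day when the vote was cast
MIN_COST_RATIO = 0.05      # quorum should cost >= 5% of the funds it controls

@dataclass
class Vote:
    weight: int        # governance tokens voted
    support: bool      # True = For
    cast_at: int       # seconds after proposal creation
    acquired_at: int   # seconds relative to creation (negative = before)

def seconds_to_quorum(votes, quorum):
    """Seconds until cumulative For weight reaches quorum, or None."""
    total = 0
    for v in sorted(votes, key=lambda v: v.cast_at):
        if v.support:
            total += v.weight
            if total >= quorum:
                return v.cast_at
    return None

def assess(votes, quorum, token_usd, funds_at_risk_usd):
    """Return a list of risk flags for one proposal."""
    flags = []
    t = seconds_to_quorum(votes, quorum)
    if t is not None and t <= FAST_QUORUM_S:
        flags.append("fast_quorum")
    for_votes = [v for v in votes if v.support]
    for_weight = sum(v.weight for v in for_votes)
    fresh = sum(v.weight for v in for_votes
                if v.cast_at - v.acquired_at <= FRESH_TOKENS_S)
    if for_weight and fresh * 2 >= for_weight:
        flags.append("fresh_voting_weight")
    if quorum * token_usd < MIN_COST_RATIO * funds_at_risk_usd:
        flags.append("quorum_cheaper_than_funds_at_risk")
    return flags

# Constructed sample shaped like the incident: 40M tokens bought for about
# $1,800, quorum about 11 minutes later, $1.08M exposed. The quorum size,
# acquisition time and the opposing vote are assumptions.
SAMPLE = [Vote(40_000_000, True, 660, 0), Vote(55_000_000, False, 7200, -5_000_000)]
QUORUM = 40_000_000

if __name__ == "__main__":
    print(assess(SAMPLE, QUORUM, 1800 / 40_000_000, 1_080_000))
```

A proposal that trips all three flags is a candidate for guardian review or an enforced delay before execution.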

The Moonwell community and team are now racing against the March 27 vote deadline. The outcome will test whether the Break Glass Guardian mechanism and organic voter opposition can neutralize the threat before the proposal reaches execution.
