In November 2025, Moonwell, a DeFi lending protocol, suffered a $1 million hack. The root cause of the incident involved incorrect pricing information for wrapped restaked Ethereum (wrstETH) from the protocol’s price oracle. In addition to stealing about $1 million from the protocol, the attacker also left it with $3.7M in bad debt.
Inside the Attack
Price oracle attacks are nothing new in the DeFi space. Most of the time, this involves a protocol using internal price calculations or a custom oracle to estimate the value of various tokens. This is problematic because flashloans can often be used to manipulate this oracle and report incorrect pricing data. An attacker can then take advantage of the divergence between market and reported prices for the token to drain value from the protocol.
The Moonwell hack is different. The protocol followed best practices for implementing a price oracle, including the use of Chainlink’s off-chain oracle, which is resistant to these types of attacks. However, Chainlink’s oracle erroneously reported that wrstETH was worth about $5.8 million, while ETH, which the asset is designed to track, traded at under $3,500.
The attacker exploited this discrepancy within 30 seconds by depositing 0.02 wrstETH and receiving about $116k in collateral. With this collateral, they were able to take out a flashloan of 20 wstETH. By repeating this process across multiple transactions, the attacker was able to drain a total of 295 ETH.
In the end, the attacker netted about $1 million, while leaving the protocol with about $3.7 million in bad debt. Additionally, the protocol’s WELL governance token fell by 13.5% within a single day.
Lessons Learned from the Attack
The Moonwell hack demonstrates the importance of secure, correct pricing oracles to DeFi security. Since the project relied on a single source of pricing information and didn’t have guardrails in place to identify unrealistic prices — like wrstETH being worth several times more than ETH — an incorrect result from the Chainlink oracle opened up the project to exploitation.
Securing DeFi protocols requires considering the potential for supply chain failures and vulnerabilities and building processes and technical controls to mitigate these risks. Halborn offers advisory services that support teams throughout the entire design and development process, helping them to design and build resilient and secure smart contracts and project ecosystems. To learn more about how Halborn can help to enhance your project’s defenses against these types of issues, get in touch.