Moonwell, a decentralized finance (DeFi) lending protocol deployed on Base and Optimism, was exploited for approximately $1.78 million after the price oracle for Coinbase Wrapped Staked ETH (cbETH) returned a value of approximately $1.12 instead of $2,200, creating a mispricing that attackers could exploit for profit.
Moonwell said in a post-mortem that a governance proposal made on Sunday misconfigured the cbETH oracle to use only the cbETH/ETH exchange rate (a ratio denominated in ETH, not in dollars), which caused the system to report cbETH at around $1.12. The post-mortem said liquidation bots and opportunistic borrowers took advantage of the mispricing, leaving approximately $1.78 million in bad debt.
The pull requests for the affected contracts show multiple commits co-authored by Anthropic’s Claude Opus 4.6, prompting security auditor Pashov to publicly flag the incident as an example of AI-written or AI-assisted Solidity backfiring.
Speaking to Cointelegraph about the incident, he said he linked the case to Claude because the pull requests contained multiple commits Claude co-authored, meaning that “the developer was using Claude to write code, which led to the vulnerability.”
However, Pashov cautioned against treating this vulnerability as solely an artificial intelligence problem. He described the oracle issue as a mistake that “even a senior Solidity developer could have made,” arguing that the real problem was a lack of sufficiently rigorous checks and comprehensive validation.
He initially stated that he believed no testing or audit had been performed at all, but later acknowledged that the team had said the unit and integration tests were in a separate pull request and that the audit had been outsourced to Halborn.
He said the mispricing “could have been detected by an integration test, a proper one, involving integration with the blockchain,” but he declined to directly criticize other security firms.
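The two points above, the oracle wired to an ETH-denominated exchange rate instead of a USD price and the integration-style check that would have caught it, can be shown side by side. The following is an added example written for this article; it is not Moonwell’s code, the oracle functions are hypothetical, and the sample rate and ETH/USD price are constructed. It uses 18-decimal fixed-point integers as on-chain feeds usually do, and the plausibility band for a staked-ETH derivative (0.9 to 1.5 ETH) is an assumed tolerance.

```python
"""Composed USD price for a liquid-staking token: the misconfigured feed
beside the corrected one, plus the sanity check an integration test would run.

All values are fixed-point integers with 18 decimals (WAD). The inputs below
are constructed for this example; the functions are hypothetical and are not
Moonwell's code.
"""

WAD = 10**18

# Constructed sample inputs (not live data):
CBETH_ETH_RATE = 1_120_000_000_000_000_000        # 1.12 ETH per cbETH
ETH_USD_PRICE = 1_965_000_000_000_000_000_000     # 1,965 USD per ETH


def cbeth_usd_misconfigured(cbeth_eth_rate: int) -> int:
    """The failure mode described in the post-mortem: the cbETH/ETH exchange
    rate is wired into the slot callers read as a USD price. The value is a
    ratio denominated in ETH, so the protocol 'sees' cbETH at about $1.12."""
    return cbeth_eth_rate


def cbeth_usd_composed(cbeth_eth_rate: int, eth_usd_price: int) -> int:
    """Corrected feed: multiply the ETH-denominated rate by the ETH/USD price,
    dividing out one WAD so the result keeps 18 decimals."""
    return cbeth_eth_rate * eth_usd_price // WAD


def implied_rate(reported_usd: int, eth_usd_price: int) -> int:
    """Back out the cbETH/ETH ratio implied by a reported USD price."""
    return reported_usd * WAD // eth_usd_price


def price_is_plausible(reported_usd: int, eth_usd_price: int,
                       lo_rate: int = 9 * WAD // 10,
                       hi_rate: int = 3 * WAD // 2) -> bool:
    """Integration-style sanity check: a staked-ETH derivative should price
    near 1 ETH. The band (0.9 to 1.5 ETH) is an assumed tolerance. A reported
    price whose implied ratio leaves the band signals a misconfigured feed
    and should fail the deployment test before the proposal executes."""
    r = implied_rate(reported_usd, eth_usd_price)
    return lo_rate <= r <= hi_rate


def run_checks(cbeth_eth_rate: int = CBETH_ETH_RATE,
               eth_usd_price: int = ETH_USD_PRICE) -> dict:
    """Evaluate both feed configurations against the plausibility check."""
    bad = cbeth_usd_misconfigured(cbeth_eth_rate)
    good = cbeth_usd_composed(cbeth_eth_rate, eth_usd_price)
    return {
        "misconfigured_usd": bad / WAD,
        "composed_usd": good / WAD,
        "misconfigured_plausible": price_is_plausible(bad, eth_usd_price),
        "composed_plausible": price_is_plausible(good, eth_usd_price),
    }


if __name__ == "__main__":
    for name, value in run_checks().items():
        print(f"{name}: {value}")
```

In a real integration test the reported price would be read from the deployed oracle on a forked chain after simulating the governance proposal, and compared against an independent reference the same way `price_is_plausible` does here; the check is cheap precisely because a unit-denomination mistake produces a value orders of magnitude off rather than a subtle one.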
Small loss, big governance questions
The dollar value of the exploit is minuscule compared to some of the biggest DeFi incidents, such as the March 2022 Ronin Bridge exploit in which attackers stole over $600 million, or other nine-figure breaches of bridges and lending protocols.
What sets Moonwell apart is the combination of AI co-authorship, a seemingly simple error in the price configuration of a major asset, and existing audits and tests that failed to catch it.
Pashov said his own company wouldn’t fundamentally change its process, but if the code appeared to be “vibe-coded,” his team would “keep their eyes a little wider open” and expect a higher density of low-hanging problems, even though this particular oracle bug “wasn’t that easy” to catch.
“Vibe coding” and the disciplined use of artificial intelligence
Fraser Edwards, co-founder and CEO of decentralized identity infrastructure provider cheqd, told Cointelegraph that the vibe coding debate masks “two very different interpretations” of how AI is being used.
On the one hand, he said, non-technical founders prompt AI to generate code they can’t independently check; on the other, experienced developers use AI to accelerate refactoring, pattern mining and testing as part of a mature engineering process.
AI-powered development “can be valuable, especially for MVP [minimum viable product] stage,” he noted, but “should not be considered a shortcut to production-ready infrastructure,” especially in capital-intensive systems like DeFi.
Edwards argued that all AI-generated smart contract code should be treated as untrusted input, subject to strict version control, clear code ownership, multi-person peer review and rigorous testing, particularly in high-risk areas such as access control, oracle and pricing logic, and upgrade mechanisms.
“Ultimately, responsible AI integration comes down to governance and discipline,” he said, specifying clear review gates, separation of code generation from validation, and the assumption that any contract deployed in an adversarial environment may carry hidden risks.
