Moonwell cbETH Oracle Incident — Mispriced Collateral Enables Near-Free Liquidation

Source & credit. Exploit reproduction, trace data, and analysis adapted from DeFiHackLabs by SunWeb3Sec — an open registry of reproduced on-chain exploits. Standalone Foundry PoC and full write-up: 2026-02-Moonwell_exp in the evm-hack-registry mirror. Upstream DeFiHackLabs PoC: src/test/…/Moonwell_exp.sol.

Vulnerability classes: vuln/oracle/stale-price · vuln/oracle/missing-validation

One faulty Chainlink cbETH/USD round priced cbETH at $1.12 instead of ~$2,272. Moonwell's ChainlinkOracle had no deviation/sanity bound, so every cbETH-collateralised position instantly showed a huge "shortfall." A liquidator repaid 0.1299 WETH (~$255) and legally seized 242.68 cbETH (~$551K of value) — and the same mechanic produced ~$1.78M of protocol-wide bad debt.

Reproduction: the PoC compiles & runs in an isolated Foundry project at this project folder. Full verbose trace: output.txt. Verified vulnerable source: ChainlinkOracle, ChainlinkOEVWrapper, Comptroller seize math.

Key info#

TL;DR#

Moonwell (a Compound-v2 fork on Base) values collateral and debt for liquidations through its ChainlinkOracle. For cbETH that oracle reads a ChainlinkOEVWrapper, which in turn reads the Chainlink cbETH/USD aggregator. During this incident the underlying aggregator returned a grossly wrong answer — 1122662744874806300 = $1.1227 — while WETH was correctly $1,965.58. The real cbETH price was ≈ $2,272 (cbETH trades at a small premium to ETH).

Moonwell's oracle has no sanity bound: it only requires answer > 0. So the $1.12 price flowed straight into the Comptroller's seize formula (liquidateCalculateSeizeTokens):

seizeTokens = repayAmount × (liquidationIncentive × priceBorrowed) / (priceCollateral × exchangeRate)

With priceCollateral (cbETH) ≈ 2,024× too small, the seize amount is ≈ 2,024× too large. Every cbETH-collateralised borrower also instantly showed a massive account "shortfall," making them liquidatable. The attacker:

1. Flash-borrows 0.129906 WETH from an Aerodrome CL pool.
2. Calls mWETH.liquidateBorrow(victim, 0.1299 WETH, mcbETH) — repaying ~$255 of the victim's 2,227.59 WETH debt and seizing essentially the victim's entire cbETH position (1,245,281,245,597 mcbETH).
3. Redeems the seized mcbETH for 242.68 cbETH.
4. Swaps 242.68 cbETH → 272.43 WETH on Aerodrome.
5. Repays the flash loan (0.12991798 WETH) and keeps 272.296 WETH (≈ $535K at the trace's true ~$1,965/ETH WETH price).

The repay was sized so that the seized collateral (1,245,281,245,597) was just under the victim's mcbETH balance (1,245,405,786,250) — i.e. drain the position to the wei.

Background — what Moonwell is#

Moonwell is an over-collateralised lending market on Base, forked from Compound v2 / Benqi:

• Users supply assets to mToken markets (mWETH, mcbETH, mUSDC, …) and may borrow against them.
• The Comptroller (behind the Unitroller proxy) enforces collateral factors, decides who is liquidatable (getAccountLiquidity), and computes how much collateral a liquidator seizes (liquidateCalculateSeizeTokens).
• All USD pricing comes from a single PriceOracle — here the ChainlinkOracle at 0xEC942b…. For each market it looks up a Chainlink feed by the underlying token's symbol string (e.g. "cbETH").
• For some assets the configured "feed" is not a raw Chainlink aggregator but a ChainlinkOEVWrapper — Moonwell's mechanism to capture Oracle-Extractable-Value: it deliberately serves the previous round's price unless a liquidator has paid to "unlock" the fresh round.

The liquidation path is the standard Compound flow: mWETH.liquidateBorrow → liquidateBorrowFresh → Comptroller.liquidateBorrowAllowed (checks shortfall + close factor) → Comptroller.liquidateCalculateSeizeTokens (computes seized collateral) → mcbETH.seize.

The vulnerable code#

1. The oracle accepts any positive answer — no deviation / sanity bound#

ChainlinkOracle.getChainlinkPrice:

function getChainlinkPrice(AggregatorV3Interface feed) internal view returns (uint256) {
    (, int256 answer, , uint256 updatedAt, ) = AggregatorV3Interface(feed).latestRoundData();
    require(answer > 0, "Chainlink price cannot be lower than 0");   // ← only guard
    require(updatedAt != 0, "Round is in incompleted state");
    uint256 decimalDelta = uint256(18).sub(feed.decimals());
    if (decimalDelta > 0) { return uint256(answer).mul(10 ** decimalDelta); }
    else { return uint256(answer); }
}

There is no minimum/maximum price band, no deviation-vs-previous-round check, no cross-feed/exchange-rate sanity check, and no max-staleness window (it never compares updatedAt to block.timestamp). A $1.12 cbETH answer — a ~99.95% drop that no correct cbETH feed could ever produce — is accepted as a valid collateral price.

2. The OEV wrapper has the same weak validation#

ChainlinkOEVWrapper._validateRoundData:

function _validateRoundData(uint80 roundId, int256 answer, uint256 updatedAt, uint80 answeredInRound)
    internal pure {
    require(answer > 0, "Chainlink price cannot be lower or equal to 0");
    require(updatedAt != 0, "Round is in incompleted state");
    require(answeredInRound >= roundId, "Stale price");
}

Same story — sign, completeness, and round monotonicity only. The wrapper additionally serves the previous round unless the current round was paid for, which can extend the lifetime of a bad round but adds no value sanity-check.

In the trace the wrapper's latestRoundData() returns the underlying aggregator answer 1122662744874806300 ($1.1227) at updatedAt = 1771164149 — see output.txt:2164-2180.

3. The seize formula divides by the (mispriced) collateral price#

Comptroller.liquidateCalculateSeizeTokens:

uint priceBorrowedMantissa   = oracle.getUnderlyingPrice(MToken(mTokenBorrowed));   // WETH = 1965.58e18
uint priceCollateralMantissa = oracle.getUnderlyingPrice(MToken(mTokenCollateral)); // cbETH = 1.1227e18  ⚠️
...
numerator   = liquidationIncentiveMantissa × priceBorrowedMantissa;
denominator = priceCollateralMantissa × exchangeRateMantissa;       // ⚠️ ~2000× too small
ratio       = numerator / denominator;
seizeTokens = ratio × actualRepayAmount;                            // ⚠️ ~2000× too many cbETH seized

Because priceCollateral is artificially ≈ 2,024× too small, the liquidator seizes ≈ 2,024× the collateral they should for a given repay — i.e. they buy cbETH for ~1/2000th of its real value.

4. The liquidation gate also keys off the same bad price#

Comptroller.liquidateBorrowAllowed only requires shortfall > 0. With cbETH collateral valued at $1.12, the victim's account liquidity collapses (borrow ≈ 2,227.59 WETH × $1,965 ≈ $4.38M vs collateral valued at ~$0), so they are reported as deeply underwater and freely liquidatable.

Root cause — why it was possible#

The proximate trigger was a bad Chainlink cbETH/USD round (~$1.12). The reason that off-chain glitch became a $1.78M on-chain loss is a missing oracle integrity layer in Moonwell:

1. No price-deviation / circuit-breaker guard. A correct lending oracle should reject a price that moves >X% from the previous accepted value, or that falls outside a hard min/max band, and should pause/fall-back rather than feed it to liquidations. Moonwell's oracle only checks answer > 0.
2. No cross-feed sanity check for an ETH-correlated LST. cbETH is Coinbase staked-ETH; it can only trade in a narrow band around ETH (the trace's WETH price was a healthy $1,965). A cbETH price of $1.12 vs an ETH price of $1,965 is physically impossible and trivially detectable, yet nothing compared them.
3. No max-staleness window. Neither the oracle nor the OEV wrapper checks updatedAt against block.timestamp; the OEV wrapper can even deliberately serve a stale prior round.
4. Liquidation math is purely price-ratio driven. seizeTokens ∝ 1 / priceCollateral, so a collateral price error is amplified linearly into over-seizure. There is no per-liquidation cap on the fraction of an account's collateral that one undersized repay can take.

Net effect: a single bad oracle round is sufficient to (a) mark every cbETH borrower as liquidatable and (b) let anyone repay dust and walk away with the full collateral — at ~1/2000th of fair value.

Preconditions#

• The Chainlink cbETH/USD feed (via the OEV wrapper) is returning a grossly wrong low answer (here $1.12). This was a real off-chain oracle malfunction during the incident.
• A target account holds cbETH collateral in mcbETH and has any WETH (or other) debt — at the bad price it is reported with shortfall > 0 and is liquidatable. The PoC asserts the exact victim debt mWETH.borrowBalanceCurrent(victim) == 2_227_585_181_466_568_852_543 before proceeding (Moonwell_exp.sol:88).
• A small amount of WETH to perform the liquidation repayment — fully flash-loanable and repaid in the same transaction, so zero capital at risk for the attacker.

Attack walkthrough (ground-truth numbers from the trace)#

All values are taken directly from output.txt. cbETH/mcbETH and WETH are 18-decimal; mcbETH (the receipt token) is 8-decimal.

Why the numbers line up: at the correct prices the repay of 0.1299 WETH (~$255) should seize roughly $255 × 1.10 incentive ÷ $2,272 ≈ 0.123 cbETH. At the bad cbETH price ($1.12) the same repay seizes ≈ 0.123 × ($2,272 / $1.12) ≈ 250 cbETH — matching the 242.68 cbETH actually redeemed (the small gap is the mcbETH→cbETH exchange rate 2.009e26 and the protocol's ~3% seize share). The attacker turns ~$255 of WETH into ~$551K of cbETH.

Profit / loss accounting (WETH terms)#

This single liquidation is one slice of the broader incident; across all cbETH-collateralised positions the protocol absorbed ~$1.78M of bad debt (per the PoC header and MIP-X43).

Diagrams#

Sequence of the attack#

Price / seize-math state evolution#

Where the integrity check is missing#

Why each magic number#

• borrowBalanceCurrent(victim) == 2,227,585,181,466,568,852,543 — the PoC asserts the exact victim debt so the run is pinned to the on-chain state at the fork tx.
• flash 129,906,284,941,311,087 WETH (0.129906) — sized so that the resulting seizeTokens (1,245,281,245,597) is just below the victim's mcbETH balance (1,245,405,786,250); i.e. repay the largest amount that still seizes ≤ 100% of the position (and stays under the close-factor maxClose), draining it to the wei.
• mcbETH.balanceOf(this) == 1,207,922,808,230 — the seized amount net of the protocol's seize share (the seizeTokens minus the 37,358,437,367 added to mcbETH reserves at L2254-L2255).
• swap sqrtPriceLimitX96 = 4_295_128_740 — the Uniswap-V3/Aerodrome min sqrt-price limit (MIN_SQRT_RATIO + 1) for a zeroForOne (cbETH→WETH) swap, i.e. "accept any price."
• amount0Delta == 242_681_146_382_025_215_739 asserted in uniswapV3SwapCallback — the exact cbETH the pool pulls (242.68 cbETH), confirming the redeem produced precisely that.
• repay amount + amount0Delta == 129_917_976_506_955_805 — flash principal 0.129906 + fee 11,691,565,644,718 wei.

Remediation#

1. Add a price-integrity layer to the oracle. Reject any feed answer that (a) deviates more than a configured percentage from the last accepted value, or (b) falls outside a hard min/max band per asset. On violation, revert (pausing liquidations for that market) or fall back to a secondary source — never silently accept it.
2. Enforce staleness. Require block.timestamp - updatedAt <= maxAge in both ChainlinkOracle and ChainlinkOEVWrapper; the current code never compares updatedAt to block.timestamp, and the OEV wrapper can deliberately serve a stale prior round.
3. Cross-check correlated assets. For ETH liquid-staking tokens (cbETH, wstETH, rETH), validate the reported price against the ETH price and the token's known exchange-rate band; a cbETH/ETH ratio of ~0.0006 (here) is physically impossible and should fail closed.
4. Cap per-liquidation collateral seizure. Bound the fraction of an account's collateral one liquidation can take so that a single mispriced round cannot translate a dust repay into full-position seizure; combine with a sane close factor.
5. Use a robust multi-oracle / OEV design. Aggregate Chainlink with at least one independent source and require agreement within tolerance before a price is usable by the Comptroller.

How to reproduce#

The PoC was extracted into a standalone Foundry project (the umbrella DeFiHackLabs repo has other PoCs that don't compile under a whole-project forge build):

_shared/run_poc.sh 2026-02-Moonwell_exp -vvvvv

• RPC: a Base archive endpoint is required (the PoC forks at the exact attack tx). The configured base = https://base-mainnet.public.blastapi.io serves the historical state; resolving the fork at the transaction takes ~14 minutes in this run, so allow a generous timeout.
• Result: [PASS] testExploit() with Attacker After exploit ETH Balance: 272.296….

Expected tail:

Ran 1 test for test/Moonwell_exp.sol:Moonwell_exp
[PASS] testExploit() (gas: 1980812)
  Attacker Before exploit ETH Balance: 0.000000000000000000
  Attacker After exploit ETH Balance: 272.296460164199053306
Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 857.14s

Sources downloaded to sources/: ChainlinkOracle (vulnerable), ChainlinkOEVWrapper (cbETH feed), Comptroller + Unitroller (seize math), mWETH / mcbETH delegators, and the cbETH proxy. Full trace in output.txt; PoC in test/Moonwell_exp.sol.

Sources & further analysis#

Reproductions & code

• Standalone PoC + full trace: 2026-02-Moonwell_exp (evm-hack-registry mirror).
• Upstream DeFiHackLabs PoC: Moonwell_exp.sol.

Alerts & third-party analyses

• Original alert / thread: post on X.
• DeFiHackLabs incident explorer: search "Moonwell cbETH Oracle Incident".
• Web3Sec X hacked database: search.
• Rekt leaderboard: search.
• Solodit incident search: search.

These dashboards index community alerts tweets, post-mortems, and independent write-ups. Reach them through the protocol name above to cross-check this reproduction against other analyses.