Moonwell: Oracle Misconfiguration (Missing ETH/USD Multiplier)

Summary #

Moonwell suffered a Lending / Money Market on 2026-02-15, resulting in a loss of approximately $2M.

What happened #

A Moonwell governance upgrade co-authored by Claude Opus 4.6 deployed a cbETH oracle missing a single multiplication, pricing a $2,200 asset at $1.12 — liquidation bots seized 1,096 cbETH within 4 minutes, leaving $1.78M in bad debt.

Linked factors #

• RD-F-004 — causal : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited configuration (governance parameter)]
• RD-F-006 — causal : Audit-deploy gap — alternate field name [via dashboard_risk_factors/Code newly deployed/upgraded?: Yes — Chainlink OEV oracle wrappers newly deployed via MIP-X43]
• RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
• RD-F-099 — illustrative : Oracle price deviation > X% from secondary source — RT signal would have fired [via realtime_signals/Oracle anomaly (Y/N): Y — cbETH price dropped from ~$2,200 to $1.12 immediately on oracle activation]
• RD-F-101 — illustrative : Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action (Y/N): Y — governance proposal execution directly caused the exploit]
• RD-F-126 — causal : Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Yes — Compound V2 fork]
• RD-F-127 — related : Upstream Compound has patches that may not be merged here [via dashboard_risk_factors/Forked?: Yes — Compound V2 fork]
• RD-F-172 — causal : Repo shows AI-tool co-authorship in critical files (Cat 12) [via cross-hack: Factor 63: AI-Coauthored Code in Security-Critical Components]
• RD-F-173 — related : Team self-disclosure of AI-generated Solidity [via cross-hack: Factor 63: AI-Coauthored Code in Security-Critical Components]