- BlockSec Phalcon detects suspicious transactions targeting Moonwell contracts.
- Exploit stems from an incorrectly updated price feed from an off-chain oracle system.
- MEV bot possibly exploited an oracle issue, resulting in losses exceeding $1 million.
On-chain threat detection platform BlockSec Phalcon has identified a series of suspicious transactions targeting Moonwell’s smart contracts. The platform issued an alert regarding the activity on Base and Optimism networks that resulted in losses exceeding $1 million.
BlockSec’s analysis points to an issue with the token price feed for rsETH/ETH from the off-chain oracle. The exploit was possibly carried out by a MEV bot that took advantage of incorrectly updated price data used by the protocol.
Oracle Manipulation Enables Fund Extraction
The attack exploited a vulnerability in how the protocol received and processed price information from external data sources. When the rsETH/ETH price feed failed to update correctly, the discrepancy between actual market prices and protocol prices created an arbitrage opportunity.
MEV bots typically scan blockchain networks for profitable opportunities, including price discrepancies across protocols. In this case, the bot appears to have identified the oracle malfunction and executed transactions to extract value before the issue could be corrected.
BlockSec noted that no direct contact method was available to reach the project team immediately. The platform requested that anyone with questions or relevant information reach out directly to them for coordination.
The Moonwell incident follows a larger exploit targeting the Balancer protocol on November 3, 2025. That attack resulted in losses exceeding $70 million, making it one of the most damaging recent breaches in decentralized finance.
Balancer Suffers $110M in Rapid Drainage
Attackers compromised Balancer by quickly siphoning funds from multiple liquidity pools. The hackers consolidated stolen assets into a newly created wallet within minutes of initiating the attack.
Confirmed stolen assets from the Balancer breach included 6,850 OSETH, 6,590 WETH, and 4,260 wSTETH. The speed of the attack and consolidation suggests sophisticated planning and execution by the attackers.
Oracle vulnerabilities have become an increasing concern for DeFi protocols relying on external price feeds. These systems depend on accurate real-time data to function properly, and any manipulation or failure in the oracle mechanism can create exploitable conditions.
The incidents highlight ongoing security challenges facing decentralized finance platforms. Despite advances in smart contract security, oracle dependencies and price feed mechanisms remain potential attack vectors that require constant monitoring and robust failsafe systems.
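As an illustration of the kind of failsafe described above, the following is an added example and not code from BlockSec, Moonwell, or any oracle provider. It gates each rsETH/ETH price update on its age, its jump from the last accepted price, and its distance from an independent reference, and pauses on the first failure. The class names, thresholds and sample prices are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PriceUpdate:
    pair: str        # e.g. "rsETH/ETH"
    price: float     # quote units per one base unit
    timestamp: int   # unix seconds at which the oracle reported it

def deviation_bps(value, baseline):  # relative distance, in basis points
    return abs(value - baseline) / baseline * 10_000

@dataclass
class FeedGuard:
    max_age_s: int = 3600       # assumed limit on update age
    max_step_bps: float = 200   # assumed cap on change vs. last accepted price
    max_ref_bps: float = 100    # assumed cap on distance from the reference
    last_good: "PriceUpdate | None" = None
    paused: bool = False

    def violations(self, upd, reference, now):
        """Reasons to reject upd; an empty list means every check passed."""
        if upd.price <= 0 or reference <= 0:
            return ["non-positive price"]
        last = upd.price if self.last_good is None else self.last_good.price
        checks = [
            ("stale", now - upd.timestamp > self.max_age_s),
            ("step too large", deviation_bps(upd.price, last) > self.max_step_bps),
            ("off reference", deviation_bps(upd.price, reference) > self.max_ref_bps),
        ]
        return [name for name, failed in checks if failed]

    def submit(self, upd, reference, now):
        reasons = ["paused"] if self.paused else self.violations(upd, reference, now)
        self.paused = bool(reasons)   # fail closed; resuming is manual, not shown
        if not reasons:
            self.last_good = upd
        return not reasons, reasons

# Constructed samples (update, reference price, current time); not incident values.
T0 = 1_700_000_000
SAMPLE = [
    (PriceUpdate("rsETH/ETH", 1.0400, T0), 1.0405, T0 + 30),
    (PriceUpdate("rsETH/ETH", 1.0410, T0 + 600), 1.0408, T0 + 630),
    (PriceUpdate("rsETH/ETH", 1.6500, T0 + 1200), 1.0409, T0 + 1230),  # bad update
    (PriceUpdate("rsETH/ETH", 1.0411, T0 + 1800), 1.0410, T0 + 1830),  # while paused
]

def replay(samples, guard):
    return [guard.submit(u, ref, now) for u, ref, now in samples]
```

Calling `replay(SAMPLE, FeedGuard())` accepts the first two updates, rejects the third on both the step and reference checks, and refuses the fourth because the guard is already paused.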
