TLDR
- An attacker spent about $1,800 to buy roughly 40 million MFAM and push a Moonwell proposal.
- The proposal could transfer control of seven lending markets, the comptroller, and the oracle.
- Onchain observers said about $1.08 million in user funds could be exposed if the proposal executes.
- The token buy, proposal filing, and quorum vote reportedly took about 11 minutes on Moonriver.
- Token holders or Moonwell’s “Break Glass Guardian” can still block the proposal before execution.
DeFi lender Moonwell is facing a governance attack on its Moonriver deployment after a low-cost vote push threatened user funds. The incident centers on governance, which controls protocol changes through token voting. The case has drawn attention because the reported entry cost was small and the target pool was large.
Onchain observers said an attacker spent about $1,800 on MFAM and put roughly $1.08 million at risk. The proposal would hand over admin control of key contracts. That could allow funds to be drained if it executes. The vote remains open until March 27, and final tallies will decide whether the proposal reaches execution.
Attack moved from token buy to quorum in 11 minutes
The reported sequence moved fast. The attacker bought tokens, created a proposal, and pushed it past quorum in about 11 minutes. The speed left little time for a normal response at the start of voting.
Moonwell operates on Moonbeam and Moonriver within the Polkadot ecosystem. It lets users deposit assets, earn yield, and borrow against collateral.
Observers said the plan targets seven lending markets, the comptroller, and the oracle. Those systems help run Moonwell’s lending activity on Moonriver. The proposal is active on Moonwell’s Moonriver deployment.
The active proposal would move authority away from existing controls. If executed, control would move to a contract linked to the attacker. That contract could enable a full fund withdrawal.
Thin liquidity opened a path to voting control
The attack relied on thin liquidity and concentrated voting power. That let a small purchase control a large share of governance. Moonwell uses MFAM as the voting token on Moonriver, and low participation can make proposals easier to sway and such setups easier to exploit.
The case shows how uneven token distribution can shape governance results.
The attacker reportedly bought about 40 million MFAM tokens. Early tallies reached quorum quickly, but later voting turned the majority against the measure. A later swing in voting has reduced the attacker’s lead.
The vote remains open until March 27, so the final result still depends on late participation. Governance rules also leave room for undeclared voting power to matter. Final tallies, and any silent holders, could still decide the outcome.
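The pattern reported above (voting tokens bought minutes before quorum, a proposal that hands over admin rights, and a purchase cost far below the funds at stake) can be checked by a governance monitor. The following is an added example, not Moonwell's code: the event schema, action labels, thresholds, quorum value and address are assumptions, and the timeline is constructed from the article's figures.

```python
# Added example: triage rules for the pattern described in this article.
# The event schema and action/target labels are assumptions (a hypothetical
# indexer), not Moonwell's contracts or API.
CRITICAL = {"lending_market", "comptroller", "oracle"}  # targets the article names

def assess(events, quorum, cost_usd, at_risk_usd, window_s=3600, min_ratio=0.10):
    """Return findings for one proposal from its time-ordered events."""
    first_buy = {}                      # address -> ts of first purchase seen
    votes_for, prop, quorum_ts = 0, None, None
    for e in events:
        if e["type"] == "buy":
            first_buy.setdefault(e["addr"], e["ts"])
        elif e["type"] == "propose":
            prop = e
        elif e["type"] == "vote" and e["support"]:
            votes_for += e["weight"]    # assumption: quorum counts "for" weight
            if quorum_ts is None and votes_for >= quorum:
                quorum_ts = e["ts"]
    if prop is None:
        return []
    findings = []
    # Rule 1: the proposal hands admin rights over critical contracts.
    hits = sorted({t for a, t in prop["actions"]
                   if a == "transfer_admin" and t in CRITICAL})
    if hits:
        findings.append("admin handover: " + ", ".join(hits))
    # Rule 2: proposer's tokens were bought shortly before quorum was reached.
    bought = first_buy.get(prop["addr"])
    if bought is not None and quorum_ts is not None and quorum_ts - bought <= window_s:
        findings.append(f"buy-to-quorum in {(quorum_ts - bought) // 60} min")
    # Rule 3: voting power cost a small fraction of the funds it would control.
    if at_risk_usd > 0 and cost_usd / at_risk_usd < min_ratio:
        findings.append(f"cost is {cost_usd / at_risk_usd:.2%} of value at risk")
    return findings

# Constructed timeline using the article's figures; timestamps, address and
# quorum are made up for the example.
SAMPLE = [
    {"ts": 0, "type": "buy", "addr": "0xPROPOSER", "amount": 40_000_000},
    {"ts": 300, "type": "propose", "addr": "0xPROPOSER",
     "actions": [("transfer_admin", "lending_market")] * 7
                + [("transfer_admin", "comptroller"), ("transfer_admin", "oracle")]},
    {"ts": 660, "type": "vote", "addr": "0xPROPOSER", "support": True,
     "weight": 40_000_000},
]

if __name__ == "__main__":
    for f in assess(SAMPLE, quorum=30_000_000, cost_usd=1_800, at_risk_usd=1_080_000):
        print("ALERT:", f)
```

A proposal that trips all three rules is the kind an emergency multisig would want to see early, while the voting period still leaves time to respond.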
Moonwell still has two ways to stop execution
Token holders can still outvote the proposal before the deadline. An emergency multisig can also step in and block execution. Moonwell refers to that backstop as the “Break Glass Guardian” in its response options.
Both options have to take effect before the proposal is executed, and both routes remain open until execution begins.
The attack comes after Moonwell reported $1.8 million in bad debt earlier this year. That loss was tied to a faulty cbETH oracle setting in February. Similar governance attacks have hit DeFi before, including Beanstalk in 2022 and disputes at Compound and Swerve.
Beanstalk lost more than $180 million in a flash loan governance attack in 2022. That earlier loss and the current vote have put Moonwell under added scrutiny.





