Attacker Spends $1,808 to Table Moonwell Governance Proposal Seeking Full Control

An attacker spent just 11 minutes and $1,808 to submit a governance proposal that, if approved, would effectively hand over the entire Moonwell protocol.

Moonwell is a multichain lending protocol serving the Moonbeam and Moonriver ecosystems, with about $85 million in total value locked, according to DefiLlama. Moonbeam is a Polkadot parachain, while Moonriver is the corresponding network on Kusama, Polkadot's developer network.

Blockchain intelligence firm Blockful said the proposal would grant the exploiter control over critical parts of the protocol, including its seven markets and the core smart contract, and could enable the theft of more than $1 million in user funds.

Voting closes Friday. Holders of Moonwell's governance token, MFAM, can still vote to defeat the proposal. As of Thursday, onchain voting data shows 68% of votes cast are against it.

Blockful cautioned that the attacker may control additional, unidentified MFAM-holding wallets that could be deployed later. Blockful urged Moonwell's multisig signers to use a defensive measure known as the "Break Glass Guardian" to move admin authority away from the attacker, citing forum posts.

"Since the attacker can still have hidden wallets, ready to vote in the last block in case of opposition, we recommend the core team use the Guardian to guarantee user funds are safe," the firm wrote Thursday.

The episode adds to a growing list of governance flashpoints in DeFi. In 2024, a group of Compound Finance investors led by the pseudonymous user Humpy amassed enough governance tokens to advance a proposal that would have moved about $24 million from the protocol's treasury into a private vault. Humpy later reached a truce and returned the tokens.

More recently, a dispute inside the Aave community highlighted questions around what a DAO actually controls after it emerged in December that fees from an integration with the decentralised exchange CoW Swap were being routed directly to Aave Labs without DAO approval.

Moonwell's case underscores another vulnerability: governance influence acquired with low-cost tokens. Blockful's analysis says the attacker bought 40 million MFAM to submit the proposal and then voted it past quorum. With MFAM priced at $0.000025 before the purchase, the attacker spent roughly $1,800 to submit "MIPR39: Protocol Recovery Admin Migration" on Tuesday.

The tokens were acquired via a smart contract. Blockful said the purchasing contract also included malicious code designed to automate the steps required to drain protocol liquidity.

"This proposal is clearly an attack," the firm wrote Wednesday. "The proposal contract that will get ownership of the markets in case this proposal gets executed already includes the transactions necessary to exploit them."

Neither Blockful nor Moonwell immediately responded to requests for comment.

Liam Kelly is DL News' Berlin-based DeFi correspondent. Tips: liam@dlnews.com.
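The figures Blockful cites (40 million MFAM at $0.000025, 68% of votes against, and hidden wallets that could vote in the last block) lend themselves to a simple defender-side monitoring check. The Python below is an added example, not Blockful's or Moonwell's code; the quorum, the vote tally, the price-impact field, the $10,000 alert threshold and the admin function names are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed example: estimates how cheaply a governance proposal can be
# submitted, pushed past quorum, or flipped in the last block, and flags
# proposals that call admin-migration functions. Not Moonwell's or
# Blockful's code; quorum, thresholds and function names are assumptions.

@dataclass
class Market:
    token_price_usd: float      # spot price of the governance token
    price_impact: float = 0.0   # assumed fractional slippage when buying in size

@dataclass
class Tally:
    votes_for: float
    votes_against: float
    quorum: float               # assumed minimum 'for' votes needed to pass

# Assumed names of admin-migration functions a proposal should never touch quietly.
ADMIN_FUNCTIONS = {"setPendingAdmin", "transferOwnership", "setGuardian"}

def usd_cost(tokens: float, market: Market) -> float:
    """Dollar cost of acquiring `tokens` at spot plus the assumed price impact."""
    return tokens * market.token_price_usd * (1.0 + market.price_impact)

def tokens_to_flip(tally: Tally) -> float:
    """Tokens that hidden wallets would still need to vote 'for' in the last
    block to both reach quorum and overturn the current majority."""
    need_majority = max(0.0, tally.votes_against - tally.votes_for + 1.0)
    need_quorum = max(0.0, tally.quorum - tally.votes_for)
    return max(need_majority, need_quorum)

def assess(targets, proposal_threshold: float, tally: Tally, market: Market,
           alert_usd: float = 10_000.0) -> list[str]:
    """Return risk flags: aimed at admin functions, cheap to submit, cheap to flip."""
    flags = []
    if set(targets) & ADMIN_FUNCTIONS:
        flags.append("targets-admin-functions")
    if usd_cost(proposal_threshold, market) < alert_usd:
        flags.append("cheap-to-propose")
    if usd_cost(tokens_to_flip(tally), market) < alert_usd:
        flags.append("cheap-to-flip-at-last-block")
    return flags

if __name__ == "__main__":
    # 40M MFAM at $0.000025 are the article's figures; the tally (roughly 68%
    # against) and the quorum are constructed for illustration.
    market = Market(token_price_usd=0.000025)
    tally = Tally(votes_for=40_000_000, votes_against=85_000_000, quorum=30_000_000)
    print(assess(["setPendingAdmin"], 40_000_000, tally, market))
```

At spot price the 40 million tokens cost about $1,000 and flipping the constructed tally about $1,125, which is why a purely token-weighted quorum gives the Guardian, not the vote, the last word here.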