Skip to content
Est. MMXXVIVol. VI · № 273RSS
Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 263Oracle Manipulation

Moonwell Oracle Decimals Mismatch

~$1.78M drained from Moonwell on Base after a newly listed market used a price feed with a decimals mismatch, mis-valuing collateral so attackers borrowed out.

Date
Victim
Moonwell
Chain(s)
Base
Status
Partially Recovered

In February 2026, the Base lending protocol Moonwell lost approximately $1.78 million when a newly-listed market's price feed had a decimals mismatch, mis-valuing the collateral and letting an attacker borrow out the market against an inflated valuation.

What happened

A new Moonwell market used an oracle whose decimal scaling did not match the protocol's assumption (the Vee Finance / Aevo decimals-mismatch class). The mis-scaled price over-valued collateral; the attacker borrowed the market dry.

Aftermath

  • Market paused; partial recovery; Moonwell core unaffected.

Why it matters

Moonwell is a 2026 restatement of the decimals-mismatch on new-market listing failure. It pairs with the catalogue's other recurring new-listing hazards (donation attacks, manipulable oracles) under one meta-lesson: listing a new collateral asset is one of the highest-risk operations a lending protocol performs, because it introduces a fresh price-feed integration that bypasses all the scrutiny the existing markets accumulated. The defensive answer is process, not code: a hardened, checklist-enforced, independently-reviewed listing pipeline — exactly what Ionic Money lacked when it listed a fake LBTC.

Sources & on-chain evidence

  1. [01]halborn.comhttps://www.halborn.com/blog/post/explained-the-moonwell-incident-february-2026
  2. [02]rekt.newshttps://rekt.news/moonwell-rekt

Related filings