An attacker spent about $1,800 on MFAM to push a malicious Moonwell proposal that could seize control of seven markets and $1.08m in assets, testing its veto and governance defenses.
Summary
- An unknown attacker spent just $1,800 to acquire 40 million MFAM tokens and push a malicious governance proposal through quorum in roughly 11 minutes on Moonwell’s Moonriver deployment.
- The proposal, if executed, would transfer admin control of seven lending markets, the comptroller, and the oracle to an attacker-controlled contract, exposing approximately $1.08 million in user funds.
- Moonwell retains an emergency veto mechanism — the “Break Glass Guardian” multisig — and a majority of subsequent votes have opposed the proposal ahead of the March 27 deadline.
An unknown attacker on March 26 spent approximately $1,800 to acquire around 40 million MFAM tokens and ram through a malicious governance proposal on Moonwell’s Moonriver deployment — completing the entire sequence in roughly 11 minutes and placing approximately $1.08 million in user funds at risk.
As reported by The Block, the attacker’s proposal, listed as MIP-R39, seeks to transfer administrative rights over seven lending markets, the comptroller contract, and the price oracle to a contract under the attacker’s control. Gaining that access would effectively allow the attacker to drain the protocol’s pools at will. Moonwell is a DeFi lending protocol operating on Moonbeam and Moonriver, two parachains within the Polkadot ecosystem, where users deposit assets to earn yield or borrow against collateral.
The exploit targets a structural weakness endemic to token-based governance: when a protocol’s governance token trades at depressed prices and voter participation is thin, a bad actor can acquire enough voting weight to pass proposals with relatively little capital. That dynamic is precisely what made the attack possible — $1,800 worth of MFAM was enough to hit quorum and lock in a favorable vote before meaningful opposition could mobilize.
Two fail-safes remain in play
Voting on the proposal remains open until March 27. While it reached quorum quickly, the majority of cast votes are now opposed. The final result still hinges on any remaining undeclared voting power. Separately, Moonwell maintains an emergency multisig mechanism known as the “Break Glass Guardian,” which can override the governance process and revoke the attacker’s access before execution regardless of the vote outcome.
The incident is the second major security failure to hit Moonwell in a matter of weeks. In February, the protocol suffered a previous exploit when a faulty oracle — reportedly co-authored using the AI model Claude Opus 4.6 — mispriced Coinbase Wrapped ETH (cbETH) at near $1 instead of its actual market value of roughly $2,200, generating approximately $1.78 million in bad debt.
A recurring vulnerability across DeFi
Governance attacks are not new to decentralized finance, but they continue to expose the tension between open participation and protocol security. The 2022 Beanstalk flash loan attack remains the most dramatic example of the vector, with an attacker draining over $180 million by using a flash loan to temporarily accumulate sufficient voting power to pass a fraudulent proposal in a single transaction. Compound Finance and the now-defunct Swerve Finance have also faced similar contested governance episodes driven by concentrated token accumulation.
What distinguishes the Moonwell case is the raw cost efficiency. There were no flash loans required — just a modest open-market purchase on a low-liquidity token, and a governance system that lacked the circuit breakers to slow down a hostile proposal.
The Moonwell community and team are now racing against the March 27 vote deadline. The outcome will test whether the Break Glass Guardian mechanism and organic voter opposition can neutralize the threat before the proposal reaches execution.
