{"id":18706,"date":"2026-03-27T01:03:09","date_gmt":"2026-03-27T01:03:09","guid":{"rendered":"https:\/\/cryptoted.net\/index.php\/2026\/03\/27\/moonwell-hit-by-governance-attack-1-08m-at-risk-for-1800-spend\/"},"modified":"2026-03-27T01:03:09","modified_gmt":"2026-03-27T01:03:09","slug":"moonwell-hit-by-governance-attack-1-08m-at-risk-for-1800-spend","status":"publish","type":"post","link":"https:\/\/cryptoted.net\/index.php\/2026\/03\/27\/moonwell-hit-by-governance-attack-1-08m-at-risk-for-1800-spend\/","title":{"rendered":"Moonwell hit by governance attack \u2014 $1.08M at risk for $1,800 spend"},"content":{"rendered":"<p> <br \/>\n<br \/><img decoding=\"async\" src=\"https:\/\/media.crypto.news\/2025\/08\/crypto-news-parthership-TradFi-DeFi-option013.webp\" \/><\/p>\n<div>\n<p class=\"is-style-lead\">An attacker spent about $1,800 on MFAM to push a malicious Moonwell proposal that could seize control of seven markets and $1.08m in assets, testing its veto and governance defenses.<a href=\"https:\/\/crypto.news\/wp\/wp-admin\/post-new.php\" target=\"_blank\"\/><\/p>\n<div id=\"cn-block-summary-block_60a56a6b02693be1e7a9495249576baa\" class=\"cn-block-summary\">\n<p>\n        <span class=\"tabs__item is-selected\">Summary<\/span>\n    <\/p>\n<div class=\"cn-block-summary__content\">\n<ul class=\"wp-block-list\">\n<li>An unknown attacker spent just $1,800 to acquire 40 million MFAM tokens and push a malicious governance proposal through quorum in roughly 11 minutes on Moonwell\u2019s Moonriver deployment.<\/li>\n<li>The proposal, if executed, would transfer admin control of seven lending markets, the comptroller, and the oracle to an attacker-controlled contract, exposing approximately $1.08 million in user funds.<\/li>\n<li>Moonwell retains an emergency veto mechanism \u2014 the \u201cBreak Glass Guardian\u201d multisig \u2014 and a majority of subsequent votes have opposed the proposal ahead of the March 27 deadline.<\/li>\n<\/ul><\/div>\n<\/div>\n<p><!-- 
.cn-block-summary --><\/p>\n<p>An unknown attacker on March 26 spent approximately $1,800 to acquire around 40 million\u00a0<a target=\"_blank\" href=\"https:\/\/crypto.news\/market-cap\/mfam\/\">MFAM<\/a>\u00a0tokens and ram through a malicious governance proposal on Moonwell\u2019s Moonriver deployment \u2014 completing the entire sequence in roughly 11 minutes and placing approximately $1.08 million in user funds at risk.<\/p>\n<p>As reported by\u00a0<a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.theblock.co\/post\/395272\/moonwell-governance-attack\">The Block<\/a>, the attacker\u2019s proposal, listed as MIP-R39, seeks to transfer administrative rights over seven lending markets, the comptroller contract, and the price oracle to a contract under the attacker\u2019s control. Gaining that access would effectively allow the attacker to drain the protocol\u2019s pools at will. Moonwell is a DeFi lending protocol operating on Moonbeam and Moonriver, two parachains within the Polkadot ecosystem, where users deposit assets to earn yield or borrow against collateral.<\/p>\n<p>The exploit targets a structural weakness endemic to token-based governance: when a protocol\u2019s governance token trades at depressed prices and voter participation is thin, a bad actor can acquire enough voting weight to pass proposals with relatively little capital. That dynamic is precisely what made the attack possible \u2014 $1,800 worth of\u00a0<a target=\"_blank\" href=\"https:\/\/crypto.news\/market-cap\/mfam\/\">MFAM<\/a>\u00a0was enough to hit quorum and lock in a favorable vote before meaningful opposition could mobilize.<\/p>\n<h2 class=\"wp-block-heading\">Two fail-safes remain in play<\/h2>\n<p>Voting on the proposal remains open until March 27. While it reached quorum quickly, the majority of cast votes are now opposed. The final result still hinges on any remaining undeclared voting power. 
Separately, Moonwell maintains an emergency multisig mechanism known as the \u201cBreak Glass Guardian,\u201d which can override the governance process and revoke the attacker\u2019s access before execution regardless of the vote outcome.<\/p>\n<p>The incident is the second major security failure to hit Moonwell in a matter of weeks. In February, the protocol suffered an earlier\u00a0<a target=\"_blank\" href=\"https:\/\/crypto.news\/moonwells-ai-coded-oracle-glitch-misprices-cbeth-at-1-drains-1-78m\/\">exploit<\/a>\u00a0when a faulty oracle \u2014 reportedly co-authored using the AI model Claude Opus 4.6 \u2014 mispriced Coinbase Wrapped ETH (cbETH) at near $1 instead of its actual market value of roughly $2,200, generating approximately $1.78 million in bad debt.<\/p>\n<h2 class=\"wp-block-heading\">A recurring vulnerability across DeFi<\/h2>\n<p>Governance attacks are not new to decentralized finance, but they continue to expose the tension between open participation and protocol security. The 2022\u00a0<a target=\"_blank\" href=\"https:\/\/crypto.news\/beanstalk-flash-loan-attack-about-180m-vanish\/\">Beanstalk<\/a>\u00a0flash loan attack remains the most dramatic example of the vector, with an attacker draining over $180 million by using a flash loan to temporarily accumulate sufficient voting power to pass a fraudulent proposal in a single transaction. Compound Finance and the now-defunct Swerve Finance have also faced similar contested governance episodes driven by concentrated token accumulation.<\/p>\n<p>What distinguishes the Moonwell case is the raw cost efficiency. There were no flash loans required \u2014 just a modest open-market purchase on a low-liquidity token, and a governance system that lacked the circuit breakers to slow down a hostile proposal.<\/p>\n<p>The Moonwell community and team are now racing against the March 27 vote deadline. 
The outcome will test whether the Break Glass Guardian mechanism and organic voter opposition can neutralize the threat before the proposal reaches execution.<\/p><\/div>\n<p><a href=\"https:\/\/crypto.news\/moonwell-hit-by-governance-attack-1-08m-at-risk-for-1800-spend\/\">Source link<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>An attacker spent about $1,800 on MFAM to push a malicious Moonwell proposal that could seize control of seven markets and $1.08m in assets, testing its veto and governance defenses. Summary An unknown attacker spent just $1,800 to acquire 40 million MFAM tokens and push a malicious governance proposal through quorum in roughly 11 minutes [&hellip;]<\/p>\n","protected":false},"author":5,"featured_media":18707,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"tdm_status":"","tdm_grid_status":"","footnotes":""},"categories":[23],"tags":[],"kronos_expire_date":[],"class_list":["post-18706","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-crypto"],"_links":{"self":[{"href":"https:\/\/cryptoted.net\/index.php\/wp-json\/wp\/v2\/posts\/18706","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cryptoted.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cryptoted.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cryptoted.net\/index.php\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/cryptoted.net\/index.php\/wp-json\/wp\/v2\/comments?post=18706"}],"version-history":[{"count":0,"href":"https:\/\/cryptoted.net\/index.php\/wp-json\/wp\/v2\/posts\/18706\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cryptoted.net\/index.php\/wp-json\/wp\/v2\/media\/18707"}],"wp:attachment":[{"href":"https:\/\/cryptoted.net\/index.php\/wp-json\/wp\/v2\/media?parent=18
706"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cryptoted.net\/index.php\/wp-json\/wp\/v2\/categories?post=18706"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cryptoted.net\/index.php\/wp-json\/wp\/v2\/tags?post=18706"},{"taxonomy":"kronos_expire_date","embeddable":true,"href":"https:\/\/cryptoted.net\/index.php\/wp-json\/wp\/v2\/kronos_expire_date?post=18706"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}