1/ On November 4th at 05:45:11 AM UTC, the Moonwell protocol was exploited via a Chainlink oracle malfunction that reported secondary market prices, leading to a $1 million loss.

2/ The Chainlink wrsETH oracle should have reported 1.057; however, it reported 1.7m, a discrepancy of 7 orders of magnitude, enabling the attack.

3/ While we cannot confirm the Chainlink pricing methodology, because of the time proximity to the exploit, it looks like they were dependent on pools with depleted liquidity, post the Balancer exploit.

4/ Interesting to observe: 1) more nodes ≠ more security 2) quality of node operators matters. The screenshot below shows that in this price round, the jury was split; some reported inflated values, while the minority reported the correct price.

5/ Chainlink’s oracle mispriced wrsETH at $5.8B This was 1.7m times the real rate. Clearly missing key guardrails, such as CAPO limiters or liquidity requirements on data sources. A reminder: price feeds are risk systems.

6/ Price Oracle vs. Risk Oracle is a false dichotomy. You can’t segregate price from risk. Asset classes are exploding: - wrapped assets - RWAs - derivatives - etc. As the sophistication of assets grows, “median of unvetted feeds” doesn’t cut it anymore.

7/ What should be the approach for pricing asset-backed collateral? For wrapped assets, pricing usually follows the primary exchange rate. However, Moonwell assumed the use of the Chainlink market oracle, a non-standard choice for a looping asset like wETH.

8/ Using a secondary market rate for a looping collateral is irregular - but it wasn’t the direct cause of the exploit. The real problem is structural.

9/ This exploit highlights the missing link between Oracle design and risk intelligence. Every data feed integrated into a market should undergo the same scrutiny as any collateral: it should be tested, monitored, and bounded by enforceable limits. Oracles are risk systems.

10/ For anyone interested in possible mitigations In this case, there are a few, from the selection of the feed to the implementation of it. @aave has implemented the CAPO framework, which serves as an upper limit for exchange rate oracles to prevent manipulation.