$320 000 USD

DECEMBER 2024

GLOBAL

MOONHACKER

DESCRIPTION OF EVENTS

Moonwell is a decentralized lending platform that enables users to lend or borrow digital assets without monthly payments or additional fees, allowing for flexible repayment schedules. It prioritizes security by conducting thorough audits through Halborn Security and offering a bug bounty program with rewards up to $250,000. The platform operates across multiple networks, including Base, Moonbeam, and Optimism, with a variety of available markets such as USDC, Ethereum, and Staked Ethereum, offering competitive annual percentage yields (APY). Moonwell also emphasizes community governance, empowering members to make decisions and adapt to changing market conditions. The platform currently has a total market size of nearly $791 million, with a significant portion supplied by its users.

The attack targeted the MoonHacker vault contracts interacting with the Moonwell DeFi protocol on the Optimism network, exploiting improper input validation in the executeOperation function. This vulnerability allowed the attacker to pass a malicious contract as the mToken address, gaining unauthorized token approvals and manipulating the contract logic. The attacker deployed two contracts, exploited the vulnerability, and withdrew the stolen funds. To mitigate such risks in the future, the source analysis recommends implementing proper input validation, access control, and function modifiers. The incident highlights the importance of comprehensive audits and validation checks in smart contract security to protect user funds in the DeFi ecosystem.
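The following Solidity sketch is an added illustration, not MoonHacker's or Moonwell's source code. It contrasts the failure mode described above (a flash-loan callback that takes an mToken address from calldata and approves vault tokens to it, with no caller restriction) with the three mitigations the analysis recommends: input validation against a whitelist, access control on who may invoke the callback, and function modifiers enforcing both. The contract names, the `allowedMToken` whitelist, the `IMToken` interface and the use of an Aave-V3-style `executeOperation(asset, amount, premium, initiator, params)` receiver signature are all assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration only; not the MoonHacker or Moonwell code. The interface
// shapes, contract names and the whitelist are assumptions chosen to show the
// pattern in the write-up: a callback that trusts an mToken address from calldata.

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

interface IMToken {
    function underlying() external view returns (address);
    function repayBorrow(uint256 amount) external returns (uint256);
}

/// Vulnerable shape: anyone may call the callback, and the mToken address is
/// decoded straight from calldata, so a caller can name an arbitrary contract
/// (or their own wallet) and receive an approval over the vault's tokens.
contract VaultVulnerable {
    function executeOperation(
        address asset,
        uint256 amount,
        uint256 premium,
        address, /* initiator: ignored, which is part of the problem */
        bytes calldata params
    ) external returns (bool) {
        address mToken = abi.decode(params, (address));   // unvalidated input
        IERC20(asset).approve(mToken, amount);            // approval to an untrusted address
        IMToken(mToken).repayBorrow(amount);
        IERC20(asset).approve(msg.sender, amount + premium); // repay the flash loan
        return true;
    }
}

/// Hardened shape: only the lending pool that issued the loan may call back,
/// the loan must have been initiated by this vault, the mToken must be on an
/// owner-curated whitelist, and its underlying must match the loaned asset.
contract VaultHardened {
    address public immutable owner;
    address public immutable lendingPool;          // assumed: the only legitimate caller
    mapping(address => bool) public allowedMToken; // assumed: owner-curated whitelist

    error NotOwner();
    error NotLendingPool();
    error NotInitiator();
    error UnknownMToken(address mToken);
    error AssetMismatch(address asset, address expected);

    constructor(address _lendingPool) {
        owner = msg.sender;
        lendingPool = _lendingPool;
    }

    // Function modifiers carry the access-control checks so every entry point
    // that needs them gets the same rule.
    modifier onlyOwner() { if (msg.sender != owner) revert NotOwner(); _; }
    modifier onlyLendingPool() { if (msg.sender != lendingPool) revert NotLendingPool(); _; }

    function setAllowedMToken(address mToken, bool allowed) external onlyOwner {
        allowedMToken[mToken] = allowed;
    }

    function executeOperation(
        address asset,
        uint256 amount,
        uint256 premium,
        address initiator,
        bytes calldata params
    ) external onlyLendingPool returns (bool) {
        if (initiator != address(this)) revert NotInitiator();

        // Input validation: the market must be one the owner vetted in advance,
        // and its underlying asset must be the asset that was actually loaned.
        address mToken = abi.decode(params, (address));
        if (!allowedMToken[mToken]) revert UnknownMToken(mToken);
        address expected = IMToken(mToken).underlying();
        if (asset != expected) revert AssetMismatch(asset, expected);

        // Approve only what this call spends, only to the vetted market,
        // and clear any leftover allowance afterwards.
        IERC20(asset).approve(mToken, amount);
        IMToken(mToken).repayBorrow(amount);
        IERC20(asset).approve(mToken, 0);

        IERC20(asset).approve(lendingPool, amount + premium);
        return true;
    }
}
```

The important design point is that the whitelist is populated by the owner outside the flash-loan path: an attacker who can choose `params` can no longer choose where the approval goes, and the `onlyLendingPool` plus `initiator` checks mean the callback cannot be entered by a third party at all.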

"First, the attacker took out a flash loan of USDC on Aave, because they needed more USDC to call repayBorrow and redeem (withdraw) many times to drain the vault."

"Next, they called the vulnerable executeOperation function on the Moonhacker vault, but instead of specifying the mUSDC contract, they specified their own wallet as the approval address.

This allowed them to steal all the mUSDC collateral tokens held by the vault."

"Then they simply called repayBorrow and redeem (withdraw) multiple times to withdraw all of the underlying USDC that was previously held by the Moonhacker vault.

Finally, they repaid the flash loan to Aave and took all the USDC profit they had stolen from Moonhacker."

"Compound fork lending project – Moonwell was hacked because of an improper input check.

There are several Moonhacker contracts that can be used for smart supply and borrow. In the “executeOperation” function, input data is not checked, so the hacker was able to input his own contract as the mToken contract, as there is no check.

If he provides his contract as mToken, the Moonhacker contract approves his tokens to that contract.

Then, he could move all tokens to his contract. Total loss is about $320k."

"As a precautionary measure, I withdrew my funds in the @MoonwellDeFi Flagship USDC vault curated by Morpho until an official report is out. If you have funds in the pool on Optimism, withdraw them as soon as possible."

Luke Youngblood (@LukeYoungblood) offered help to whoever operates the affected vault: "If the team or individual behind Moonhacker would like to reach out and get help from Moonwell contributors or teams like Seal 911 who can potentially try to help them recover the USDC stolen from their vault, please DM me on Telegram". It is unclear whether any effort was made to track or recover the funds.

Explore This Case Further On Our Wiki

Moonwell is a decentralized lending platform that allows users to lend or borrow digital assets with flexible repayment schedules and no additional fees. It prioritizes security through audits by Halborn Security and a bug bounty program with rewards up to $250,000. The platform operates across multiple networks like Base, Moonbeam, and Optimism, offering markets for USDC, Ethereum, and Staked Ethereum with competitive APY. Moonwell emphasizes community governance and has a total market size of nearly $791 million. A recent exploit targeted the MoonHacker vault, interacting with Moonwell, where a vulnerability in the executeOperation function allowed an attacker to manipulate token approvals and steal $320,000 USDC. The creator of the MoonHacker vault does not appear to have responded to the situation.

Sources And Further Reading

OP Mainnet Transaction Hash (Txhash) Details | OP Mainnet Etherscan  (Jan 30)
OP Mainnet Transaction Hash (Txhash) Details | OP Mainnet Etherscan  (Jan 30)
0xNickLFranklin - "There're several Moonhacker contracts that can be used for smart supply and borrow. In "executeOperation" function, input data is not checked, hacker was able to input his own contract" - Twitter (Jan 30)
Moonwell hacked. – Defi hack analysis (Jan 30)
@CyversAlerts Twitter (Jan 30)
@LukeYoungblood Twitter (Jan 30)
MoonHacker | Address 0xd9b45e2c389b6ad55dd3631abc1de6f2d2229847 | OP Mainnet Etherscan  (Jan 30)
OP Mainnet Transaction Hash (Txhash) Details | OP Mainnet Etherscan  (Jan 30)
https://www.binance.com/en/square/post/12-24-2024-moonhacker-contract-suffers-flash-loan-attack-incurring-320-000-loss-17975611563473 (Jan 30)
Moonhacker contract suffered a flash loan attack, resulting in a loss of approximately $320,000 - ChainCatcher (Jan 30)
Moonhacker contract was attacked by flash loan, losing about $320,000 - PANews (Jan 30)
"The stolen funds on MoonHacker only trace to several 'SmartSupply()' call days ago while the Moonwell lending pools are not affected. The "MoonHacker" deployers have no known connection to Moonwell." (Jan 30)
DeFiHackLabs/src/test/2024-12/Moonhacker_exp.sol at main · SunWeb3Sec/DeFiHackLabs · GitHub (Jan 30)
Debaub - "The attacker abused an Unchecked FlashLoan Callback & an Unrestricted Approve Proxy." - Twitter (Jan 30)
Original CertiK Post (Jan 30)
MoonHacker Vault Hack Analysis - Verichains (Jan 30)
MoonHacker Vault Hack Analysis - Shashank (Jan 30)
SJ_cryptosight - "As a precautionary measure, I withdrew my funds in the @MoonwellDeFi Flagship USDC vault curated by Morpho until an official report is out. If you have funds in the pool on Optimium, withdraw them as soon as possible." - Twitter (Jan 30)
Lukeyoungblood - "If the team or individual behind Moonhacker would like to reach out and get help from Moonwell contributors or teams like Seal 911 who can potentially try to help them recover the USDC stolen from their vault, please DM me on Tel...itter (Jan 30)
