Moonhacker Moonwell Vault Unprotected ExecuteOperation Call

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 16:11, 30 January 2025 by Azoundria (talk | contribs)

Notice: This page is a freshly imported case study from an original repository. While the original content had a similar format, some sections may not have been fully completed. Please help fill in any empty sections or any missing information you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

Moonwell Logo/Homepage

Moonwell is a decentralized lending platform that allows users to lend or borrow digital assets with flexible repayment schedules and no additional fees. It prioritizes security through audits by Halborn Security and a bug bounty program with rewards of up to $250,000. The platform operates across multiple networks, including Base, Moonbeam, and Optimism, offering markets for USDC, Ethereum, and Staked Ethereum with competitive APY. Moonwell emphasizes community governance and has a total market size of nearly $791 million. On December 23rd, 2024, an exploit targeted the MoonHacker vault, a third-party contract that interacts with Moonwell on Optimism: its executeOperation flash-loan callback could be called by anyone and approved an attacker-supplied address to spend the vault's tokens, which allowed the attacker to drain roughly $320,000 in USDC. The Moonwell protocol itself was not affected. The creator of the MoonHacker vault does not appear to have responded to the situation.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19]

About Moonwell DeFi

Moonwell is a decentralized lending platform that enables users to lend or borrow digital assets without monthly payments or additional fees, allowing for flexible repayment schedules. It prioritizes security by conducting thorough audits through Halborn Security and offering a bug bounty program with rewards up to $250,000. The platform operates across multiple networks, including Base, Moonbeam, and Optimism, with a variety of available markets such as USDC, Ethereum, and Staked Ethereum, offering competitive annual percentage yields (APY). Moonwell also emphasizes community governance, empowering members to make decisions and adapt to changing market conditions. The platform currently has a total market size of nearly $791 million, with a significant portion supplied by its users.

About Moonhacker Vault Contract

The Moonhacker vault contract was created on December 17th, 2024 on the Optimism network. It interacts with the Moonwell DeFi protocol (supplying and borrowing through Moonwell markets) but otherwise has no direct relation to it; its deployers have no known connection to Moonwell.

The Reality

This section is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

"The Moonhacker contract suffered a flash loan attack, resulting in a loss of approximately $320,000."

Key Event Timeline - Moonhacker Moonwell Vault Unprotected ExecuteOperation Call

Date | Event | Description
December 17th, 2024 4:07:47 PM MST | Moonhacker Vault Contract Created | The vulnerable Moonhacker vault contract is deployed on the Optimism blockchain.
December 23rd, 2024 3:34:39 PM MST | Optimism Blockchain Transaction | The exploit transaction is executed on the Optimism blockchain.
December 23rd, 2024 5:08:00 PM MST | CertiK Initial Report Posted | CertiK posts an initial analysis of the exploit on Twitter/X.
December 24th, 2024 12:33:00 AM MST | SJ_cryptosight Withdrawal Notice | SJ_cryptosight publishes that they are withdrawing their funds until there is an official update.
December 24th, 2024 9:02:00 AM MST | LukeYoungBlood Posts Update | LukeYoungBlood (LukeYoungblood.eth) provides a detailed explanation of the MoonHacker vault exploit, clarifying that the attack did not affect the Moonwell protocol. The MoonHacker vault, which was integrated with Moonwell on the Optimism network, suffered from two key weaknesses: no access control on the "executeOperation" flash-loan callback and no validation of the input addresses passed to it. The attacker exploited these flaws by taking a flash loan and calling the function with their own wallet as the approval address instead of the intended mUSDC contract, then draining the vault's USDC. Although some security monitoring services mistakenly linked the exploit to Moonwell, Luke emphasized that the Moonwell protocol was not involved, as the exploit targeted only the vulnerable vault. The incident underscored the importance of code audits in preventing such attacks.
December 24th, 2024 4:38:00 PM MST | Nick L Franklin Posts Analysis | Nick L Franklin posts an update with an analysis of the exploit: "There're several Moonhacker contracts that can be used for smart supply and borrow. In "executeOperation" function, input data is not checked, hacker was able to input his own contract".
December 24th, 2024 7:15:00 PM MST | CertiK Reports Unrelated | CertiK posts a tweet reporting that the exploit has no relation to the Moonwell protocol itself.
December 25th, 2024 11:10:51 PM MST | Shashank Posts Analysis | Shashank posts an analysis of the smart contract exploit.
January 2nd, 2025 8:21:00 AM MST | Debaub Analysis Published | Debaub publishes an analysis of the exploit, describing it as an unchecked flash-loan callback combined with an unrestricted approve proxy.
January 24th, 2025 1:55:53 AM MST | Verichains Exploit Analysis | Verichains publishes an analysis of the exploit online.

Technical Details

The attack targeted the MoonHacker vault contracts that interact with the Moonwell DeFi protocol on the Optimism network. The vault's executeOperation function, the callback a lending pool invokes during a flash loan, was externally callable by anyone and did not validate its inputs. The attacker passed an address they controlled (their own contract or wallet) in place of the expected mToken (mUSDC) address, so the vault approved that address to spend its tokens; the attacker could then transfer out the vault's mUSDC collateral and unwind it into USDC. The attacker deployed two contracts, executed the exploit in a single transaction, and withdrew the stolen funds. The published analyses recommend restricting the callback to the lending pool that initiated the loan, validating that the loan was initiated by the vault itself, and whitelisting the market addresses the vault is allowed to approve. The incident highlights the importance of comprehensive audits and validation checks in smart contract security to protect user funds in the DeFi ecosystem.

"First, the attacker took out a flash loan of USDC on Aave, because they needed more USDC to call repayBorrow and redeem (withdraw) many times to drain the vault."

"Next, they called the vulnerable executeOperation function on the Moonhacker vault, but instead of specifying the mUSDC contract, they specified their own wallet as the approval address.

This allowed them to steal all the mUSDC collateral tokens held by the vault."

"Then they simply called repayBorrow and redeem (withdraw) multiple times to withdraw all of the underlying USDC that was previously held by the Moonhacker vault.

Finally, they repaid the flash loan to Aave and took all the USDC profit they had stolen from Moonhacker."
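The two weaknesses described above (an executeOperation callback that anyone can call, and a spender address taken from untrusted input) in a minimal vulnerable vault next to a hardened one. This is an added illustration, not code from the MoonHacker contract or from Moonwell; the vault's real internals are not on this page. The flashLoanSimple and executeOperation signatures are those of Aave V3's Pool and IFlashLoanSimpleReceiver; every other contract, function and variable name is an assumption made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface used below.
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// Aave V3 Pool entry point for single-asset flash loans (real signature).
interface IPool {
    function flashLoanSimple(
        address receiverAddress, address asset, uint256 amount,
        bytes calldata params, uint16 referralCode
    ) external;
}

// --- Vulnerable shape (hypothetical reconstruction of the pattern on this page) ---
contract VaultVulnerable {
    IPool  public immutable pool;
    IERC20 public immutable usdc;
    IERC20 public immutable mUsdc;   // Moonwell collateral token held by the vault

    constructor(IPool _pool, IERC20 _usdc, IERC20 _mUsdc) {
        pool = _pool; usdc = _usdc; mUsdc = _mUsdc;
    }

    // Intended flow: borrow USDC, then let the mUSDC market pull tokens inside the callback.
    function smartSupply(uint256 amount, address mToken) external {
        pool.flashLoanSimple(address(this), address(usdc), amount, abi.encode(mToken), 0);
    }

    // Flash-loan callback. Two defects:
    //  1. No check on msg.sender or initiator: anyone can call this directly, no loan needed.
    //  2. The spender comes from caller-controlled params and is never validated.
    function executeOperation(
        address /*asset*/, uint256 amount, uint256 premium, address /*initiator*/, bytes calldata params
    ) external returns (bool) {
        address mToken = abi.decode(params, (address));
        mUsdc.approve(mToken, type(uint256).max);       // attacker passes their own address here
        usdc.approve(address(pool), amount + premium);  // repayment pull; irrelevant when called directly
        return true;
    }
}

// --- Hardened shape ---
contract VaultHardened {
    IPool   public immutable pool;
    IERC20  public immutable usdc;
    address public immutable owner;
    mapping(address => bool) public allowedMToken;   // whitelist of Moonwell markets
    bool private inFlashLoan;                        // true only during a loan this vault started

    constructor(IPool _pool, IERC20 _usdc, address mUsdcMarket) {
        pool = _pool; usdc = _usdc; owner = msg.sender;
        allowedMToken[mUsdcMarket] = true;
    }

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    function smartSupply(uint256 amount, address mToken) external onlyOwner {
        require(allowedMToken[mToken], "mToken not whitelisted");
        inFlashLoan = true;
        pool.flashLoanSimple(address(this), address(usdc), amount, abi.encode(mToken), 0);
        inFlashLoan = false;
    }

    function executeOperation(
        address asset, uint256 amount, uint256 premium, address initiator, bytes calldata params
    ) external returns (bool) {
        require(msg.sender == address(pool), "caller is not the pool");    // blocks direct calls
        require(initiator == address(this), "loan not initiated by vault"); // blocks loans started by others
        require(inFlashLoan && asset == address(usdc), "unexpected callback");
        address mToken = abi.decode(params, (address));
        require(allowedMToken[mToken], "mToken not whitelisted");          // closes the approve proxy
        IERC20(asset).approve(mToken, amount);                              // bounded approval, known market only
        // ... supply to / repay the whitelisted market here ...
        IERC20(asset).approve(address(pool), amount + premium);             // let the pool pull repayment
        return true;
    }
}
```

The initiator check matters on its own: Aave's Pool lets any caller name any receiver address in flashLoanSimple, so restricting the callback to msg.sender == pool alone still lets a third party trigger the vault's callback with parameters of their choosing. The whitelist then makes the approval target independent of whatever the caller encoded in params.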


Total Amount Lost

The total amount lost has been estimated at $320,000 USD.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

"Compound fork lending project – Moonwell was hacked because of improper input check.

There’re several Moonhacker contracts that can be used for smart supply and borrow. In “executeOperation” function, input data is not checked, hacker was able to input his own contract as mToken contract as there’s no check.

If he provides his contract as mToken, Moonhacker contract approves his tokens to that contract.

Then, he could move all tokens to his contract. Total loss is about $320k."

"As a precautionary measure, I withdrew my funds in the @MoonwellDeFi Flagship USDC vault curated by Morpho until an official report is out. If you have funds in the pool on Optimism, withdraw them as soon as possible."

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

Lukeyoungblood offered to help whoever is behind the affected vault: "If the team or individual behind Moonhacker would like to reach out and get help from Moonwell contributors or teams like Seal 911 who can potentially try to help them recover the USDC stolen from their vault, please DM me on Telegram". It is unclear whether any effort was undertaken to trace or recover the funds.

There do not appear to have been any funds recovered in this case.

Ongoing Developments

What parts of this case are still remaining to be concluded?

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. OP Mainnet Transaction Hash (Txhash) Details | OP Mainnet Etherscan (Accessed Jan 30, 2025)
  2. OP Mainnet Transaction Hash (Txhash) Details | OP Mainnet Etherscan (Accessed Jan 30, 2025)
  3. 0xNickLFranklin - "There're several Moonhacker contracts that can be used for smart supply and borrow. In "executeOperation" function, input data is not checked, hacker was able to input his own contract" - Twitter (Accessed Jan 30, 2025)
  4. Moonwell hacked. – Defi hack analysis (Accessed Jan 30, 2025)
  5. @CyversAlerts Twitter (Accessed Jan 30, 2025)
  6. @LukeYoungblood Twitter (Accessed Jan 30, 2025)
  7. MoonHacker | Address 0xd9b45e2c389b6ad55dd3631abc1de6f2d2229847 | OP Mainnet Etherscan (Accessed Jan 30, 2025)
  8. OP Mainnet Transaction Hash (Txhash) Details | OP Mainnet Etherscan (Accessed Jan 30, 2025)
  9. https://www.binance.com/en/square/post/12-24-2024-moonhacker-contract-suffers-flash-loan-attack-incurring-320-000-loss-17975611563473 (Accessed Jan 30, 2025)
  10. Moonhacker contract suffered a flash loan attack, resulting in a loss of approximately $320,000 - ChainCatcher (Accessed Jan 30, 2025)
  11. Moonhacker contract was attacked by flash loan, losing about $320,000 - PANews (Accessed Jan 30, 2025)
  12. "The stolen funds on MoonHacker only trace to several 'SmartSupply()' call days ago while the Moonwell lending pools are not affected. The "MoonHacker" deployers have no known connection to Moonwell." (Accessed Jan 30, 2025)
  13. DeFiHackLabs/src/test/2024-12/Moonhacker_exp.sol at main · SunWeb3Sec/DeFiHackLabs · GitHub (Accessed Jan 30, 2025)
  14. Debaub - "The attacker abused an Unchecked FlashLoan Callback & an Unrestricted Approve Proxy." - Twitter (Accessed Jan 30, 2025)
  15. Original CertiK Post (Accessed Jan 30, 2025)
  16. MoonHacker Vault Hack Analysis - Verichains (Accessed Jan 30, 2025)
  17. MoonHacker Vault Hack Analysis - Shashank (Accessed Jan 30, 2025)
  18. SJ_cryptosight - "As a precautionary measure, I withdrew my funds in the @MoonwellDeFi Flagship USDC vault curated by Morpho until an official report is out. If you have funds in the pool on Optimium, withdraw them as soon as possible." - Twitter (Accessed Jan 30, 2025)
  19. Lukeyoungblood - "If the team or individual behind Moonhacker would like to reach out and get help from Moonwell contributors or teams like Seal 911 who can potentially try to help them recover the USDC stolen from their vault, please DM me on Tel...itter (Accessed Jan 30, 2025)