AI-Authored Code at the Center of Moonwell's $1.78M Oracle Exploit on Base
The DeFi lending protocol Moonwell was left with $1.78 million in bad debt after a governance proposal containing an oracle misconfiguration was executed on February 15. The bug came from a single missing multiplication: the deployed oracle used only the cbETH/ETH exchange rate (~1.12) as a dollar price instead of multiplying it by the ETH/USD price (~$2,200). The result was that Moonwell's contracts briefly believed cbETH was worth $1.12.
Liquidation bots didn't need to be asked twice. Within the same block, automated liquidators swept cbETH-backed positions at a 99.9% discount, seizing 1,096.317 cbETH before Moonwell's risk manager could cut the borrow cap. The window was four minutes. The damage was permanent.
What made this incident unusual — and widely shared in security circles — was the commit history. GitHub PR #578, the proposal that introduced the misconfiguration, carries the line: "Co-Authored-By: Claude Opus 4.6." The AI assisted with input validation, try/catch handling, and import cleanup. It did not flag the missing oracle multiplication. Neither did human reviewers. The proposal passed governance with 99.1% approval.
This marks what security researchers at Rekt News are calling the first confirmed major exploit of vibe-coded smart contracts. The broader pattern is unsettling: three oracle-related failures at Moonwell in four months, totaling roughly $7.8 million in accumulated bad debt.
The incident does not indict AI-assisted development outright — Claude caught real bugs in the same PR. But it illustrates a specific failure mode: AI tools confidently fix what's in front of them and don't ask what they're not looking for. When a human signs off on code they don't fully understand, both are responsible for what ships.
A governance vote to fix the oracle configuration is pending the required timelock period.
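The missing multiplication described above, next to a pre-execution deviation check that flags it, as an added Python example that is not Moonwell's code. The function names, the 18-decimal scaling, the reference price and the 10% bound are assumptions; the rate figures are the article's approximations.

```python
# Added example: names, scaling and the reference price are constructed.
WAD = 10**18                      # 18-decimal fixed point (assumed scaling)

RATIO_CBETH_ETH = 112 * 10**16    # ~1.12 cbETH/ETH, figure from the article
ETH_USD = 2200 * WAD              # ~$2,200 ETH/USD, figure from the article
REFERENCE_USD = 2450 * WAD        # constructed: last accepted cbETH/USD price


def composite_usd_price(ratio_wad: int, eth_usd_wad: int) -> int:
    """Intended feed: (token/ETH ratio) * (ETH/USD), rescaled to WAD."""
    return ratio_wad * eth_usd_wad // WAD


def ratio_only_price(ratio_wad: int, eth_usd_wad: int) -> int:
    """The misconfiguration: the ratio is returned as if it were a USD price."""
    return ratio_wad


def check_feed(candidate_wad: int, reference_wad: int, max_dev_bps: int = 1000):
    """Compare a proposed feed's output with an independent reference.

    Returns (ok, deviation_bps). Non-positive prices fail outright, since a
    zero or negative price has no meaningful deviation.
    """
    if candidate_wad <= 0 or reference_wad <= 0:
        return False, None
    dev_bps = abs(candidate_wad - reference_wad) * 10_000 // reference_wad
    return dev_bps <= max_dev_bps, dev_bps


def simulate(price_fn):
    """Run a candidate feed on the sample inputs and gate it on deviation."""
    price = price_fn(RATIO_CBETH_ETH, ETH_USD)
    ok, dev = check_feed(price, REFERENCE_USD)
    return price, ok, dev


if __name__ == "__main__":
    for fn in (composite_usd_price, ratio_only_price):
        price, ok, dev = simulate(fn)
        verdict = "accept" if ok else "REJECT"
        print(f"{fn.__name__}: ${price / WAD:,.2f} dev={dev} bps -> {verdict}")
```

Run against a fork or simulation of the proposal before it executes, a check of this kind fails on the ratio-only feed because its output deviates from the reference by more than 99%.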