DeFi lending protocol Moonwell lost $1.78 million after an oracle pricing error in what is being described as one of the first major exploits directly linked to AI-generated Solidity code. Apparently, the error was caused by some code that was partially written by Anthropic’s Claude Opus 4.6 model.
Moonwell, a decentralized lending market operating on Base and Optimism, stated that it found a critical oracle configuration issue affecting its Coinbase Wrapped Ether (cbETH) Core Market on Base.
This caused cbETH to be valued at approximately $1.12 per token instead of its actual market price near $2,200, which is a 2,000x undervaluation that triggered instant liquidations.
🚨Claude Opus 4.6 wrote vulnerable code, leading to a smart contract exploit with $1.78M loss
cbETH asset’s price was set to $1.12 instead of ~$2,200. The PRs of the project show commits were co-authored by Claude – Is this the first hack of vibe-coded Solidity code? pic.twitter.com/4p78ZZvd67
— pashov (@pashov) February 17, 2026
The vulnerability appeared on February 15, just after Moonwell activated governance proposal MIP-X43, which integrated Chainlink’s Oracle Extractable Value (OEV) wrapper contracts across Base and Optimism markets.
As such, instead of calculating the cbETH price in USD by multiplying the cbETH/ETH exchange rate by the ETH/USD price feed, the deployed code obtained only the cbETH/ETH exchange rate and treated that ratio as if it were already denominated in dollars.
With cbETH trading at lower prices because of Moonwell’s oracle, liquidators could repay around $1 worth of debt and get collateral worth thousands in return.
Moonwell’s risk manager was able to reduce the cbETH borrow cap to 0.01 within hours of the vulnerability, effectively freezing new borrowing activity and containing further damage.
However, liquidations had already been processed, so users were left with catastrophic losses.
The protocol also estimated total losses at $1.78 million, mostly affecting cbETH, WETH, and USDC positions. Some borrowers nearly lost all their collateral as well, while others exploited the incorrect pricing to borrow even more money than they should have been allowed to, thus creating more debt within the protocol.
Bithumb suffered similar value assignment error just days earlier
The Moonwell incident is very similar to an error made at the South Korean exchange Bithumb just days earlier, on February 6, where a wrong-unit assignment created tens of billions of dollars in ghost value.
Apparently, a Bithumb staff member entered “BTC” instead of “KRW” while distributing rewards for a Random Box promotion, thus rewarding users in Bitcoin instead of Korean won.
The project lost approximately 620,000 Bitcoin worth over $40 billion (nearly 3% of Bitcoin’s entire global supply).
Vibe coding debate intensifies
The Moonwell incident has re-sparked the debate over vibe coding. Advocates argue that AI makes coding more accessible, while critics warn that its code may contain vulnerabilities that human reviews would most likely miss.
Smart contract auditor Pashov emphasized that “behind the AI is a person who checks the finished work, and possibly an auditor. For this reason, blaming the neural network alone is incorrect, although the incident ‘raises concerns’ about vibe coding.”
Another blockchain security firm, SlowMist, shared its concerns about “oracle formula vulnerability” and the breakdown of human oversight that allowed the flawed code to reach production.
A study published just weeks before the Moonwell incident identified 69 vulnerabilities across 15 applications created using popular AI coding tools, including Cursor, Claude Code, Codes etc.
Even more interesting is that Anthropic’s own research from December 2025 revealed that Claude Opus 4.5 could exploit smart contract vulnerabilities worth $4.6 million by itself (in simulated environment). The research also established that premier AI models can now “independently identify vulnerabilities, create working exploit chains, and extract value with minimal human oversight.”
Nonetheless, Moonwell clarified that “no other markets on Base or OP Mainnet were affected. The issue is isolated to the cbETH Core Market on Base.”
The protocol also noted that this was not its first oracle incident, recalling a misreporting incident in November 2025.