A DeFi lending protocol just lost $1.78 million. The commits show Claude Opus 4.6 helped write the code that made it happen.
Moonwell, a DeFi lending protocol operating on Base and Optimism, suffered an oracle configuration exploit that security researchers flagged almost immediately after it hit. The vulnerability came down to a single, catastrophic price feed error — one that should have been caught long before deployment.
When the Oracle Gets the Price Completely Wrong
The cbETH asset, Coinbase's staked Ethereum token, had its price set to $1.12 inside the contract. Its actual market value at time of exploit sat around $2,200. That gap — nearly two thousand dollars per token — is what attackers used to drain funds from the protocol.
Security researcher evilcos flagged it on X, describing the error as a misconfigured oracle price feed formula. "A very low-level mistake where the oracle price feed formula was written incorrectly," evilcos wrote. He then pointed out something that stopped a lot of people: the commit history showed "Co-Authored-By: Claude Opus 4.6."
Anthropic's latest and most capable model had a hand in writing this.
The pull request in question — MIP-X43 on the Moonwell GitHub — was meant to activate Chainlink OEV wrappers across all remaining Moonwell markets. It got merged last week after passing through review, including a Copilot AI code review and at least two human reviewers.
Auditor and researcher @pashov noted on X that Claude Opus 4.6 wrote the vulnerable code directly. His post asked plainly: "Is this the first hack of vibe-coded Solidity code?"
The cbETH pricing error. A $1.78 million loss. A pull request co-authored by AI.
Vibe-Coded Solidity Hits the Real World
Pashov was careful not to put all blame on the model. As he wrote on X, the human behind the AI ultimately decides and reviews the code — and presumably, so does any security auditor attached to the project. But the incident puts AI-assisted smart contract development under an uncomfortable spotlight.
The Moonwell PR shows multiple commits with Claude's authorship flagged, alongside human contributors and GitHub Copilot's automated review. OpenZeppelin's Code Inspector bot also ran a report at an earlier commit stage, flagging critical and high-severity findings across the contracts. Whether those flags were adequately addressed before merge is now a serious question.
The reviewer CEbbinghaus, in comments posted just hours before this story went out, was asking exactly that. Looking at the ChainlinkOracleConfigs contract, they flagged the cbETH oracle block and asked directly: "Where is the actual value of cbETH calculated?" That question — raised after the merge — comes about three weeks too late.
One point evilcos made on X is worth sitting with: the exploit was not sophisticated. This wasn't a complex flash loan attack or a novel reentrancy vector. It was a wrong number in a price formula. The kind of mistake a competent human reviewer should catch. The kind a confident AI might not flag if the broader logic appears otherwise sound.
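The check that would have caught a $1.12 cbETH price before deployment is not exotic: compose the feed with explicit decimal handling, then compare the configured result against an independent reference price and refuse to proceed on a large deviation. The script below is an added illustration, not Moonwell's code and not the formula that was actually merged (the article only states that the formula was wrong and produced $1.12). It assumes the common pattern of deriving a USD price for a staked asset from a base/quote ratio feed (e.g. cbETH/ETH, 18 decimals) multiplied by a quote/USD feed (e.g. ETH/USD, 8 decimals); the feed values, asset names and the 5% tolerance are constructed for the example.

```python
"""Pre-deployment oracle sanity check (added example, not project code).

Assumed price composition: price_usd = (base/quote ratio) * (quote/USD),
with each feed carrying its own decimals, as Chainlink-style feeds do.
"""

from dataclasses import dataclass


def compose_price(ratio: int, ratio_decimals: int,
                  quote_usd: int, quote_decimals: int,
                  out_decimals: int = 8) -> int:
    """Combine two fixed-point feeds into a USD price with out_decimals.

    Integer arithmetic mirrors what a Solidity contract would do:
    multiply first, then divide, so precision is not lost early.
    Getting this scaling wrong by even one factor of 10**n is exactly
    the class of "wrong number in a price formula" the article describes.
    """
    numerator = ratio * quote_usd * 10 ** out_decimals
    denominator = 10 ** (ratio_decimals + quote_decimals)
    return numerator // denominator


def deviation_bps(configured: int, reference: int) -> int:
    """Absolute deviation of configured from reference, in basis points."""
    if reference <= 0:
        raise ValueError("reference price must be positive")
    return abs(configured - reference) * 10_000 // reference


def feed_is_sane(configured: int, reference: int, max_bps: int = 500) -> bool:
    """True when the on-chain price is within max_bps of the reference."""
    return deviation_bps(configured, reference) <= max_bps


@dataclass(frozen=True)
class MarketConfig:
    symbol: str
    configured_price: int   # what the deployed oracle would return (8 decimals)
    reference_price: int    # independent market price (8 decimals)


def failing_markets(configs: list[MarketConfig], max_bps: int = 500) -> list[str]:
    """Return symbols whose configured price is out of tolerance.

    A deployment script would abort (or a CI job would fail) when this
    list is non-empty, instead of letting the configuration reach mainnet.
    """
    return [c.symbol for c in configs
            if not feed_is_sane(c.configured_price, c.reference_price, max_bps)]


# Constructed sample feed values (not real on-chain readings).
CBETH_PER_ETH = 1_050_000_000_000_000_000     # 1.05 ETH per cbETH, 18 decimals
ETH_USD = 2_100 * 10**8                       # $2,100, 8 decimals

# Correct composition: 1.05 * 2,100 = $2,205.00
CBETH_USD_OK = compose_price(CBETH_PER_ETH, 18, ETH_USD, 8)

# Constructed configs: one healthy market, one with a $1.12 cbETH price
# like the figure the article reports, checked against a $2,200 reference.
SAMPLE_CONFIGS = [
    MarketConfig("cbETH-ok", CBETH_USD_OK, 2_200 * 10**8),
    MarketConfig("cbETH-bad", 112_000_000, 2_200 * 10**8),   # $1.12
]


if __name__ == "__main__":
    print("composed cbETH/USD:", CBETH_USD_OK / 10**8)
    print("markets failing sanity check:", failing_markets(SAMPLE_CONFIGS))
```

The tolerance is deliberately loose (5%): the goal is not to second-guess a live feed but to catch configuration-level errors of orders of magnitude, which a reviewer reading raw fixed-point integers in a diff can easily miss.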