Moonwell faces $1M risk after attacker buys cheap tokens and submits malicious vote proposal to gain control of DeFi lending protocol contracts.

A decentralized finance platform called Moonwell is facing a serious security threat after a very cheap attack. The incident was a surprise to the crypto community because the attacker only spent $1800. According to the reports by the Moonwell Forum, the proposal could put more than $1000000 at risk.

Cheap Token Purchase Leads to Governance Attack

The issue began with an unknown attacker purchasing some 40000000 MFAM tokens. These tokens have voting power within the governance system of Moonwell. Therefore, owning a lot of tokens means that a person is able to make important decisions about the platform.

With the tokens purchased, the attacker formed a governance proposal. The proposal attempted to give an attacker control over important smart contracts to a wallet controlled by the attacker. These contracts contain the oracle, the comptroller, and seven lending markets within the protocol.

The most startling aspect was the speed of the attack. Reports said the entire process took just 11 minutes. First, the tokens were bought. Next, the proposal was developed. Finally, the vote reached quorum, which is when enough votes are counted so that the proposal becomes active.

Voting on the proposal will be open until 27 March 2026. However, many members of the community later began to vote against the plan. Because of this, the end result to the question is uncertain.

Moonwell is a lending protocol on Moonbeam and Moonriver networks. According to DefiLlama data, currently, the platform has approximately $85000000 locked in its markets. Therefore, being able to control the contracts means that an attacker could potentially reach large funds.

Previous Exploit Raised Security Concerns

This is not the first time Moonwell has encountered a problem. In November 2025, the protocol lost a small sum of 1000000 due to an oracle error. The value of a token on the price feed from Chainlink was incorrect.

So, because of the wrong price, a small deposit was valued at over $116000. As a result, a trading bot used the fake value to borrow huge amounts from the market. This sapped funds away from Moonwell pools from Base Network and Optimism.

After that incident the Moonwell DAO approved a number of fixes. On 6 March 2026 the community voted to reestablish withdrawals on Moonriver. Later, on 9 March 2026, new contract upgrades were approved to correct reward calculation issues.

These updates were for safety, developers said. However, the new attack on governance demonstrates that there are risks in decentralized systems.

Moreover, governance attacks are dangerous because the hackers use voting rules rather than hacking codes. Therefore, the attackers can take control without directly breaking security.

For now, the Moonwell community is keeping a watchful eye on the vote. If the proposal doesn’t pass, the funds will remain safe. However, the incident has revealed that even small attacks can pose a threat to millions in DeFi platforms.