Moonwell Faces $1.8K Governance Attack, Putting $1M+ in User Funds at Risk

Key takeaways:

  • This governance attack highlights systemic DeFi risks where low-liquidity tokens enable hostile takeovers for minimal capital.
  • The incident may pressure protocols like Aave and Compound to reassess their emergency multisig safeguards against last-minute voting manipulation.
  • Investors should monitor MFAM token volatility and potential contagion risk to lending protocols with similar governance structures.

An attacker spent just $1,808 to launch a hostile governance proposal that threatens to hand over control of the entire Moonwell lending protocol and put over $1 million in user funds at risk. The incident, which began on Tuesday, March 24, 2026, saw the exploiter purchase approximately 40 million MFAM governance tokens at a price of $0.000025 each, giving them enough voting power to submit and advance the proposal.

The proposal, titled "MIP-R39: Protocol Recovery - Admin Migration," would transfer administrative control of Moonwell's seven lending markets, its core comptroller smart contract, and its oracle to a contract controlled by the attacker. Blockchain intelligence firm Blockful analyzed the attacker's contract and warned it contained malicious code designed to automatically drain the protocol's liquidity, stating unequivocally, "This proposal is clearly an attack." If successful, the attacker could drain an estimated $1.08 million.

Voting on the proposal is set to conclude on Friday, March 27. The Moonwell community has mobilized in response: the early quorum favored the attacker, but the balance shifted as more token holders participated. As of Thursday, 68% of cast votes were against the proposal. However, Blockful cautions that the attacker may hold additional, unidentified wallets containing MFAM tokens that could be used to vote at the last minute.

As a defensive measure, the protocol's emergency multisig mechanism, known as the "Break Glass Guardian," stands ready to intervene. Blockful and community forum posts recommend the core team use this power to move admin authority away from the attacker and guarantee user fund safety, especially given the risk of hidden voting wallets. This highlights the ongoing tension between decentralized governance and necessary security safeguards.

The attack underscores a recurring vulnerability in decentralized finance (DeFi): the manipulation of governance through the cheap accumulation of tokens in illiquid markets. It echoes past incidents, such as a 2024 attempt on Compound Finance and a recent governance dispute within Aave. For Moonwell, this follows a February 2026 incident where a faulty oracle configuration led to $1.8 million in bad debt, compounding the protocol's security challenges.

Disclaimer

The content on this website is provided for information purposes only and does not constitute investment advice, an offer, or professional consultation. Crypto assets are high-risk and volatile — you may lose all funds. Some materials may include summaries and links to third-party sources; we are not responsible for their content or accuracy. Any decisions you make are at your own risk. Coinalertnews recommends independently verifying information and consulting with a professional before making any financial decisions based on this content.