Vibe Coding via Claude Opus Leads to Moonwell DeFi Project Breach

Moonwell lost $1.78 million due to an oracle error linked to vibe coding.

The lending protocol Moonwell lost $1.78 million due to an oracle configuration error. Smart contract auditor Pashov linked the incident to vibe coding through Claude Opus 4.6.

The failure occurred on February 15, after Moonwell DAO proposal MIP-X43 was activated. The proposal enabled contracts that use Chainlink OEV on the Base and Optimism markets.

Technical Error

One of the oracles was incorrectly configured and reported the wrong dollar price for Coinbase Wrapped ETH (cbETH).

Instead of multiplying the cbETH/ETH rate by the ETH/USD price, the oracle passed through only the cbETH/ETH ratio. As a result, it showed a cbETH price of about $1.12 instead of ~$2200.
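
The difference between the two calculations, and a deviation check that would flag the wrong one before activation, can be modeled in a few lines. This is an added example, not Moonwell's or Chainlink's code; the feed values, the decimal scales, the reference quote and the 5% tolerance are all constructed assumptions.

```python
# Added example: fixed-point model of a two-feed composite oracle.
# Feed values and decimals are constructed for illustration.

RATIO_DECIMALS = 18  # assumption: cbETH/ETH rate scaled by 1e18
USD_DECIMALS = 8     # assumption: USD prices scaled by 1e8

CBETH_ETH = 1_120_000_000_000_000_000  # constructed: 1.12 ETH per cbETH
ETH_USD = 196_428_000_000              # constructed: $1964.28 per ETH
REFERENCE_USD = 220_000_000_000        # constructed: independent quote, $2200


def ratio_only_price(ratio: int) -> int:
    """The misconfiguration: the token ratio is rescaled and served as USD."""
    return ratio // 10 ** (RATIO_DECIMALS - USD_DECIMALS)


def composite_price(ratio: int, eth_usd: int) -> int:
    """Correct composition: (cbETH/ETH) * (ETH/USD), scaled by 1e8."""
    if ratio <= 0 or eth_usd <= 0:
        raise ValueError("feed returned a non-positive answer")
    return ratio * eth_usd // 10 ** RATIO_DECIMALS


def within_reference(price: int, reference: int, max_dev_bps: int = 500) -> bool:
    """Pre-activation guard: accept a price only if it is within
    max_dev_bps basis points of an independently sourced reference."""
    if reference <= 0:
        raise ValueError("reference price must be positive")
    deviation_bps = abs(price - reference) * 10_000 // reference
    return deviation_bps <= max_dev_bps


def to_usd(price: int) -> float:
    """Human-readable dollars, for display only."""
    return price / 10 ** USD_DECIMALS


if __name__ == "__main__":
    for name, price in (
        ("ratio only", ratio_only_price(CBETH_ETH)),
        ("composite", composite_price(CBETH_ETH, ETH_USD)),
    ):
        verdict = "ok" if within_reference(price, REFERENCE_USD) else "REJECT"
        print(f"{name:>10}: ${to_usd(price):,.2f} -> {verdict}")
```

Running the same comparison against a fork or staging deployment before a governance proposal executes turns a unit error of this kind into a failed check rather than a live price.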

Consequences for Users

Abnormally low quotes triggered a wave of liquidations. Trading bots attacked positions collateralized in cbETH. They repaid approximately $1 of debt and received 1096.317 cbETH in return.

This wiped out most or all of the cbETH collateral for many borrowers, leaving a significant debt on their positions. Simultaneously, some users provided minimal collateral to borrow cbETH at the reduced price.

“As soon as the problem was discovered, our risk manager @anthiasxyz promptly reduced the cbETH borrowing limit to 0.01 to limit further risks to the protocol,” Moonwell representatives wrote.

Is Vibe Coding to Blame?

Smart contract auditor Pashov noted that commits for Moonwell were co-authored with Claude Opus 4.6.

“Claude Opus 4.6 wrote vulnerable code, leading to a smart contract exploit with a $1.78 million loss. […] Is this the first hack of vibe-coded Solidity code?” he noted.

The expert added that behind the AI is a person who checks the finished work, and possibly a security auditor. For this reason, blaming the neural network alone is incorrect, although the incident “raises questions” about vibe coding.

This approach to programming is becoming increasingly widespread, despite growing criticism from experts.

In February, a study identified 69 vulnerabilities in 15 applications created using popular tools like Cursor, Claude Code, Codex, Replit, and Devin.
