Moonwell Attacker Spends $1,808 to Seize Control via Governance Proposal

CryptopulseElite

An attacker spent approximately $1,808 to purchase 40 million MFAM governance tokens and push through a malicious proposal that, if executed, would grant total control over Moonwell’s seven lending markets and core smart contracts, allowing the exploiter to drain more than $1 million in user funds.

The proposal, titled “MIP-R39: Protocol Recovery - Admin Migration,” was submitted on March 24, 2026, with voting set to conclude on March 28. Moonwell, a multichain lending protocol with approximately $85 million in total value locked, now faces a critical test of its decentralized governance safeguards as community members race to block the takeover.

Blockchain intelligence firm Blockful warned that the attacker may hold additional undisclosed wallets with MFAM tokens that could be used to flip the vote at the last moment, recommending that Moonwell’s multisig signers activate a “Break Glass Guardian” to move admin powers away from the exploiter.

Attack Mechanics and Potential Impact

Low-Cost Governance Exploit

The attacker purchased 40 million MFAM tokens at a price of approximately $0.000025 per token, spending roughly $1,808 to meet the threshold required to submit a governance proposal. The exploiter used a smart contract to acquire the tokens, with Blockful noting that the contract contained malicious code designed to automate the steps needed to drain the protocol’s liquidity if the proposal is executed.

Scope of Control

If successful, the proposal would give the attacker total control over Moonwell’s seven markets and the protocol’s core smart contracts, and would enable the draining of more than $1 million in user funds. The protocol operates on Moonbeam (a parachain network on Polkadot) and Moonriver (the equivalent network on Polkadot’s developer network Kusama).

Current Status and Defense Measures

Voting Activity

As of March 26, approximately 68% of votes cast were against the proposal. However, Blockful warned that the attacker may have additional unidentified wallets holding MFAM that could be deployed to flip the vote before the Friday deadline.

Recommended Safeguard

Blockful recommended that Moonwell’s multisig signers activate the “Break Glass Guardian,” a defensive mechanism that would move admin powers away from the attacker, ensuring user funds remain safe regardless of the vote outcome. “Since the attacker can still have hidden wallets, ready to vote in the last block in case of opposition, we recommend the core team use the Guardian to guarantee user funds are safe,” Blockful stated.

Broader Context: DAO Governance Vulnerabilities

Precedent Cases

The Moonwell episode adds to a growing list of governance exploits and disputes in decentralized finance:

  • Compound Finance (2024): A group of investors led by pseudonymous user Humpy accumulated enough governance tokens to force through a proposal that would have moved approximately $24 million from the project’s treasury into a private vault. A truce was ultimately reached.

  • Aave (December 2025): It was discovered that fees generated by an integration with CoW Swap were being routed directly to Aave Labs, a decision not approved by the lending protocol’s DAO.

Low-Value Token Risk

The Moonwell attack highlights a specific vulnerability in governance systems that rely on low-value tokens. By purchasing a large quantity of inexpensive tokens, an attacker can meet quorum requirements and submit malicious proposals with minimal financial outlay.
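
The check below is an added example, not code from the article, Blockful or Moonwell. It shows how a governance monitor could quantify the hidden-wallet warning and the low-value token risk described above: how many votes would flip the result, what they cost at market price, and whether that is cheaper than the funds at stake. It assumes a simple-majority, token-weighted vote; all names, the action labels and the sample figures other than the 40 million tokens and the $1 million exposure are constructed.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class VoteSnapshot:
    votes_for: int              # voting power cast for the proposal
    votes_against: int          # voting power cast against it
    uncast_power: int           # eligible voting power that has not voted yet
    token_price_usd: Decimal    # market price of one governance token
    value_at_risk_usd: Decimal  # funds the proposal would hand to the proposer


def tokens_to_flip(s: VoteSnapshot) -> int:
    """Extra 'for' votes needed to pass (simple majority assumed; 0 if already passing)."""
    return max(0, s.votes_against - s.votes_for + 1)


def assess(s: VoteSnapshot) -> dict:
    need = tokens_to_flip(s)
    total = s.votes_for + s.votes_against
    flippable = need <= s.uncast_power        # silent wallets could cover the gap
    flip_cost = need * s.token_price_usd      # market value of the votes needed
    cheap = flip_cost < s.value_at_risk_usd   # flipping costs less than the payoff
    return {
        "against_share": s.votes_against / total if total else 0.0,
        "tokens_to_flip": need,
        "flippable": flippable,
        "flip_cost_usd": flip_cost,
        # A lead in the tally is not a safeguard while a cheap flip is possible.
        "action": "escalate-to-guardian" if flippable and cheap else "monitor",
    }


# Constructed snapshot: the 40M 'for' votes and $1M exposure follow the article;
# the 'against' total and uncast power are illustrative, and the price is the
# one implied by 40 million tokens bought for $1,808.
SAMPLE = VoteSnapshot(
    votes_for=40_000_000,
    votes_against=85_000_000,
    uncast_power=200_000_000,
    token_price_usd=Decimal("0.0000452"),
    value_at_risk_usd=Decimal("1000000"),
)

if __name__ == "__main__":
    for key, value in assess(SAMPLE).items():
        print(f"{key}: {value}")
```

With the sample figures, a 68% "against" tally can still be overturned for roughly $2,034 of tokens, which is why the result of the vote alone does not protect the funds.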

Frequently Asked Questions

How did the attacker gain control over Moonwell’s governance?

The attacker purchased 40 million MFAM tokens for approximately $1,808, used them to submit a governance proposal that would transfer control over Moonwell’s markets and core smart contracts, and included malicious code to automate the draining of user funds if the proposal passes.

What is the current status of the proposal?

Voting on the proposal ends on March 28. As of March 26, approximately 68% of votes cast were against the proposal. However, security analysts warn that the attacker may hold additional undisclosed wallets that could be used to flip the vote at the last moment.

What can be done to stop the attack?

Security firm Blockful recommends that Moonwell’s multisig signers activate the “Break Glass Guardian” mechanism, which would move admin powers away from the attacker regardless of the vote outcome, ensuring user funds remain safe.
