Moonwell faces $1 million governance attack

March 24, 2026

Moonwell faces $1 million governance attack

The Moonwell lending protocol is facing a governance attack on its deprecated Moonriver instance, that could drain $1 million from the project. Because Moonwell's MFAM governance token trades at fractions of a cent, an attacker was able to accumulate around 40 million tokens, submit a malicious proposal, and achieve quorum. Moonwell governance token holders are now scrambling to vote down the proposal before the voting ends on March 27.

While the vote is currently not slated to pass, with 68% of votes opposing, some are concerned that the attacker could have more governance tokens held in reserve. If deployed at the last minute, the vote could still pass. Some have advocated for the Moonwell team to use its "Break Glass Guardian", which would allow them to prevent the attack from succeeding regardless of the vote outcome.

This is only the most recent of Moonwell's troubles after the protocol suffered a $1.78 million loss in February due to an oracle misconfiguration and a $3.7 million loss in November 2025.

Attack proposal, Moonwell governance [archive]
Tweet thread by Blockful [archive]