DeFi lender Moonwell faces governance attack as $1,800 vote push threatens $1 million in funds

DeFi | March 26, 2026, 9:21AM EDT

Quick Take

  • Moonwell is facing a live governance attack on its Moonriver deployment.
  • An attacker reportedly spent about $1,800 to acquire enough tokens to pass a proposal that could drain roughly $1.08 million.
  • The malicious proposal would transfer admin control of key contracts, enabling full fund extraction.

A low-cost governance play has put more than $1 million at risk on decentralized protocol Moonwell as an unknown actor attempts to exploit how the DeFi app distributes power.

An attacker spent roughly $1,800 to acquire about 40 million MFAM tokens, enough to push through a malicious governance proposal that would hand over administrative control of the protocol’s core contracts, according to multiple onchain observers.

11-minute bet to capture over $1 million

The entire sequence — buying tokens, creating the proposal, and voting it past quorum — took about 11 minutes. The proposal, currently active on Moonwell’s Moonriver deployment, would transfer control of seven lending markets, the comptroller, and the oracle to a contract controlled by the attacker.

Once executed, that contract could drain funds across the protocol. At current estimates, around $1.08 million in user funds could be exposed if the proposal executes.

Moonwell is a lending protocol operating on Moonbeam and Moonriver, part of the Polkadot ecosystem.

Users can deposit assets to earn yield or borrow against collateral. Governance decisions are made through token-holder voting, with MFAM serving as the voting asset on Moonriver.

This model is now under pressure.

The attacker’s strategy relied on thin liquidity and concentrated voting power. That essentially allowed a relatively small capital outlay to control a disproportionately large share of governance. The vote remains open until March 27. While early tallies showed the proposal reaching quorum quickly, subsequent participation has shifted sentiment, with a majority of votes now opposing the measure.

Still, governance rules mean the outcome hinges on final tallies and any undeclared voting power.

Two paths remain to stop the attack. Token holders can outvote the proposal, or a designated emergency multisig — known as the “Break Glass Guardian” — can intervene to override the governance process and strip the attacker of control before execution.

Governance loopholes

The incident highlights a structural issue in decentralized governance. Tokens designed to coordinate decision-making can also be used to seize control when distribution is uneven or participation is low.

Similar tactics have surfaced before, but what stands out in the Moonwell case is the cost. Flash loan governance attacks drained more than $180 million from Beanstalk in 2022. Other protocols, including Compound and smaller DeFi projects, like Swerve Finance, have faced contested or malicious proposals driven by concentrated token accumulation.

The hostile governance takeover also follows $1.8 million in bad debt suffered by Moonwell earlier this year. Back in February, the protocol lost millions in Coinbase Wrapped ETH (cbETH) due to a faulty oracle configuration.


© 2026 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.