The lending protocol Moonwell lost $1.78 million due to a misconfiguration in its oracle settings. Smart contract auditor Pashov linked the incident to vibe coding using Claude Opus 4.6.

The failure occurred on February 15 after the activation of the Moonwell DAO proposal — MIP-X43. This allowed contracts to be executed using Chainlink OEV on the Base and Optimism markets.

Technical Error

One of the oracles was incorrectly configured, failing to accurately determine the dollar price of Coinbase Wrapped ETH.

Instead of multiplying the cbETH/ETH rate by the ETH/USD price, the system only transmitted the token ratio. As a result, the oracle reported the price of cbETH at around $1.12 instead of approximately $2,200.

Impact on Users

The anomalously low quotes triggered a wave of liquidations. Trading bots targeted positions collateralized with cbETH, redeeming about $1 of debt in exchange for 1,096.317 cbETH.

This wiped out most or all of the cbETH collateral for many borrowers, leaving them with significant debt on their positions. Meanwhile, some users provided minimal collateral to borrow cbETH at the undervalued price.

“As soon as the issue was discovered, our risk manager @anthiasxyz promptly reduced the cbETH borrowing limit to 0.01 to mitigate further risks to the protocol,” representatives from Moonwell stated.

Is Vibe Coding to Blame?

Smart contract auditor Pashov noted that the commits for Moonwell were co-authored with Claude Opus 4.6.

🚨Claude Opus 4.6 wrote vulnerable code, leading to a smart contract exploit with $1.78M loss

cbETH asset's price was set to $1.12 instead of ~$2,200. The PRs of the project show commits were co-authored by Claude — Is this the first hack of vibe-coded Solidity code? pic.twitter.com/4p78ZZvd67

— pashov (@pashov) February 17, 2026

“Claude Opus 4.6 wrote vulnerable code, leading to a smart contract exploit with a loss of $1.78 million. […] Is this the first hack of Solidity code written using vibe coding?” he remarked.

The expert added that behind AI, there is a human who reviews the final work, and possibly a security auditor. Therefore, it is incorrect to solely blame the neural network, although the incident “raises questions” about vibe coding.

This programming approach is becoming increasingly mainstream despite growing criticism from specialists.

Recall that in February, a study identified 69 vulnerabilities in 15 applications created using popular tools like Cursor, Claude Code, Codex, Replit, and Devin.