Commissioned, Curated and Published by Russ. Researched and written with AI.
What’s New This Week
On Tuesday, an attacker submitted a governance proposal, MIP-R39: Protocol Recovery - Admin Migration, to Moonwell, a multichain DeFi lending protocol deployed on Moonbeam and Moonriver. The cost: $1,808 in MFAM tokens and 11 minutes of effort. If the proposal passes, the attacker gains full administrative control over Moonwell's seven markets and its core smart contract, and blockchain intelligence firm Blockful says the proposal contract already contains the code needed to drain more than $1 million in user funds. As of Thursday, 68% of votes cast are against it, but voting does not close until Friday, and Blockful has warned that the attacker may be holding additional undisclosed wallets capable of flipping the result in the final blocks.
Changelog
| Date | Summary |
|---|---|
| 26 Mar 2026 | Initial publish. |
The Attack
Moonwell runs on Moonbeam, a parachain on Polkadot, and on Moonriver, its counterpart on Kusama, Polkadot's canary network. According to DeFiLlama, the protocol holds approximately $85 million in total value locked.
The attacker bought 40 million MFAM tokens, Moonwell's governance token, for roughly $1,800; MFAM was trading at about $0.000025 before the purchase. That was enough to submit a governance proposal and vote it past the quorum threshold.
The proposal is titled "MIP-R39: Protocol Recovery - Admin Migration" and was submitted on Tuesday. On the surface it reads as a routine administrative migration. In practice, according to Blockful, the contract that would receive ownership of the protocol's markets already contains the transactions needed to exploit Moonwell's liquidity pools the moment ownership is transferred. Blockful described the proposal as clearly an attack.
The Problem With MFAM Governance
The MFAM token price before the attack was $0.000025. At that price, governance power is practically free. The attacker used a smart contract to buy the tokens and submit the proposal, so the whole process was automated and cheap enough to be disposable.
This is a structural problem with low-market-cap governance tokens. When the cost of reaching quorum is under $2,000, any sufficiently motivated attacker can hold a protocol hostage. A quorum threshold denominated in tokens rather than dollars was not designed for a world where the token has effectively no price floor.
The Compound Finance precedent from 2024 is relevant here. A group led by the pseudonymous user Humpy accumulated enough COMP to force through a proposal routing $24 million from the treasury into a vault they controlled. A truce was eventually reached. The mechanism was the same: accumulate tokens, reach quorum, extract value. Moonwell is a smaller, cheaper instance of the same attack surface.
Two Options to Respond
Moonwell has two paths to stop the proposal from executing.
The first is for token holders to keep voting against it. As of Thursday's count, 68% of votes cast oppose the proposal. The risk is hidden wallets: if the attacker holds undisclosed MFAM and deploys it in the final blocks before voting closes, the result could flip without warning.
The second option is the Break Glass Guardian, an emergency multisig mechanism built into Moonwell's governance architecture. As documented in Moonwell's governance forum, it lets a designated group of multisig signers move administrative powers away from a malicious proposal before it can execute, bypassing the standard governance timelock in the process. The mechanism requires a 2-of-3 multisig threshold and functions as an onchain emergency brake.
Blockful recommended activating the Guardian rather than relying on the vote count, specifically because of the hidden wallet risk. The firm stated that since the attacker can still have hidden wallets ready to vote in the final block in case of opposition, the core team should use the Guardian to guarantee user funds are safe.
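The following is an added illustration, not Moonwell's contracts or Blockful's analysis: a toy Python model of token-vote governance with the three moving parts the article describes, a quorum measured in tokens (so its dollar cost tracks the token price), a hidden wallet that votes in the final block, and a 2-of-3 guardian multisig that can cancel a proposal before the timelock executes it. The 40 million token purchase, the $0.000025 price, the 68% against tally and the 2-of-3 threshold come from the article; the quorum size, circulating supply, wallet names and balances are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, Set, Tuple


@dataclass
class Proposal:
    title: str
    new_admin: str              # address the proposal hands protocol control to
    votes_for: int = 0
    votes_against: int = 0
    cancelled: bool = False
    voted: Set[str] = field(default_factory=set)


@dataclass
class Governance:
    quorum_tokens: int                # assumption: quorum is a fixed token count
    circulating_supply: int           # assumption: any unvoted token could still vote
    guardian_signers: FrozenSet[str]  # Break Glass Guardian signer set (hypothetical names)
    guardian_threshold: int = 2       # 2-of-3, as the article describes
    balances: Dict[str, int] = field(default_factory=dict)
    admin: str = "timelock"           # who currently administers the markets

    def vote(self, proposal: Proposal, voter: str, support: bool) -> bool:
        """One vote per address, weighted by token balance."""
        weight = self.balances.get(voter, 0)
        if weight == 0 or voter in proposal.voted:
            return False
        proposal.voted.add(voter)
        if support:
            proposal.votes_for += weight
        else:
            proposal.votes_against += weight
        return True

    def passes(self, proposal: Proposal) -> bool:
        return (not proposal.cancelled
                and proposal.votes_for >= self.quorum_tokens
                and proposal.votes_for > proposal.votes_against)

    def execute(self, proposal: Proposal) -> bool:
        """Timelock executes a passed proposal: admin rights move to its target."""
        if not self.passes(proposal):
            return False
        self.admin = proposal.new_admin
        return True

    def guardian_cancel(self, proposal: Proposal, signers: Iterable[str]) -> bool:
        """Break Glass path: enough distinct guardian signatures cancel the proposal."""
        if len(set(signers) & self.guardian_signers) < self.guardian_threshold:
            return False
        proposal.cancelled = True
        return True

    def min_hidden_stake_to_flip(self, proposal: Proposal) -> Tuple[int, bool]:
        """Fewest extra for-votes that would pass the proposal, and whether that
        many unvoted tokens still exist in circulation (the hidden-wallet risk)."""
        needed = max(proposal.votes_against - proposal.votes_for + 1,
                     self.quorum_tokens - proposal.votes_for, 0)
        unvoted = self.circulating_supply - proposal.votes_for - proposal.votes_against
        return needed, needed <= unvoted


def cost_usd(tokens: int, price_usd: float) -> float:
    """Dollar cost of `tokens` at a flat spot price (slippage not modelled)."""
    return tokens * price_usd


def scenario(activate_guardian: bool) -> dict:
    """Cheap quorum, 68% against before the final block, a hidden wallet flip,
    with or without the Guardian cancelling first. Balances are constructed."""
    gov = Governance(
        quorum_tokens=40_000_000,
        circulating_supply=300_000_000,
        guardian_signers=frozenset({"signer_a", "signer_b", "signer_c"}),
        balances={
            "attacker": 40_000_000,         # the disclosed purchase
            "holder_1": 50_000_000,         # constructed opposing holders
            "holder_2": 35_000_000,
            "attacker_hidden": 45_000_001,  # constructed undisclosed wallet
        },
    )
    prop = Proposal("MIP-R39: Protocol Recovery - Admin Migration", new_admin="attacker_contract")
    gov.vote(prop, "attacker", True)
    gov.vote(prop, "holder_1", False)
    gov.vote(prop, "holder_2", False)
    against_share = prop.votes_against / (prop.votes_for + prop.votes_against)
    needed, feasible = gov.min_hidden_stake_to_flip(prop)

    if activate_guardian:
        gov.guardian_cancel(prop, ["signer_a", "signer_b"])

    gov.vote(prop, "attacker_hidden", True)  # final-block flip attempt
    return {
        "against_share_before_flip": against_share,
        "hidden_stake_needed": needed,
        "flip_feasible": feasible,
        "hidden_stake_cost_usd": cost_usd(needed, 0.000025),
        "executed": gov.execute(prop),
        "admin": gov.admin,
    }


if __name__ == "__main__":
    for guardian in (False, True):
        print("guardian" if guardian else "vote only", scenario(guardian))
```

With the vote-only path the 68% lead evaporates the moment the hidden wallet votes and the proposal executes; with the Guardian cancelling before execution the same final-block vote changes nothing. The point of `min_hidden_stake_to_flip` is that the defence's margin is bounded by unvoted supply times spot price, which here is a few thousand dollars, not by the visible tally.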
What’s Still Unresolved
As of publication, voting has not closed. The Moonwell team and Blockful have not confirmed whether the Guardian will be activated. The attacker’s full wallet picture is unknown.
The outcome on Friday will determine whether Moonwell loses control of its protocol, defends via vote count, or activates the emergency multisig. All three are still live possibilities.
Regardless of outcome, the incident shows that governance is an attack surface, not just a coordination mechanism. The cost of acquiring control here was below the price of a used car. Any protocol with a low-liquidity governance token should revisit that calculus before the next proposal lands.
Primary source: DL News - How an attacker spent just $1,808 to hold an entire crypto project hostage by Liam Kelly. Additional coverage: The Block.