$1.78M ‘Vibe-coded’ Oracle Bug Leads to Investigation of AI-Enabled Contracts
Moonwell, the decentralized finance (DeFi) lending protocol deployed on Base and Optimism, was exploited for about $1.78 million through a pricing error affecting Coinbase's Wrapped Staked ETH (cbETH).
Pull requests for the affected contracts show several commits co-authored by Anthropic's Claude Opus 4.6, which security auditor Pashov publicly pointed to as an example of Solidity written by artificial intelligence (AI) backfiring.
Speaking to Cointelegraph about the incident, he said he linked the issue to Claude because there were many commits in the pull requests co-authored by Claude, adding, “The developer was using Claude to write the code, which resulted in a vulnerability.”
But Pashov cautioned against viewing the error as exclusively AI-driven. He described the issue as a mistake that “even a senior Solidity developer could have made,” and argued that the real problem was a lack of sufficiently rigorous checks and end-to-end validation.
At first he said he believed no testing or audit had been done, but he later said the team had unit and integration tests in a separate pull request and had commissioned an audit from Halborn.
In his opinion, the wrong price “could have been caught with an integration test, a proper one, integrating with the blockchain,” but he declined to directly criticize other security firms.
Small losses, big management questions
The dollar amount of the exploit is small compared to DeFi's larger incidents, such as the March 2022 Ronin Bridge exploit, where attackers stole more than $600 million, or other nine-figure bridge and lending protocol hacks.
What makes Moonwell stand out is the combination of AI co-authorship, a seemingly basic failure in the pricing setup for a major asset, and existing audits and tests that still failed to catch it.
Pashov says his company won't fundamentally change its process, but if code appears to be “vibe coded,” his team will “have a little more open eyes” and expect a higher number of low-hanging issues, although this particular oracle bug “isn't that easy” to spot.
“Vibe coding” and the disciplined use of AI
Fraser Edwards, co-founder and CEO of decentralized identity infrastructure provider cheqd, told Cointelegraph that the debate surrounding vibe coding masks “two very different interpretations” of how AI is used.
On the one hand, he said, there are non-technical founders who prompt AI to generate code that they cannot evaluate independently; on the other hand, experienced developers use AI to accelerate refactoring, pattern discovery, and testing within an intelligent engineering process.
AI-assisted development can be “especially useful at the MVP [minimum viable product] stage,” but it should not be seen as a shortcut to production-ready infrastructure, especially in capital-intensive systems like DeFi.
Edwards argues that all AI-generated smart contract code should be treated as untrusted input, requiring strict version control, open code ownership, crowd-sourced peer review, and advanced testing, especially in high-risk areas such as access controls, oracle and pricing logic, and optimization methods.
“Ultimately, responsible AI integration comes down to governance and discipline,” he said, pointing to clear review gates, separation between code generation and verification, and the assumption that any contract deployed in a hostile environment can contain hidden risks.



