Claude vibe-coded smart contract cost DeFi protocol $1.8M in losses

While AI-powered tools are getting better at coding, errors still occur and can cost millions, as an example from this week has already demonstrated.
- AI-assisted code went wrong – a vulnerability co-written by Claude Opus 4.6 led to a $1.8M exploit on the Moonwell DeFi protocol.
- An oracle misconfigured a crypto asset's price at ~$1.12 instead of ~$2,200, triggering a liquidation frenzy.
- Security researchers are questioning whether this is the first major hack tied to AI-generated smart contract code.
- Critics say human review failed; others argue the answer is fighting AI errors with more AI.

Decentralized finance (DeFi) protocol Moonwell was exploited to the tune of around $1.8 million, and security researchers have found that the vulnerability was introduced by AI.
"Is this the first hack of vibe-coded Solidity code?" security auditor known as @pashov on X asked, after pointing to a GitHub page showing Claude Opus 4.6 co-wrote this vulnerable code and set a crypto asset's price incorrectly.
"Of course, the human behind AI decides and reviews the code, possibly a security auditor as well. Sad to see another exploit, but makes you wonder a bit about vibe-coding," the auditor added.
Moonwell itself doesn't mention AI in its incident summary, only stating that "one of the oracle configurations contained a critical error" in setting the key price of the crypto asset cbETH.
"This misconfiguration caused the oracle to report cbETH's price as approximately $1.12 (reflecting the cbETH/ETH ratio of ~1.12) rather than the intended market value of roughly $2,200," it said.
Subsequently, liquidation bots immediately targeted cbETH collateral positions, wiping out most or all of the cbETH collateral for many borrowers. This left "substantial bad debt on their positions," while some users exploited the distorted pricing further.
"When the dust settled 1096.317 cbETH was seized by liquidators, and the protocol was left with $1.78M in bad debt across various markets, with the majority of it in the form of cbETH," the team said.
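The failure described in the incident summary, a ratio reported where a USD price was expected, is the kind of error a pre-deployment configuration check can catch. The following is an added example, not Moonwell's code: it assumes the USD price is formed by multiplying a cbETH/ETH ratio feed by an ETH/USD feed, and the feed table, function names and the ETH/USD value are constructed for illustration.

```python
from decimal import Decimal

# Constructed feed table: (base, quote) -> latest answer.
# Only the ~1.12 ratio and the ~$2,200 target come from the article;
# the ETH/USD value is an assumption chosen so the product is ~$2,200.
FEEDS = {
    ("cbETH", "ETH"): Decimal("1.12"),
    ("ETH", "USD"): Decimal("1964.29"),
}


class OracleConfigError(Exception):
    """Raised when the configured feed legs do not produce a USD price."""


def resolve_price(asset, legs, feeds=FEEDS, quote="USD"):
    """Multiply the configured legs, checking that units chain asset -> quote."""
    price, unit = Decimal(1), asset
    for base, leg_quote in legs:
        if base != unit:
            raise OracleConfigError(f"leg {base}/{leg_quote} does not continue from {unit}")
        price *= feeds[(base, leg_quote)]
        unit = leg_quote
    if unit != quote:
        # A ratio-only configuration stops here: the number is in ETH, not USD.
        raise OracleConfigError(f"{asset} price ends in {unit}, not {quote}")
    return price


def within_band(price, reference, max_deviation=Decimal("0.10")):
    """Second line of defence: compare against an independent reference price."""
    return abs(price - reference) / reference <= max_deviation


def check_config(asset, legs, reference):
    """Return (ok, detail) for a proposed oracle configuration."""
    try:
        price = resolve_price(asset, legs)
    except OracleConfigError as exc:
        return False, str(exc)
    if not within_band(price, reference):
        return False, f"{price} deviates from reference {reference}"
    return True, str(price)


if __name__ == "__main__":
    ref = Decimal("2200")
    print(check_config("cbETH", [("cbETH", "ETH")], ref))                  # ratio only
    print(check_config("cbETH", [("cbETH", "ETH"), ("ETH", "USD")], ref))  # full chain
```

Run as a deployment gate, the unit check rejects the ratio-only configuration outright, and the deviation band independently rejects a value of 1.12 against a reference near $2,200.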
While the industry continues to wonder whether it's the first case of a vibe-coded DeFi protocol being exploited, the CEO of crypto security platform Spearbit, @hrkrshnn, emphasized that "You fight AI with more AI."
"Coding with Claude is the new normal. But you can be fast and safe," the CEO said.
However, as developer @storming0x pointed out, "we human devs are not doing that well either."
"AI vibe coded related hacks -> 1. Human error-related hacks -> 10000," the developer concluded.