Moonwell on Moonriver is under an active governance attack.
$1,808. That's what it cost to buy enough tokens to pass a proposal that can drain $1.08M in user funds. A 597x profit.
Voting ends on March 27. There's still time to stop it. 👇

Our system flagged a high-risk proposal. We got in contact with the core team to share our analysis and make sure they are aware so we can mitigate the attack.
The proposal transfers admin control of 7 lending markets, the Comptroller, and the Oracle to the attacker's contract. Once admin, it can manipulate/drain every market.

We decompiled the unverified contract from Moonscan, and it really shows the attacker has the whole plan set and ready.
The transactions to prepare, propose, vote and exploit are all included in a single piece of malicious code.

$1,808 and a single transaction. That was all it took to acquire enough voting power.
The attacker deployed a contract that bought 40M MFAM on SolarBeam, self-delegated, created a proposal with "a legitimate title", and voted it past quorum.
11 minutes. Start to finish.

With about 40h left for voting, other active wallets have enough power to defeat the attacker. Voting power was snapshotted at proposal creation, so buying MFAM now won't help.
Another defense path is the "Break Glass Guardian", a 2-of-3 multisig that can bypass the timelock and transfer admin powers away from the attacker before execution.
If 2 of the 3 signers act, the proposal can't be executed even if it passes.
If you have delegated MFAM, staked stkMFAM, or had Distributor allocations at block 15,616,694, your votes count.
Current tally: 43M FOR, 0 AGAINST.
Moonwell team: the Break Glass Guardian keys need to move. The execution window opens March 28.
While defeating the vote is the path with the fewest side effects, it is also the riskier one.
Since the attacker can still have hidden wallets, ready to vote in the last block in case of opposition, we recommend the core team use the Guardian to guarantee user funds are safe.
We published a governance attack report: timeline, on-chain transactions, funds at risk per market, and response plan.
forum.moonwell.fi/t/governanc…
This is the kind of attack @anticapture is built to detect. Governance vulnerabilities are not edge cases, they are often the most cost-efficient attack vector in DeFi.
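
A sketch of the checks that would flag a proposal shaped like the one in this thread. This is an added example, not Anticapture's or Moonwell's code. The record fields, the Compound-style function signatures and the thresholds are assumptions, and the sample proposal is constructed from the figures quoted above.

```python
from dataclasses import dataclass

# Assumption: Compound-style admin setters; adjust to the protocol under watch.
ADMIN_SIGS = {"_setPendingAdmin(address)", "setAdmin(address)"}

@dataclass
class Action:
    target: str       # label of the contract the proposal calls
    signature: str    # function signature of the call
    arg_address: str  # address argument (the proposed new admin)

@dataclass
class Proposal:
    actions: list
    votes_for: float
    votes_against: float
    acquire_cost_usd: float     # market cost of the proposer's voting power
    funds_at_risk_usd: float    # value held by the targeted contracts
    minutes_buy_to_vote: float  # first token purchase to vote cast

def assess(p, verified_contracts, max_ratio=10.0, min_minutes=60.0):
    """Return (findings, ratio); thresholds are illustrative assumptions."""
    findings = []
    transfers = [a for a in p.actions if a.signature in ADMIN_SIGS]
    to_unverified = [a for a in transfers if a.arg_address not in verified_contracts]
    if to_unverified:
        findings.append(f"admin of {len(to_unverified)} contracts moves to unverified code")
    ratio = p.funds_at_risk_usd / max(p.acquire_cost_usd, 1.0)
    if transfers and ratio > max_ratio:
        findings.append(f"funds at risk are {ratio:.0f}x the cost of the voting power")
    if p.minutes_buy_to_vote < min_minutes:
        findings.append("voting power was bought and used within minutes")
    if p.votes_for > 0 and p.votes_against == 0:
        findings.append("proposal is passing unopposed")
    return findings, ratio

# Constructed sample using the figures quoted in the thread; addresses are placeholders.
NEW_ADMIN = "0xPLACEHOLDER_UNVERIFIED_CONTRACT"
TARGETS = [f"market-{i}" for i in range(1, 8)] + ["Comptroller", "Oracle"]
SAMPLE = Proposal(
    actions=[Action(t, "_setPendingAdmin(address)", NEW_ADMIN) for t in TARGETS],
    votes_for=43e6, votes_against=0,
    acquire_cost_usd=1808, funds_at_risk_usd=1_080_000, minutes_buy_to_vote=11,
)

if __name__ == "__main__":
    findings, ratio = assess(SAMPLE, verified_contracts=set())
    for f in findings:
        print("FLAG:", f)
```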