Moonwell
About
Moonwell is an open and decentralized lending and borrowing protocol built on Base, Optimism, Moonbeam, and Moonriver. Users can supply assets into single-sided money markets to earn variable interest, or over-collateralize supplied assets to borrow other digital assets. The protocol also offers Moonwell Morpho Vaults (ERC-4626 compliant) that dynamically allocate single-asset deposits across Morpho isolated lending markets for optimized capital efficiency, plus a Safety Module for staking governance tokens (WELL and MFAM) to earn rewards while backstopping the protocol.
Where Does Yield Come From?
Moonwell generates yield through several different mechanisms, each with its own source of earnings and flow of funds.
Lending markets (money markets): People who supply assets into single-sided pools earn variable interest that is paid by borrowers. The interest rate changes based on how much of the pool's money is being borrowed (utilization). When utilization climbs past a certain point (called the "kink"), rates rise sharply to keep liquidity available. A small slice of all borrower interest payments, set by the protocol's governance system, is sent to the protocol's own reserves to keep the system sustainable.
Moonwell Morpho Vaults: These vaults accept deposits of a single asset and mint proportional share tokens in return. They automatically spread deposited funds across different Morpho lending markets, following risk settings chosen by curators (Block Analitica and B.Protocol). Yield comes from borrower fees that build up block by block and are auto-compounded into depositor positions. Additional rewards from the Morpho DAO may also be distributed. The vault roles are split: the Moonwell DAO owns the system, curators set risk parameters, allocators move funds around, and a guardian can veto changes via a timelock.
The Moonwell Flagship USDC Vault: This vault connects with Virtual Accounts to turn fiat money into USDC without fees, then deposits into yield-bearing lending markets.
Safety Module staking: Holders of WELL and MFAM tokens can stake them to get stkWELL/stkMFAM and earn staking rewards. In return, these staked tokens act as a backstop if something goes wrong — like a smart contract exploit, failed liquidation, or oracle failure. In such a shortfall event, up to 30% of staked tokens may be taken (slashed) to cover the losses.
Reserve Auctions: An automated onchain system auctions off the protocol's reserve tokens for WELL at changing discounts. Each two-week cycle is divided into 56 six-hour mini-auctions. Prices start above market (at a premium) and gradually drop to a maximum discount, using Chainlink price feeds. Participants bid WELL to get reserve assets at a discount.
Governance-approved incentive programs: Through Moonwell Improvement Proposals (MIPs), the community can approve extra WELL token rewards to be paid out as supply or borrow incentives in specific markets, attracting more activity.
Persons
Luke Youngblood
Founding Contributor (Lunar Labs); Security Council Member
x0s0l
Founding Contributor (Lunar Labs); Security Council Member
Akira
Founding Contributor (Lunar Labs)
0xMaki
Advisor
Brandon Kase
Advisor
Justin Lee
Advisor
Mason Borda
Advisor
Elliot Friedman
Security Council Member
Coolhorsegirl
Security Council Member
Audits
| Audit / Date | Findings | Verdict |
|---|---|---|
Halborn06-03-2025 |
| The audit identified one informational finding (outdated compiler version) with zero critical, high, medium, or low severity issues, indicating a low-risk security posture for the scoped contract. |
Halborn03-02-2025 - 05-02-2025 |
| The audit identified no critical, high, or medium severity vulnerabilities; the single Low (oracle staleness) and single Informational (division-by-zero edge case) finding were either risk-accepted or acknowledged by the Moonwell team, indicating a clean security posture for the scoped contracts at the time of assessment. |
Halborn15-07-2024 - 17-07-2024 |
| This audit returned no findings across all severity levels, indicating the assessed smart contract modifications were implemented without introducing security vulnerabilities or design flaws. The report confirms that Moonwell's protocol updates (cross-chain governance and routing changes) passed both manual and automated review with a clean result. |
Halborn21-05-2024 - 24-05-2024 |
| This audit found no Critical or High severity vulnerabilities; the single Medium issue and both Low issues were either remediated or risk-accepted, and the Informational finding was acknowledged, indicating a solid security posture at the time of the engagement. |
Halborn08-04-2024 - 10-04-2024 |
| The audit found zero vulnerabilities across all severity levels, indicating the AxelarBridgeAdapter.sol contract was assessed as secure within the defined scope with no findings to remediate. |
Halborn12-03-2024 - 19-03-2024 |
| The audit found no high, medium, or low severity vulnerabilities, confirming the MToken Fixes contracts were in strong security condition with only 3 informational-level observations (all acknowledged by the team). No residual risks of material impact were identified. |
CodeHawks (Cyfrin)04-03-2024 - 11-03-2024 |
| The contest found no critical or high-severity vulnerabilities, with one medium (inflated reward accumulation for the liquidator after fixUser) and one low (misleading getCashPrior return) — both manageable risks that do not compromise core protocol solvency or user funds. |
Kauz Security29-01-2024 - 02-02-2024 |
| The audit found only four low-severity issues and no critical or high-severity unresolved vulnerabilities, indicating that the Wormhole-based multichain governance integration has a reasonable security posture for deployment. Developers should remediate the reported low-severity items—particularly the unused governanceRollbackAddress and missing gap variables—before or shortly after launch. |
Halborn15-11-2023 - 01-01-2024 |
| The Halborn audit found one high-severity and two informational issues, all of which were resolved by the Moonwell team before finalization, leaving no unresolved security risks in the xWELL token and rate-limiting contracts. |
Halborn16-08-2023 - 24-08-2023 |
| The audit identified one high-risk inflation attack vector that was remediated before deployment, and the remaining medium/low/informational issues were either fixed or acknowledged, resulting in a reasonable security posture for the Compound vault contracts. |
Halborn16-07-2023 - 16-08-2023 |
| The audit found no critical vulnerabilities and all 21 identified issues were addressed, with most remediated in code and a few low-risk or informational items acknowledged, indicating a strong security posture for the Moonwell V2 contracts update. |
Code4rena24-07-2023 - 31-07-2023 |
| The audit identified no critical or high-severity vulnerabilities, with 17 medium-severity findings covering deploy configuration errors, cross-chain governance edge cases, oracle safeguards, and reward-distribution risks; these were largely confirmed by the sponsor and are manageable through configuration changes and code hardening before mainnet deployment. |
Halborn18-09-2022 - 26-09-2022 |
| Halborn identified one high-severity governance logic flaw that was promptly remediated, and eight informational code-quality items all resolved, with no critical or medium issues uncovered, indicating that the Moonwell governance contracts were in a secure state at the time of this assessment. |
Halborn10-08-2022 - 17-08-2022 |
| The audit identified two medium-severity issues and three informational findings, all of which were fully remediated by the Moonwell team, indicating a thorough and responsive security process for the Governance & Timelock contracts. |
Halborn08-06-2022 - 21-07-2022 |
| This cloud security assessment identified infrastructure misconfigurations typical of AWS environments; however, most critical and high-risk findings were remediated by decommissioning temporary resources or reconfiguring services, with only a few accepted risks for non-production or low-sensitivity workloads. The audit does not cover Moonwell's smart contract code, so it says nothing about on-chain security. |
Halborn05-04-2022 - 17-06-2022 |
| The audit found no critical or high-severity issues; the three medium-severity concerns were either remediated or risk-accepted by the Moonwell team. Overall, the engagement indicates a reasonable security posture for the scoped token sale contracts at the time of assessment. |
Halborn08-02-2021 - 13-02-2021 |
| The audit found no critical or high-risk vulnerabilities; the two low-severity and three informational issues were all either resolved or determined not applicable, indicating the Safety Module contracts were in a sound security posture at the time of review. |
Legal
Legal form
Foundation (Cayman Islands entity)
Registration jurisdiction
Cayman Islands
Status and notes
Operator is the Moonwell Foundation (referred to as "the Company" in the Terms of Service). The Foundation is a Cayman Islands entity with a Board of Directors residing in the Cayman Islands, governed by its Memorandum and Articles of Association (M&A) and Bylaws. Terms of Service are published as a PDF on the docs site (dated November 29, 2024). Contact: [email protected]. The ToS references a Privacy Policy but no standalone privacy policy page was found on the main website. Governing law and dispute resolution are specified under Cayman Islands law, with arbitration by the Cayman International Mediation and Arbitration Centre (CI-MAC).