Makina’s $4.13M Exploit Rocks DUSD/USDC Curve Pool — DeFi’s Latest Vulnerability Exposed

Another day, another multi-million dollar hole in DeFi's supposedly bulletproof armor.
Makina just watched $4.13 million vanish from its DUSD/USDC liquidity pool on Curve—a stark reminder that in crypto, the only sure thing is smart contract risk. The exploit didn't just drain funds; it drained confidence, highlighting the persistent gap between theoretical security and on-chain reality.
How the Breach Went Down
The attacker didn't need a fancy zero-day—just a clever manipulation of the pool's pricing mechanism. By exploiting a logic flaw in the pool's balancing algorithm, they artificially skewed the exchange rate between DUSD and USDC. A few well-timed swaps later, and the liquidity was siphoned into a private wallet. The whole operation was over in minutes, leaving the pool imbalanced and users holding the bag. Classic DeFi: innovate first, secure maybe later.
The Aftermath & The Blame Game
Makina's team is scrambling—issuing statements, pausing contracts, and promising a post-mortem. The usual playbook. Meanwhile, the Curve pool sits wounded, its TVL cratered and its users questioning the very stability of 'stable' coin pairs. It's the decentralized finance equivalent of a bank run, except there's no FDIC insurance and the fine print is written in Solidity.
Why This Keeps Happening
Speed over security. Yield over audits. The relentless push to deploy and attract liquidity creates a breeding ground for these exploits. Each new protocol layers complexity upon complexity, and somewhere in that stack, a single miswritten line of code can cost millions. It's the tax of innovation, paid in real time by whoever's unlucky enough to be providing liquidity that week. A cynical observer might call it a wealth transfer mechanism masquerading as a financial revolution.
DeFi's resilience is being tested—not by regulators, but by its own foundational code. Until the industry prioritizes robust security on par with financial yield, these multi-million dollar headlines will keep coming. The next exploit isn't a matter of 'if,' but 'when' and 'which pool.' Trust the code, they said. It'd be easier if the code wasn't so full of holes.
Makina hacker used flash loans to snipe $5 million away
According to a security engineer at CertiK, the perpetrator began by borrowing 280 million USDC without upfront collateral, on the condition that the funds would be repaid in the same transaction.
Out of the borrowed amount, about 170 million USDC was used to interfere with the MachineShareOracle, which is responsible for reporting share prices to the pool. After injecting capital borrowed via a flash loan, they were able to temporarily skew the oracle’s price data and trick it into trusting inaccurate pricing information.
🚨 Another exploit today (4.1M):
Flashloan + permissionless AUM refresh is a dangerous combo.
A share-price oracle was pushed mid-tx, letting a Curve pool pay out at an inflated rate. ~5.1M USDC left the DUSD/USDC pool, the attacker profits about 4.1M. pic.twitter.com/t4RKYoUWDl
— n0b0dy (@nn0b0dyyy) January 20, 2026
When the oracle began reporting inflated values, the attacker swapped approximately 110 million USDC against a pool that held only around $5 million in liquidity. Since the pool believed assets were worth more than they actually were, it paid out far more than it should have and emptied itself.
“A share-price oracle was pushed mid-tx, letting a Curve pool pay out at an inflated rate. ~5.1M USDC left the DUSD/USDC pool, the attacker profits about 4.1M,” said the security engineer.
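The failure mode described above, reduced to a toy model as an added example (not code from Makina, Curve or CertiK): a share-price oracle that anyone can refresh mid-transaction, next to a guarded variant. The vault accounting, the `GuardedOracle` design, its 0.5% clamp and all numbers are assumptions constructed for illustration.

```python
# Toy model, constructed for illustration; not Makina's or Curve's contracts.
from dataclasses import dataclass

@dataclass
class Vault:
    assets: float   # value the AUM accounting counts (assumed: live balances)
    shares: float
    def spot_share_price(self) -> float:
        return self.assets / self.shares

class NaiveOracle:
    """Permissionless refresh; the new price is readable in the same transaction."""
    def __init__(self, vault):
        self.vault, self.price = vault, vault.spot_share_price()
    def refresh(self, block):
        self.price = self.vault.spot_share_price()
    def read(self, block):
        return self.price

class GuardedOracle:
    """Hypothetical hardening: a refresh takes effect only in a later block and
    is clamped to +/- max_move of the last committed price."""
    def __init__(self, vault, max_move=0.005):
        self.vault, self.max_move = vault, max_move
        self.price = vault.spot_share_price()
        self.pending = None                      # (price, block it was queued in)
    def _settle(self, block):
        if self.pending and block > self.pending[1]:
            self.price, self.pending = self.pending[0], None
    def refresh(self, block):
        self._settle(block)
        spot = self.vault.spot_share_price()
        lo, hi = self.price * (1 - self.max_move), self.price * (1 + self.max_move)
        self.pending = (min(max(spot, lo), hi), block)
    def read(self, block):
        self._settle(block)
        return self.price

def price_seen_mid_tx(oracle, vault, injected, block):
    """One transaction: temporary capital in, refresh, consumer read, capital out."""
    vault.assets += injected      # flash-loan-sized balance change
    oracle.refresh(block)
    seen = oracle.read(block)     # the rate a pool would pay out against
    vault.assets -= injected      # repaid before the transaction ends
    return seen
if __name__ == "__main__":
    for cls in (NaiveOracle, GuardedOracle):
        v = Vault(assets=100e6, shares=100e6)    # constructed numbers
        print(cls.__name__, price_seen_mid_tx(cls(v), v, injected=170e6, block=10))
```

The guarded variant still commits the clamped value in the next block, so the bound on damage is `max_move` per block rather than zero; a later honest refresh brings the price back.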
Makina Finance was launched last February, marketing itself as an institutional-grade DeFi execution engine. According to data from DeFiLlama, the protocol holds approximately $100.49 million in total value locked.
MEV builder cut the Makina exploit numbers by $800k
The hacker took the DUSD proceeds and swapped them into ether, executing several transactions to consolidate and reposition the assets. However, according to CertiK, the exploit transaction was partially frontrun by an MEV builder.
Maximal extractable value is the profit that block builders and validators can extract by reordering, injecting, and censoring transactions before they are processed on-chain. In this case, an MEV entity identified by the address prefix 0xa6c2 racked up the majority of the value as the exploit played out.
CertiK estimated that the MEV builder seized approximately $4.14 million out of the $5 million the attacker had withdrawn from the stablecoin pool.
The MEV routing split the remaining ether between two addresses: the first (0xbed) held $3.3 million in ETH, and the other (0x573d) held roughly 276 ETH.
At around 6:42 AM UTC Tuesday, Makina Finance wrote a statement on X acknowledging the hack but insisted the issue did not affect the entire protocol’s infrastructure.
Gmak, early this morning we received reports regarding an incident with the $DUSD Curve pool
At this stage, the issue appears to be isolated to DUSD LP positions on Curve. There is currently no indication that other assets or deployments are affected.
Underlying assets held in…
— Makina (@makinafi) January 20, 2026
Makina also asked liquidity providers in the DUSD Curve pool to remove their liquidity as it determines “the appropriate next steps for affected users and LPs.” The team also promised to provide the community with more updates as soon as the incident review is complete.
The DeFi protocol’s flash loan attack spells doom for a year that crypto users had hoped to walk away from unscathed, after a dreadful 2025 that saw over $3 billion stolen from the market.
A Web3 Security and Fraud Report from Cyvers documented 108 fraud and security-related incidents last year, and about $16 billion in crypto assets swindled from at least 140 exchanges and trading platforms.
Cyvers also reported more than 4.2 million fraudulent transactions from 780,000 addresses and nearly 19,000 active fraud networks, involving assets such as USDT, ETH, and USDC.