Exploit Details: Stableswap Pool Drained
Makina Finance, a decentralized finance protocol operating on Ethereum, experienced a significant loss of approximately $4.2 million. The exploit targeted its DUSD/USDC stableswap pool, stemming from a vulnerability in its oracle mechanism. Blockchain security firm CertiK has identified that the majority of the stolen funds were transferred to an MEV builder address.
The attacker executed the exploit by utilizing a flash loan of 280 million USDC. According to CertiK's analysis, approximately 170 million USDC was used to manipulate the MachineShareOracle, which is crucial for determining the pricing of the DUSD/USDC pool.
Following the manipulation of the oracle, the remaining 110 million USDC was then traded against the approximately $5 million pool, resulting in its near-total draining.
Security researcher n0b0dy pinpointed the core issue to a permissionless function named "updateTotalAum()". This function allows any user to refresh the protocol's price anchor during the course of a transaction. The oracle was found to be lacking essential safeguards such as time delays, volume-weighted average pricing, and access controls. This deficiency enabled the attacker to embed manipulated pool balances into the accounting system within a single transaction.
The attack was detected by TenArmor security systems, which confirmed the loss of approximately $4.2 million.
Implications: Oracle Design Flaws in DeFi
This exploit underscores a recurring vulnerability within decentralized finance protocols that depend on spot-priced oracles without implementing adequate protective measures. When the share prices can be instantaneously updated based on current pool balances, temporary imbalances introduced by flash loans can be exploited as the perceived "truth" for pricing calculations. Consequently, any pool trading DUSD against such an oracle effectively transformed into a mechanism for the attacker to extract funds.