Makina, a decentralized finance protocol known for its automated execution capabilities, experienced an exploit early Tuesday morning. The attack resulted in the draining of its DUSD/USDC liquidity pool on the Curve platform, according to information from blockchain security firm PeckShield.
Makina Finance has reportedly lost approximately 1,299 Ether from its Curve stablecoin pool to the hackers. At the time of the incident, this amount was valued at around $4.13 million. PeckShield's analysis indicates that the attackers gained access to the protocol's non-custodial liquidity providers within the DUSD/USDC Curve Stable pool, which utilizes an on-chain pricing data feed oracle.
Oracles are crucial components that provide smart contracts with external information, such as asset prices. The hackers exploited this system mid-transaction, enabling them to withdraw tokens at an artificially favorable exchange rate.
Exploit Details: Flash Loans and Oracle Manipulation
According to a security engineer from CertiK, the perpetrator initiated the attack by borrowing 280 million USDC without requiring upfront collateral. This borrowing was contingent on the funds being repaid within the same transaction.
Of the borrowed sum, approximately 170 million USDC was used to interfere with the MachineShareOracle. This oracle is responsible for reporting share prices to the liquidity pool. By injecting capital obtained through a flash loan, the attackers were able to temporarily skew the oracle's price data, misleading it into accepting inaccurate pricing information.
🚨 Another exploit today (4.1M):
— n0b0dy (@nn0b0dyyy) January 20, 2026
Flashloan + permissionless AUM refresh is a dangerous combo.
A share-price oracle was pushed mid-tx, letting a Curve pool pay out at an inflated rate. ~5.1M USDC left the DUSD/USDC pool, the attacker profits about 4.1M. pic.twitter.com/t4RKYoUWDl
Once the oracle began reporting inflated asset values, the attacker proceeded to swap roughly 110 million USDC against a pool that contained only about $5 million in liquidity. Because the pool perceived the assets as being worth significantly more than their actual value, it dispensed far more than it should have, leading to its depletion.
The security engineer commented, "A share-price oracle was pushed mid-tx, letting a Curve pool pay out at an inflated rate. ~5.1M USDC left the DUSD/USDC pool, the attacker profits about 4.1M."
Makina Finance, which launched in February of the previous year, positioned itself as an institutional-grade DeFi execution engine. According to data from DeFiLlama, the protocol currently holds approximately $100.49 million in total value locked.
MEV Builder's Intervention in the Exploit
The hacker converted the stolen DUSD proceeds into Ether, executing multiple transactions to consolidate and reposition these assets. However, CertiK reported that the exploit transaction was partially frontrun by a Maximal Extractable Value (MEV) builder.
Maximal extractable value refers to the profit that block builders and validators can achieve by reordering, injecting, or censoring transactions before they are processed on the blockchain. In this specific incident, an MEV entity, identified by the address prefix 0xa6c2, captured the majority of the value as the exploit unfolded.
CertiK estimated that the MEV builder seized approximately $4.14 million of the $5 million that was withdrawn from the stablecoin pool.
The MEV routing resulted in the remaining Ether being split between two distinct addresses. The first address, denoted by the prefix 0xbed, held $3.3 million in ETH, while the second address, 0x573d, held approximately 276 ETH.
Makina Finance's Response and Broader Context
At approximately 6:42 AM UTC on Tuesday, Makina Finance released a statement on X (formerly Twitter) acknowledging the hack. The company emphasized that the issue appeared to be isolated and did not compromise the entire protocol's infrastructure.
Gmak, early this morning we received reports regarding an incident with the $DUSD Curve pool
— Makina (@makinafi) January 20, 2026
At this stage, the issue appears to be isolated to DUSD LP positions on Curve. There is currently no indication that other assets or deployments are affected.
Underlying assets held in…
Makina also urged liquidity providers in the DUSD Curve pool to withdraw their liquidity while the team determined "the appropriate next steps for affected users and LPs." The team committed to providing further updates once the incident review was concluded.
This flash loan attack on the DeFi protocol marks another significant security breach in a year that many in the crypto community had hoped would be free from major exploits, following a challenging 2025 during which over $3 billion was reportedly stolen from the market.
A Web3 Security and Fraud Report compiled by Cyvers documented 108 fraud and security-related incidents in the previous year. The report indicated that approximately $16 billion in crypto assets were swindled from at least 140 exchanges and trading platforms.
Cyvers also identified over 4.2 million fraudulent transactions originating from 780,000 addresses and nearly 19,000 active fraud networks. These activities involved major assets such as USDT, ETH, and USDC.