Makina suffers $4.13M exploit in DUSD/USDC Curve pool

Makina, a decentralized finance protocol with automated execution, suffered an exploit early Tuesday morning that drained its DUSD/USDC liquidity pool on Curve, according to blockchain security firm PeckShield. 

Makina Finance has reportedly lost about 1,299 Ether from its Curve stablecoin pool to hackers. It was valued at about $4.13 million at the time. Per Peckshield’s analysis, attackers breached protocol’s non-custodial liquidity providers on the DUSD/USDC CurveStable pool, which uses an on-chain pricing data feed oracle. 

Oracles provide smart contracts with external information, such as asset prices, which the hackers exploited mid-transaction and withdrew the tokens at an artificially favorable rate.

Makina hacker used flash loans to snipe $5 million away

According to a security engineer at CertiK, the perpetrator began by borrowing 280 million USDC without upfront collateral, on the condition that the funds would be repaid in the same transaction.

Out of the borrowed amount, about 170 million USDC was used to interfere with the MachineShareOracle, which is responsible for reporting share prices to the pool. After injecting capital borrowed via a flash loan, they were able to temporarily skew the oracle’s price data and trick it into trusting inaccurate pricing information.

When the oracle began reporting inflated values, the attacker swapped approximately 110 million USDC against a pool that held only around $5 million in liquidity. Since the pool believed assets were worth more than they actually were, it paid out far more than it should have and emptied itself. 

“A share-price oracle was pushed mid-tx, letting a Curve pool pay out at an inflated rate. ~5.1M USDC left the DUSD/USDC pool, the attacker profits about 4.1M,” said the security engineer.

Makina Finance was launched last February, marketing itself as an institutional-grade DeFi execution engine. According to data from DeFiLlama, the protocol holds approximately $100.49 million in total value locked. 

MEV builder cut the Makina exploit numbers by $800k

The hacker took the DUSD proceeds and swapped them into ether, executing several transactions to consolidate and reposition the assets. However, according to CertiK, the exploit transaction was partially frontrun by an MEV builder. 

Maximal extractable value is the profit that either block builders and validators can maximize by reordering, injecting, and censoring transactions before being processed on-chain. In this case, an MEV entity identified by the address prefix 0xa6c2 racked up the majority of the value as the exploit played out. 

CertiK estimated that the MEV builder seized approximately $4.14 million out of the $5 million they had withdrawn from the stablecoin pool.

The MEV routing split the remaining ether between two addresses: the first (0xbed) held $3.3 million in ETH, and the other (0x573d) held roughly 276 ETH.

At around 6:42 AM UTC Tuesday, Makina Finance wrote a statement on X acknowledging the hack but insisted the issue did not affect the entire protocol’s infrastructure.

Makina also asked liquidity providers in the DUSD Curve pool to remove their liquidity as it determines “the appropriate next steps for affected users and LPs.” The team also promised to provide the community with more updates as soon as the incident review is complete.

The DeFi protocol’s flash loan attack spells doom for a year that crypto users had hoped to walk away from unscathed, after a dreadful 2025 that saw over $3 billion stolen from the market. 

A Web3 Security and Fraud Report from Cyvers documented 108 fraud and security-related incidents last year, and about $16 billion in crypto assets swindled from at least 140 exchanges and trading platforms.

Cyvers also reported more than 4.2 million fraudulent transactions from 780,000 addresses and nearly 19,000 active fraud networks, involving assets such as USDT, ETH, and USDC.

If you're reading this, you’re already ahead. Stay there with our newsletter.