Hackers drain $4.1 million from Makina Finance via oracle manipulation in flash loan attack

Hackers stole approximately $4.1 million from Makina Finance early Tuesday by manipulating a price oracle to drain a Curve stablecoin pool, though MEV bots captured most of the stolen funds before the attacker could extract them, according to blockchain security firms PeckShield and CertiK.

The incident, which unfolded in the early hours of the day, saw attackers manipulate on-chain price data to siphon funds from Makina Finance’s DUSD/USDC liquidity pool, according to blockchain security firms tracking the breach.

Security firm PeckShield was among the first to flag the Makina finance exploit, reporting that approximately 1,299 Ether was ultimately extracted from the affected Curve pool.

At the time of the attack, the stolen funds were valued at roughly $4.1 million, making it one of the most significant DeFi incidents so far this year.

The Makina finance exploit comes as developers and investors attempt to restore confidence following a turbulent 2025, when billions of dollars were lost to hacks, exploits, and fraud across decentralized protocols.

How the Makina finance exploit unfolded

According to PeckShield’s initial analysis, the Makina finance exploit targeted non-custodial liquidity providers within the DUSD/USDC Curve pool, which relies on an on-chain oracle to determine asset pricing.

Oracles act as a critical bridge between external data and smart contracts, and any weakness in their design can be catastrophic.

In this case, attackers were able to interfere with the oracle mid-transaction, briefly feeding it distorted pricing data.

That manipulation allowed them to withdraw assets from the pool at artificially favorable rates, rapidly draining liquidity before the system could rebalance.

A security engineer at CertiK provided further technical detail, explaining that the exploit began with a massive flash loan.

“The attacker borrowed roughly 280 million USDC in a single transaction,” — CertiK security engineer, said in a public analysis.

Flash loans allow users to borrow large sums without collateral, provided the funds are repaid within the same transaction.

Of that borrowed amount, around 170 million USDC was used to skew the MachineShareOracle that reports pricing data to the pool.

Once the oracle began reporting inflated values, the attacker swapped about 110 million USDC against a pool holding only around $5 million in actual liquidity.

“A share-price oracle was pushed mid-transaction, letting a Curve pool pay out at an inflated rate,” — CertiK security engineer, said. “About 5.1 million USDC left the DUSD/USDC pool, with attacker profit estimated near 4.1 million.”

MEV activity complicates the Makina finance exploit

The Makina finance exploit did not play out in isolation. According to CertiK, the attacker’s transaction was partially front-run by a maximal extractable value (MEV) builder, significantly altering the final distribution of stolen funds.

MEV refers to the profit that block builders or validators can extract by reordering or inserting transactions before they are finalized on-chain.

In this case, an MEV entity identified by the address prefix 0xa6c2 captured a substantial share of the value as the exploit unfolded.

CertiK estimated that the MEV builder seized approximately $4.14 million of the roughly $5 million withdrawn from the stablecoin pool.

The remaining Ether was split between two addresses, with one wallet holding about $3.3 million in ETH and another holding roughly 276 ETH.

This dynamic illustrates how MEV activity can intersect with exploits, sometimes reducing the attacker’s net gains while raising broader concerns about fairness and transparency in block production.

For victims, however, the presence of MEV offers little consolation, as the underlying liquidity loss remains.

Makina responds as DeFi risks persist

Makina Finance, which launched in February and markets itself as an institutional-grade DeFi execution engine, acknowledged the incident publicly.

In a statement posted on its official X (formerly Twitter) account around 6:42 a.m. UTC, the team confirmed the Makina finance exploit but said the issue was limited in scope.

“The incident did not impact the entire protocol infrastructure,” — Makina Finance, said in its statement, adding that the team was actively investigating the breach.

Makina also urged liquidity providers in the affected DUSD Curve pool to withdraw their funds while the review continues, promising further updates once the incident analysis is complete.

Data from DeFiLlama shows that Makina Finance held roughly $100 million in total value locked prior to the exploit, highlighting the scale of assets potentially exposed to smart contract risk.

The Makina finance exploit lands against a sobering industry backdrop. A recent Cyvers Web3 Security and Fraud Report documented 108 security and fraud-related incidents last year, with more than $16 billion in crypto assets stolen across exchanges and trading platforms.

For crypto investors and DeFi users, the latest Makina finance exploit reinforces a familiar lesson: even protocols positioning themselves as institutional-grade remain vulnerable to sophisticated attacks, particularly those exploiting oracle design and flash loan mechanics.

As regulators, developers, and users push for safer infrastructure, incidents like this continue to test confidence in decentralized finance’s ability to police itself.