Makina Finance Hit by Flash‑Loan Exploit, Losing Over $4.1M as Curve Pool Is Drained

TL;DR

• An attacker drained 1,299 ETH from the DUSD/USDC pool by manipulating the price oracle.
• MEV bots intercepted the original transaction to execute offensive arbitrage operations.
• The team activated security mode and confirmed that underlying assets remain safe.

---

The year 2026 begins with a new security incident for the DeFi sector, as a flash loan exploit on Makina Finance was confirmed this January 20. According to reports from security firms such as PeckShield and CertiK, the protocol lost approximately 1,299 ETH, equivalent to about $4.13 million.

Gmak, early this morning we received reports regarding an incident with the $DUSD Curve pool

At this stage, the issue appears to be isolated to DUSD LP positions on Curve. There is currently no indication that other assets or deployments are affected.

Underlying assets held in…

— Makina (@makinafi) January 20, 2026

The attack directly targeted the Dialectic USD/USDC Stableswap pool within the Curve platform. The perpetrator initiated the operation by obtaining a 280 million USDC flash loan, using a substantial portion to manipulate the price oracle upon which the pool depends.

Subsequently, the attacker executed massive swaps that allowed them to extract a value close to $5 million. However, a Maximum Extractable Value (MEV) bot detected the maneuver and managed to front-run the transactions, capturing a large portion of the drained funds.

Technical Analysis and Security Team Response

The stolen funds are currently distributed across two Ethereum addresses, while authorities and on-chain analysts track the attacker’s steps. For its part, Makina Finance issued a statement clarifying that the issue is exclusively limited to DUSD liquidity positions on Curve.

#PeckShieldAlert @makinafi has been exploited for ~1,299 $ETH (~$4.13M).

The hacker was frontrun by MEV Builder (0xa6c2…).

The stolen funds are currently held in 2 addresses:
0xbed2…dE25 ($3.3M) & 0x573d…910e ($880K) pic.twitter.com/Q5WzHpfq7j

— PeckShieldAlert (@PeckShieldAlert) January 20, 2026

Fortunately, the technical team assured that there are no signs that other assets or protocol deployments were compromised during the incident. As an immediate precautionary measure, security mode was activated across all its “machines” to prevent further damage.

This new security incident occurs just one week after the multi-million dollar Truebit Protocol hack, underlining the persistent risks in decentralized finance. Experts from SlowMist and CertiK warn that the use of outdated Solidity versions continues to represent a systemic threat to the entire crypto ecosystem.

🚨 Another exploit today (4.1M):

Flashloan + permissionless AUM refresh is a dangerous combo.

A share-price oracle was pushed mid-tx, letting a Curve pool pay out at an inflated rate. ~5.1M USDC left the DUSD/USDC pool, the attacker profits about 4.1M. pic.twitter.com/t4RKYoUWDl

— n0b0dy (@nn0b0dyyy) January 20, 2026

In summary, liquidity providers in the affected pool have been instructed to withdraw their funds immediately to mitigate risks. Meanwhile, the development team continues to assess the damage and work on a comprehensive recovery plan for users affected by this attack.