Makina’s $4M Hack due to Oracle Manipulation

On January 20, 2026, the Makina DeFi protocol — an execution engine for on-chain yield and asset management — suffered a ~$4 million exploit targeting its Dialectic USD (DUSD)/USDC Curve stableswap pool. The attack stemmed from oracle manipulation via external Curve Finance integrations, where unvalidated pool data was used to calculate assets under management (AUM) and sharePrice.

By leveraging flash loans, the attacker artificially inflated AUM values, manipulated sharePrice calculations, and extracted profit in a single transaction. While the exploit impacted only the DUSD/USDC pool, it highlighted a broader and recurring DeFi risk: over-reliance on external liquidity data without adequate safeguards.

How the Exploit Worked?

The attacker executed a carefully orchestrated multi-step attack using large flash loans sourced from Morpho and Aave V2. These borrowed funds were temporarily injected into multiple Curve pools to distort liquidity balances and pricing assumptions.

First, the attacker added liquidity to Makina’s DUSD/USDC pool and swapped USDC for DUSD, positioning themselves to benefit from price manipulation. They then added substantial liquidity to Curve’s DAI/USDC/USDT and MIM-related pools, receiving LP tokens that were later partially withdrawn to skew pool balances.

These manipulated balances were critical. Makina’s Caliber contract relied on external Curve functions — such as calc_withdraw_one_coin() and pool balance readings—to compute positional AUM. With liquidity temporarily inflated, these calculations produced artificially high values.

Once the attacker called accountForPosition(), the inflated external data propagated through Makina’s accounting system. The protocol’s total AUM jumped significantly, pushing the sharePrice from ~1.01 to ~1.33 within the same transaction.

With the sharePrice distorted, the attacker arbitraged the DUSD/USDC pool, withdrew liquidity, and repeated the cycle until the pool’s USDC reserves were largely drained. After unwinding the flash loans, the attacker converted the stolen funds to ETH and transferred ~1,299 ETH to external addresses.

Notably, part of the transaction was front-run by an MEV bot, which captured a portion of the profit — further illustrating how composability amplifies loss surfaces during exploits.

Root Cause: Unchecked External Data

At its core, the vulnerability lay in Makina’s trust assumptions. External pool data was treated as reliable input for critical accounting logic, without sufficient sanity checks, rate limits, or flash-loan resistance. The use of upgradeable contracts and the absence of time-weighted or delayed AUM calculations compounded the issue.

This exploit reinforces a key DeFi lesson: external data should inform systems — not directly dictate their financial state.

Notably, many of the largest DeFi exploits in 2025 followed similar patterns, where untrusted external data and integration assumptions were repeatedly abused at scale. These recurring failure modes are analyzed in depth in our Web3 2025 Hack Report, which examines how such vulnerabilities continue to dominate real-world attacks.

Want the Full Technical Breakdown?

Aftermath and Response

Following the attack, Makina paused protocol operations, advised LPs on withdrawal options, and coordinated with multiple security firms for investigation and recovery. A 10% whitehat bounty was offered to the exploiter, though no funds had been returned at the time of writing.

Makina’s $4M Hack due to Oracle Manipulation was originally published in Coinmonks on Medium, where people are continuing the conversation by highlighting and responding to this story.