DeFi Suffers $4.1M Flash-Loan Blow

At a Glance

  • Makina Finance lost 1,299 ETH in a January 20 flash-loan exploit
  • Attacker borrowed 280 million USDC to manipulate the DUSD/USDC pool oracle
  • $4.13 million drained before funds split between two wallets
  • Why it matters: Another oracle-manipulation attack underscores ongoing DeFi security gaps

Makina Finance became the latest DeFi casualty after an attacker used a 280 million USDC flash loan to distort pricing data and siphon $4.1 million from its DUSD/USDC Stableswap pool.

How the Attack Unfolded

Blockchain security firm PeckShieldAlert first flagged the breach on X, reporting that roughly 1,299 ETH, about $4.13 million, had been stolen from the protocol.

On-chain records show the hacker:

  • Took out a 280 million USDC flash loan
  • Funneled 170 million USDC to manipulate the MachineShareOracle
  • Swapped 110 million USDC through the pool to extract $5 million in value

A MEV bot operating from address 0xa6c2 front-ran the malicious transaction, draining the 1,299 ETH before the attacker could complete the final moves. The stolen assets were later split:

Destination address    Amount held
0xbed2                 $3.3 million
0x573d                 $880,000

Protocol Response

Makina Finance addressed users on social media:

> “Gmak, early this morning we received reports regarding an incident with the $DUSD Curve pool.”

The team stressed that only DUSD liquidity-provider positions on Curve were affected; other assets and deployments remain untouched. Underlying assets stored in the protocol’s machines are secure, they added.

As a protective step, security mode has been activated across all machines while the investigation continues. Liquidity providers in the DUSD Curve pool have been urged to withdraw funds.

Wider DeFi Fallout

The incident follows last week’s Truebit Protocol breach, which cost the project $26.5 million in ETH. In that case, the attacker exploited a smart-contract pricing flaw to mint TRU tokens at no cost. No recovery plan has been announced, and the stolen funds still sit on-chain.

Security vendors SlowMist and CertiK have since published post-mortems warning that outdated Solidity versions pose systemic risks. They recommend wrapping calculations with the SafeMath library to prevent integer-overflow vulnerabilities.

Key Takeaways

  • Oracle manipulation remains a popular attack vector when pricing data can be distorted with large flash loans
  • MEV bots can front-run malicious transactions, complicating fund recovery
  • Protocols relying on single oracles face heightened risk
  • Outdated Solidity versions continue to expose DeFi projects to known exploits
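
The first and third takeaways can be made concrete with a small model. This is an added example, not code from Makina, Curve, or the original report: it shows why a price read from pool reserves can be distorted within one transaction, and how checking that reading against a time-weighted average rejects it. Assumptions: a fee-free constant-product pool stands in for the StableSwap curve, and all reserves, trade sizes, timestamps, and the 2% threshold are constructed.

```python
from dataclasses import dataclass

class PriceRejected(Exception):
    """Raised when the spot price strays too far from the reference price."""

@dataclass
class Pool:
    dusd: float  # constructed reserve, not on-chain data
    usdc: float  # constructed reserve, not on-chain data

    def spot_price(self) -> float:
        """USDC per DUSD implied by reserves; one large trade can move it."""
        return self.usdc / self.dusd

    def swap_usdc_in(self, amount: float) -> float:
        """Sell USDC for DUSD along x*y=k (fee-free simplification)."""
        k = self.dusd * self.usdc
        self.usdc += amount
        dusd_out = self.dusd - k / self.usdc
        self.dusd -= dusd_out
        return dusd_out

def twap(observations, now):
    """Time-weighted mean of (timestamp, price) pairs. Each price is weighted
    by how long it was in force, so a same-block price weighs nothing."""
    ends = [t for t, _ in observations[1:]] + [now]
    weighted = sum(p * (end - t) for (t, p), end in zip(observations, ends))
    elapsed = now - observations[0][0]
    if elapsed <= 0:
        raise ValueError("TWAP needs observations spanning a non-zero window")
    return weighted / elapsed

def guarded_price(spot, reference, max_deviation=0.02):
    """Return spot only if it is within max_deviation of the reference."""
    if abs(spot - reference) / reference > max_deviation:
        raise PriceRejected(f"spot {spot:.4f} vs reference {reference:.4f}")
    return spot

def simulate():
    """Ten calm 12-second blocks, then one large trade read in the same block."""
    pool = Pool(dusd=10_000_000.0, usdc=10_000_000.0)
    obs = [(t, pool.spot_price()) for t in range(0, 120, 12)]
    pool.swap_usdc_in(5_000_000.0)        # large borrowed trade at t=120
    obs.append((120, pool.spot_price()))  # distorted reading, same block
    return pool.spot_price(), twap(obs, now=120), obs
```

Because a flash loan must be repaid inside the transaction that took it, the distorted price never accrues time weight; a protocol that consumes `guarded_price(spot, twap_value)` instead of the raw spot value halts rather than pricing shares off the manipulated reading.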

Sophia A. Reynolds reported for News Of Los Angeles.
