Exploit Details Emerge
Blockchain security firm CertiK has flagged a suspected exploit at decentralized finance protocol Makina Finance, reporting that approximately $5 million was drained from one of its stablecoin pools. CertiK's analysis indicates that the attack utilized a substantial flash loan, valued at around $280 million in USDC. This large loan was reportedly used to manipulate on-chain pricing mechanisms, enabling the extraction of liquidity.
As of the time of this report, the protocol has not issued a formal confirmation of the exploit. On-chain data analyzed by CertiK shows that the stolen funds are currently held in two distinct addresses, one linked to the attacker and another to a miner-extractable value (MEV) builder. No recovery efforts or compensation plans have been publicly announced by Makina Finance.
Makina Finance commenced operations in February 2025, positioning itself as a DeFi execution engine designed for institutional users with its offering of strategy vaults. Prior to this incident, the protocol's total value locked (TVL) was approximately $100 million, according to publicly accessible DeFi tracking data.
Investor Takeaway
Flash-loan-driven exploits remain a significant risk in decentralized finance, affecting even newer protocols with substantial total value locked and institutional branding.
Mechanism of the Stablecoin Pool Drain
CertiK's detailed breakdown suggests that the attacker specifically targeted Makina's DUSD/USDC Curve stablecoin pool. The exploiter initiated the attack by borrowing 280 million USDC through a flash loan. Subsequently, approximately 170 million USDC was employed to skew the pricing data supplied by the MachineShareOracle, a critical component that the pool relies on for calculating exchange rates.
Once the oracle data was compromised, the attacker proceeded to swap around 110 million USDC against a pool that contained only about $5 million in liquidity. This severe imbalance allowed the attacker to drain the pool's assets before repaying the initial flash loan within the same transaction. Other security firms have reported slightly varying estimates of the financial losses. GoPlus Security placed the figure close to $5.1 million, while PeckShield calculated the damage at approximately $4.13 million when converted to ether.
CertiK further noted that an MEV builder acquired a substantial portion of the drained funds—around $4.14 million—following the execution of the exploit.
Makina Finance's Response
Makina Finance has not yet officially acknowledged a confirmed exploit through its primary social media channels. In an initial communication posted on its Discord server, the team stated that they were "aware of posts circulating about a potential incident" and were in the process of verifying the details. Approximately two hours later, the team provided a second update on Discord, indicating that the issue "appears to be isolated to DUSD LP positions on Curve" and advised liquidity providers to withdraw their funds.
This statement stopped short of confirming any losses or outlining concrete next steps. The absence of a clear, public statement has led users to rely on information from third-party security firms for details regarding the incident. So far, there has been no disclosure concerning paused contracts, emergency governance actions, or discussions with validators or MEV builders.
Investor Takeaway
Delayed or limited communication following a security incident can heighten uncertainty for liquidity providers, even in situations where losses appear to be confined to a single pool.
Recurring Vulnerabilities in Oracle Attacks
The incident at Makina Finance aligns with a recurring pattern observed in DeFi exploits: the use of flash loans to overwhelm limited liquidity or manipulate oracle inputs. Even protocols that utilize established pool designs or pricing feeds can be vulnerable to edge cases when attackers introduce disproportionately large, short-lived capital. Stablecoin pools are often perceived as lower-risk targets due to the similar pricing of their assets. However, this perception can obscure underlying vulnerabilities, particularly when oracles depend on pool balances or share-based calculations that react poorly under extreme market conditions.
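As an added illustration (not code from Makina, CertiK or any project named here), this Python model shows why a share price read straight from current balances is fragile, and how a deviation guard against prices committed in earlier blocks rejects a same-block spike. The formula price = assets / shares, the 2% band, the five-block window and every balance are assumptions constructed for the example; the page does not describe how MachineShareOracle computes its value.

```python
class OracleDeviation(Exception):
    """Raised when a spot reading strays too far from the committed reference."""


class GuardedOracle:
    """Deviation guard over a balance-derived share price (hypothetical design)."""

    def __init__(self, initial_price, max_deviation=0.02, window=5):
        self.max_deviation = max_deviation   # assumed policy: 2% band
        self.window = window                 # committed blocks kept for the mean
        self.committed = [initial_price]     # one accepted price per finished block
        self.pending = None                  # (block, last accepted spot in that block)

    def reference(self):
        return sum(self.committed) / len(self.committed)

    def read(self, block, assets, shares):
        # Commit the last accepted price of an *earlier* block only, so nothing
        # observed inside the current block can move the reference.
        if self.pending and self.pending[0] < block:
            self.committed = (self.committed + [self.pending[1]])[-self.window:]
            self.pending = None
        spot = assets / shares               # the manipulable spot calculation
        ref = self.reference()
        if abs(spot - ref) / ref > self.max_deviation:
            raise OracleDeviation(f"block {block}: spot {spot:.4f}, reference {ref:.4f}")
        self.pending = (block, spot)         # rejected readings never reach history
        return spot


def simulate():
    """Constructed scenario: steady accrual, then a one-block balance spike."""
    shares, assets = 100_000_000.0, 100_000_000.0
    oracle = GuardedOracle(initial_price=1.0)
    log = []
    for block in range(1, 8):
        assets += 10_000                                # constructed organic growth
        transient = 170_000_000 if block == 5 else 0    # same-block capital, gone afterwards
        try:
            price = oracle.read(block, assets + transient, shares)
            log.append((block, "accepted", round(price, 4)))
        except OracleDeviation:
            log.append((block, "rejected", None))
    return log


if __name__ == "__main__":
    for row in simulate():
        print(row)
```

The guard acts as a circuit breaker: it also rejects a genuine move larger than the band, so a deployment needs a defined path for resuming after a legitimate repricing.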
The involvement of MEV builders introduces an additional layer of complexity. In this particular case, CertiK reported that a builder captured the majority of the profits, raising questions about the ultimate amount of value retained by the attackers and the frequency with which third parties profit from the aftermath of exploits rather than the exploits themselves.
Context within the Broader Security Landscape
The suspected exploit at Makina Finance adds to a year already marked by significant crypto losses. According to data from Chainalysis, crypto theft surpassed $3.41 billion in 2025, with state-linked actors responsible for a substantial portion of this total. While the Makina incident does not appear to be connected to state-backed groups, it underscores the ongoing prevalence of technical attacks alongside geopolitical threats in the digital asset space.

