Makina Finance, a decentralized finance protocol on Ethereum, lost approximately $4.2 million after an attacker exploited a vulnerable oracle mechanism in its DUSD/USDC stableswap pool, with blockchain security firm CertiK tracing the majority of stolen funds to an MEV builder address.
What Happened: Stableswap Pool Drained
The attacker used a flash loan of 280 million USDC to execute the exploit, according to CertiK's analysis.
About 170 million USDC went toward manipulating the MachineShareOracle that the DUSD/USDC pool relies on for pricing.
The remaining 110 million USDC was then traded against the roughly $5 million pool, draining it almost entirely.
Security researcher n0b0dy identified the root cause as a permissionless function called "updateTotalAum()" that allows anyone to refresh the protocol's price anchor mid-transaction.
The oracle lacked time delays, volume-weighted average pricing, and access controls — allowing the attacker to bake manipulated pool balances into the accounting system within a single transaction.
TenArmor security systems detected the attack and confirmed approximately $4.2 million in losses.
Why It Matters: Oracle Design Flaws
The exploit highlights a persistent vulnerability in DeFi protocols that rely on spot-priced oracles without proper safeguards.
When share prices can be updated instantly from current pool balances, temporary imbalances created by flash loans become exploitable "truth" for pricing calculations.
Any pool trading DUSD against that oracle effectively became a payout mechanism for the attacker.
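The gap described above can be shown in a small model. This is an added example, not Makina's contract code: the class names, the keeper role, the one-hour delay, the 2% bound and all figures are constructed assumptions, and a per-update deviation bound stands in for volume-weighted averaging as the simpler check to show.

```python
# Toy model (constructed; not Makina's contract code or real figures).
from dataclasses import dataclass


class UpdateRejected(Exception):
    pass


@dataclass
class SpotOracle:
    """Weak pattern: any caller can re-anchor the price from the current reading."""
    total_shares: int
    price: float = 1.0

    def update(self, caller: str, now: int, aum: int) -> float:
        self.price = aum / self.total_shares
        return self.price


@dataclass
class GuardedOracle:
    """Same anchor with access control, a minimum delay and a deviation bound."""
    total_shares: int
    keeper: str
    min_delay: int = 3600    # seconds between accepted updates (assumed value)
    max_move: float = 0.02   # largest accepted change per update (assumed value)
    price: float = 1.0
    last_update: int = 0

    def update(self, caller: str, now: int, aum: int) -> float:
        if caller != self.keeper:
            raise UpdateRejected("caller not authorised")
        if now - self.last_update < self.min_delay:
            raise UpdateRejected("too soon after last update")
        candidate = aum / self.total_shares
        if abs(candidate - self.price) / self.price > self.max_move:
            raise UpdateRejected("exceeds deviation bound")
        self.price, self.last_update = candidate, now
        return self.price


def try_update(oracle, caller: str, now: int, aum: int) -> str:
    """Return 'accepted' or the rejection reason; the price only moves if accepted."""
    try:
        oracle.update(caller, now, aum)
        return "accepted"
    except UpdateRejected as exc:
        return str(exc)
```

Each guard fails closed on its own: a distorted reading submitted by an unauthorised caller, in the same timestamp as the last update, or far from the last accepted price leaves the stored price unchanged.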

