On January 20, Makina Finance (MakinaFi), the DeFi execution engine, suffered from a $4.13 million loss in Ethereum. After several on-chain investigators like PeckShieldAlert took the incident to the social media platform X, the MakinaFi team responded, addressing the users of its mitigation measures.
Hackers reportedly stole nearly 1,299 Ethereum (ETH) worth of $4.13 million and moved them to two wallet addresses after exploiting a vulnerability in the Curve DUSD/USDC liquidity pool.
MakinaFi’s recovery measures
The MakinaFi team shared details of the recovery process, which was carried out with assistance from Dialectic, the operator of the DUSD Machine on MakinaFi. The team found out that the exploit involved several parties and took place over an approximately 11-minute period.
A wallet address related to a hacker deployed a hard-coded smart contract that was not publicly verified. The smart contract appeared to have been created to manipulate the price data of the Curve’s DUSD/USDC liquidity pool.
In other words, the hackers manipulated the price oracle, the tool that sends information regarding price to a blockchain/smart contract. The attacker tried to trick the oracle used by the DUSD/USDC liquidity pool, creating a fake price value.
MEV (Maximal Extractable Value) builder, a specialized trading bot, however, spotted the attacker’s smart contract, copied the same contract, and constructed blocks of transactions before hackers could take the profit.
Although it was earlier reported that hackers could not get the entire profit, the latest information from MakinaFi noted that the profits – 1,299 ETH – were then split between “the block builder and the Rocket Pool Validator that validated the block.”
Funds in DUSD remain safe
The exploitation did not affect other Curve pools like DBIT/WBTC and DETH/WETH. The attack solely hit the USDC side of the Curve DUSD/USDC pool. However, the team is currently trying to recover the remaining funds with the MEV builder, including contacting the Rocket Pool Validator.
Importantly, trading activity during the exploit has caused the DUSD machine on MakinaFi to automatically receive some fees. For newbies, the DUSD machine is the DUSD stablecoin’s smart contract system.
Dialectic will help transfer $104,491 of the fees received by the DUSD machine to the affected users. MakinaFi’s three Dialectic-operated machines were sent to recovery mode after the exploit. The recovery period is expected to end on January 26, 2026.
