On January 20, Makina Finance suffered an exploit that removed about 1,299 ETH, roughly $4.1 million, from its DUSD/USDC Curve pool. According to CertiKAlert, the attacker used a $280 million USDC flash loan, manipulated the MachineShareOracle, and swapped $110 million USDC to extract nearly $5 million.
A MEV bot then front-ran the activity and executed rapid trades that enabled the drain. According to PeckShieldAlert, the stolen funds were moved to two addresses holding about $3.3 million and $880,000.
Makina Finance activated security mode across its machines and told liquidity providers to withdraw their DUSD Curve positions. The team also said the problem is limited to DUSD Curve positions and that underlying machine assets remain safe, stating “Gmak, early this morning we received reports regarding an incident with the $DUSD Curve pool.”
Reports indicate the attacker was initially funded via Tornado Cash on Ethereum, then bridged to Base using GasZip and acquired about 144,000 SYP tokens, reports show. SynapLogic later confirmed its systems are operating normally and that user funds remain safe.
The incident follows a recent breach at the Truebit Protocol, which lost about $26.5 million in ETH after a pricing logic flaw. Post-mortems by SlowMist and Certik have published analysis, warning that outdated Solidity versions pose systemic risks (Ed. note: such outdated code can cause critical logic vulnerabilities).
