A new blow has hit the DeFi world. Makina Finance, a protocol labeling itself as an ‘institutional’ execution engine, has suffered an estimated $5 million hack, according to analyses. The sophisticated and swift attack targeted a stablecoin pool and relied on a massive USDC flash loan.
Flash Loan of $280 Million as Main Weapon
According to on-chain data, the attacker took out a $280 million USDC flash loan to manipulate the protocol’s internal mechanisms. Out of this amount, around 170 million was used to manipulate the price oracle that the DUSD/USDC stablecoin pool on Curve depends on. Once the prices were artificially altered, the attacker exchanged nearly 110 million USDC for a pool worth only about $5 million, draining almost all available liquidity.
This kind of scenario is a familiar concept in DeFi: relatively shallow pools, combined with price-sensitive oracles, become vulnerable to artificially injected volumes through flash loans.
Diverging Estimates, but Real Impact
Not all security firms agree on the exact amount of losses. GoPlus Security mentions a $5.1 million loss, while PeckShield estimates the attack at just over $4 million in Ether. CertiK, on the other hand, highlights an additional aspect: a significant portion of the funds was captured by an MEV builder, intercepting around $4.1 million in the aftermath of the attack.
As a result, the funds are now split between two addresses, one controlled by the initial attacker and the other linked to the MEV infrastructure. This configuration complicates any immediate recovery efforts but could prove beneficial in the long run.
A still hesitant communication
Currently, Makina Finance has not officially confirmed the exploit on its main public channels. In an initial Discord message, the team stated they were ‘aware of reports mentioning a potential incident’ and conducting verifications. A second message, posted approximately two hours later and shared on X, specifies that the issue seems limited to DUSD liquidity positions on Curve and advises liquidity providers to withdraw their funds.
Notably, no explicit mention of losses has been made, fueling uncertainty among users and investors.
A brutal reminder of persistent risks in DeFi
Makina Finance claims over $100 million in total locked value and positions itself on products meant to meet institutional standards. The attack highlights a common mismatch between this narrative and the technical reality of protocols, where a vulnerability in an oracle or pricing logic can lead to significant losses.
This incident adds to an already heavy year for the ecosystem. In 2025, cryptocurrency-related thefts surpassed $3.4 billion, underscoring that despite progress in audits and security, DeFi remains a high-risk experimentation ground.
For Makina Finance, the focus now is twofold: clarifying the actual extent of losses and restoring trust. In a market already under pressure, every hour of silence matters.
