Source: Yellow Original Title: Ethereum DeFi Platform Loses $4.1 Million in Flash Loan Attack

Original Link: https://yellow.com/es/news/plataforma-defi-de-ethereum-pierde-41-millones-de-dd-in-attack

Ethereum DeFi Platform Loses $4.1 Million in Flash Loan Attack

The DeFi platform Makina Finance lost 1,299 ETH worth approximately $4.1 million on January 20 after attackers manipulated the price oracles in its DUSD-USDC liquidity pool hosted on Curve Finance.

An MEV builder front-run the attack and captured most of the stolen funds, complicating recovery efforts for the yield management protocol launched in February 2025.

The blockchain security firm PeckShield first detected the exploit at 03:40:35 UTC, with the attacker converting the stolen tokens into ETH through two wallets currently holding the assets.

What happened

The attacker took a flash loan of 280 million USDC, using 170 million to manipulate the MachineShareOracle that determines prices for the Dialectic USD and Dialectic USDC stablecoin pools.

After artificially inflating the pool prices, the attacker traded 110 million USDC against the manipulated pool to drain 1,299 ETH before repaying the flash loan.

PeckShield confirmed that the attack exploited a price manipulation vulnerability, with the attacker adding liquidity immediately before inflating prices and then withdrawing with profits.

However, an MEV builder address starting with 0xa6c2 front-ran the transaction that drained the pool, capturing approximately $4.14 million of the stolen funds.

Current status

The stolen ETH is currently in two Ethereum addresses: wallet 0xbed2…dE25 with $3.3 million and wallet 0x573d…910e with $880,000.

Makina activated security mode across all its smart vaults and advised liquidity providers in the DUSD pool on Curve to withdraw remaining funds.

The platform confirmed that the exploit only affected DUSD liquidity provider positions on Curve, with other assets and deployments remaining unaffected.

Security firms such as PeckShield, ExVul, and TenArmor urged users to revoke smart contract permissions and avoid interacting with Makina contracts until the investigation is complete.

DeFi security context

Flash loan exploits remain common despite increased security. The decentralized exchange Bunni lost $8.4 million in October 2025, and Shibarium suffered a $2.4 million attack in September.

However, data from Chainalysis shows that DeFi hack losses remained contained throughout 2025, even as total value locked reached $119 billion, marking a break from historical patterns where capital inflows correlated with increased attacks.

Total cryptocurrency thefts reached $3.4 billion in 2025, but the focus of attacks shifted toward centralized exchanges and personal wallets rather than DeFi protocols.