Makina Finance: Permissionless share price oracle update (updateTotalAum) + flash loan Curve pool manipulation → share price inflation → LP drain
Summary
Makina Finance, a Yield Aggregator / DeFi Execution Engine, was exploited on 2026-01-20, resulting in a loss of approximately $4M.
What happened
Makina Finance is a modular DeFi execution engine with a "Machine" architecture. Dialectic, Makina's first Operator, deployed DUSD tokens into a DUSD/USDC Curve StableSwap pool. The share price oracle () relied on an function that was permissionless and pulled spot prices from Curve's — a function that reflects current pool balances with no time delay, no TWAP, and no access control.
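As an added illustration (not code from this incident record or from Makina's contracts), the Python model below contrasts a permissionless AUM update that values the machine's DUSD position at the pool's live spot price with one that refuses the refresh while spot disagrees with an independent reference. The pool balances, the machine's position, the reference feed and the 2% bound are constructed assumptions, and a constant-product curve stands in for Curve's StableSwap.

```python
from dataclasses import dataclass

@dataclass
class Pool:
    # Constructed two-asset pool; constant product stands in for StableSwap, and in both
    # cases the spot price is a pure function of the current balances.
    dusd: float
    usdc: float
    def spot_price(self) -> float:  # USDC per DUSD: no time delay, no TWAP
        return self.usdc / self.dusd
    def swap_usdc_for_dusd(self, usdc_in: float) -> float:
        k = self.dusd * self.usdc
        new_usdc = self.usdc + usdc_in
        dusd_out = self.dusd - k / new_usdc
        self.usdc, self.dusd = new_usdc, self.dusd - dusd_out
        return dusd_out

@dataclass
class Machine:
    pool: Pool
    dusd_held: float      # machine's DUSD position, valued through the pool
    shares: float
    ref_price: float      # assumed independent reference (delayed or medianized feed)
    max_deviation: float  # tolerated |spot / ref - 1| before an update is refused
    total_aum: float = 0.0
    def update_total_aum_unguarded(self) -> float:
        # Vulnerable pattern: callable by anyone, values holdings at the live spot price.
        self.total_aum = self.dusd_held * self.pool.spot_price()
        return self.total_aum / self.shares  # resulting share price
    def update_total_aum_guarded(self) -> float:
        # Hardened pattern: refuse the refresh while spot disagrees with the reference.
        spot = self.pool.spot_price()
        if abs(spot / self.ref_price - 1.0) > self.max_deviation:
            raise ValueError(f"spot {spot:.4f} deviates from reference {self.ref_price}")
        self.total_aum = self.dusd_held * spot
        return self.total_aum / self.shares

def fresh_machine() -> Machine:
    # Constructed balances: 1M DUSD / 1M USDC pool; machine holds 500k DUSD, 500k shares
    return Machine(Pool(1_000_000.0, 1_000_000.0), 500_000.0, 500_000.0, 1.0, 0.02)

def run_scenario(usdc_pushed_into_pool: float) -> dict:
    """Share price seen by each update path after one large swap skews the pool."""
    fair = fresh_machine().update_total_aum_unguarded()
    m = fresh_machine(); m.pool.swap_usdc_for_dusd(usdc_pushed_into_pool)
    g = fresh_machine(); g.pool.swap_usdc_for_dusd(usdc_pushed_into_pool)
    try:
        guarded = g.update_total_aum_guarded()
    except ValueError:
        guarded = None  # update refused: the share price cannot be inflated this way
    return {"fair": fair, "unguarded": m.update_total_aum_unguarded(), "guarded": guarded}
```

A deviation bound is only one layer; the guarded path still depends on the reference feed being independent of the pool being skewed, which is what RD-F-053 and RD-F-056 below point at.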
Linked factors
- RD-F-001 — causal : ★ Audit scope mismatch — alternate field name [via dashboard_risk_factors/Exploited code in scope?: No — the Dialectic Curve pool integration was deployed in late October 2025, after all audits completed; oracle manipulation explicitly list...] || ★ Direct: Audit scope mismatch (report commit ≠ deployed bytecode) [via cross-hack: Factor 1: Audit Scope Mismatch]
- RD-F-006 — causal : Audit-deploy gap — alternate field name [via dashboard_risk_factors/Code newly deployed/upgraded?: Y — Dialectic's DUSD/USDC Curve pool integration deployed post-audit in late October 2025; exploit occurred 6 weeks after deployment] || Time between audit end and deploy [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract]
- RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: None pre-exploit (10% offered post-hack)]
- RD-F-013 — causal : Arbitrary call with user-controlled args [via cross-hack: Factor 14: Public Permissionless Functions That Can Re-Trigger Vulnerable State]
- RD-F-014 — related : Reentrancy guard absence [via cross-hack: Factor 14: Public Permissionless Functions That Can Re-Trigger Vulnerable State]
- RD-F-050 — causal : Dependency graph [via cross-hack: Factor 6: Cross-Protocol / Composability Complexity]
- RD-F-052 — related : Breakage analysis [via cross-hack: Factor 6: Cross-Protocol / Composability Complexity]
- RD-F-053 — causal : ★ Oracle source = spot DEX pool (no TWAP, no fallback) [via cross-hack: Factor 16: Single-Source VWAP / Thin-Liquidity Oracle Without Flash Swap Filtering]
- RD-F-055 — related : Underlying oracle pool depth (USD) [via cross-hack: Factor 16: Single-Source VWAP / Thin-Liquidity Oracle Without Flash Swap Filtering]
- RD-F-056 — related : Single-pool oracle (no medianization) [via cross-hack: Factor 16: Single-Source VWAP / Thin-Liquidity Oracle Without Flash Swap Filtering]
- RD-F-099 — illustrative : Oracle price deviation > X% from secondary source — RT signal would have fired [via realtime_signals/Oracle anomaly (Y/N): Y — extreme share price spike during flash loan manipulation would be detectable via oracle monitoring]
- RD-F-141 — related : Test-mode parameters left on in deploy (possibly related) [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract]
- RD-F-146 — related : New deploys in last 30 days (fresh attack surface) [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract]