# $4.2 million vanished overnight! DUSD suffers targeted "bombing" by flash loan.
DUSD
$0.99934
0%
9 KOL Opinions
loading indicator
Loading..
Deep Dives
76
16
Comments
Deep Dives
Powered by Asksurf.ai

DUSD Flash Loan Attack Incident Analysis Report

TL;DR

In the early morning of January 20, 2026, Makina Finance's DUSD/USDC Curve pool suffered a flash loan attack. The attacker manipulated prices via oracle to steal approximately $4.2 million. The attacker used a 280 million USDC flash loan to manipulate the price of multiple Curve pools, triggering a permissionless AUM update function, ultimately withdrawing 1,299 ETH (approximately $4.13 million). The MEV bot captured all the profits, and DUSD briefly de-pegged to $0.078. Makina Finance has activated its security mode and advised LPs to withdraw liquidity; the underlying assets were unaffected.

Core Analysis

Event Timeline

Time (UTC) event Details
2026-01-20 03:40:35 Attack Execution Block 24,273,362, Gas consumption 16,774,866
2026-01-20 03:40+ MEV front-end operation Address 0xa6c2... captured 1,299 ETH ($4.13 million)
January 20, 2026, morning Security Alert PeckShieldAlert and CertiKAlert release attack details
2026-01-20 06:42 Official statement Makina Finance confirms the incident and initiates safe mode.
2026-01-20 (Daytime) DUSD de-anchoring The price fell to a record low of $0.078 before partially recovering to $0.98.
2026-01-20 All Day LP withdrawal A large amount of liquidity was removed, and the pool's TVL dropped significantly.

Attack Mechanism Explained

Core vulnerability : MachineShareOracle's permissionless updateTotalAum() function allows anyone to update the AUM/share price based on the current pool balance without any time delay or price verification mechanism.

Attack steps :

  1. Flash loan Loan : Borrowed a total of 280 million USDC from Balancer and Uniswap V3.

    • Balancer: 160,590,920 USDC
    • Uniswap V3: 119,409,080 USDC

  2. Price manipulation stage :

    • Large transactions were executed across multiple Curve pools using approximately 170 million USDC.
    • Target pools: MIM/3Crv pool, 3Crv pool, DUSD/USDC pool
    • The amount involved in the manipulation: 650M+ 3Crv, 52M+ MIM

  3. Oracle exploitation :

    • Call MachineShareOracle.updateTotalAum() to refresh AUM
    • Execution is proxied via 0x6b00_BeaconProxy and 0xd1a1_BeaconProxy.
    • The inflated share price was calculated based on the manipulated pool balance.

  4. Funds withdrawal :

    • Round 1: 110 million USDC were invested, minting 99,206,722 DUSDUSDC LP tokens, and 9,215,229 DUSD were withdrawn.
    • Round Two: Repeat the process, minting 125M DUSDUSDC LP, and withdrawing another 9.2M DUSD.
    • The withdrawn DUSD will be exchanged for 112.8 million USDC (at the inflated price).

  5. Profit conversion :

    • Exchange 4.24 million USDC for 1,299 WETH on Uniswap V3.
    • Unpacking yielded 1,299 ETH.

  6. MEV snatched the deal :

    • The MEV robot (0xa6c2...) was running in the lead-in stage, capturing all 1,299 ETH.
    • The attacker's expected profits were completely intercepted.

Key addresses involved

type address illustrate
DUSD token 0x5bc25f649fc4e26069ddf4cf4010f9f706c23831 DefiDollar (DUSD) ERC-20 Contract
Attack Pool 0x32e616f4f17d43f9a5cd9be0e294727187064cb3 DUSD/USDC Curve StableSwap Pool
Attacking transactions 0x569733b8016ef9418f0b6bde8c14224d9e759e79301499908ecbcd956a0651f5 Major vulnerability exploitation transactions
attacker address 0x935bfb495e33f74d2e9735df1da66ace442ede48 Address of the attack
MEV Robot 0xa6c248384c5ddd934b83d0926d2e2a1ddf008387 Block builder capturing profits
Fund Flow 1 0xbed2558a6275712a6fcad7c787234c6d64d5de25 Approximately $3.3 million in ETH
Fund Flow 2 0x573d1e2f6bd96bc902a95e27d24bfb90522c910e Approximately $880,000 in ETH (276 ETH)

Fund Flow Analysis

Key transfers in the transaction (54 ERC-20 transfer events in total):

Tokens direction quantity use
USDC borrow 280 million Flash Loan Principal
USDC Injection pool 220 million+ Price manipulation and extraction
DUSDUSDC LP Casting 224 million Casting with inflated prices
DUSD extract 18.4 million Excessive extraction from the pool
3Crv manipulate 650 million+ Cross-pool price manipulation
MIM manipulate 52 million+ Auxiliary Price Distortion
USDC Exchange 112.8 million Exchanged for at an inflated price
WETH final 1,299 Profit conversion
ETH Stolen 1,299 MEV robot capture

Net loss : Approximately 5.1 million USDC equivalent was withdrawn from the pool. After deducting fees and slippage, the attacker expected a net profit of approximately 4.1 million USD, but it was completely intercepted by the MEV bot.

Subsequent fund movement : As of January 20, 2026 UTC, the stolen funds have been distributed to two wallets. No coin mixing, cross-chain or exchange deposits have been observed, and the funds can still be tracked on-chain.

Impact Assessment

Impact of DUSD token :

  • Price volatility : The price plummeted to a record low of $0.078 (-92%) during the session, before partially recovering to $0.98.
  • 24-hour trading volume : surged to $39.7 million
  • Coin holding distribution : The top 10 addresses hold approximately 98% of the coins, and the top holders (74.59%) have not significantly sold off their holdings.
  • Total supply : 903,132.63 DUSD remains stable.

Curve pool impact :

  • TVL drain : The DUSD balance in the pool has reached zero, and approximately $5 million of the pre-attack TVL has been completely drained.
  • LP Behavior : Dozens of remove_liquidity transactions following the attack; LP urgently withdrew its investment as advised.
  • Liquidity depletion : 80%+ of pool liquidity was withdrawn within the day.

Impact at the agreement level :

  • The remaining portion of Makina Finance's approximately $100 million TVL was unaffected.
  • Event isolation in DUSD Curve LP positions ensures the safety of underlying assets.
  • This exposes the systemic risks of relying on a single oracle source and permissionless AUM updates.

Official response

Makina Finance Statement (2026-01-20 06:42 UTC):

  • The confirmation event only affects DUSD Curve LP positions.
  • The underlying assets are safe.
  • Safe mode has been enabled for all "Machines" (protocol components).
  • It is recommended that affected LPs withdraw their liquidity immediately.
  • Commitment to continuous updates and transparency

Recovery Operation :

  • Send on-chain messages to MEV address holders, offering a 10% bounty in exchange for a refund.
  • As of the latest report (January 20, 2026), no funds have been recovered.
  • The investigation is still ongoing.

Community and safety expert response

Security agency analysis :

  • PeckShield and CertiK quickly issued warnings detailing the flash loan mechanism and oracle vulnerabilities.
  • BlockSec/Phalcon releases step-by-step technical analysis, visualized via PhalconExplorer.
  • Experts point out that the lack of the SafeMath library and real-time validation are key shortcomings.

Social media sentiment :

  • Discussion was relatively limited (on the day the incident occurred), with the official announcement receiving the main attention.
  • User @CryptoPatel provides a detailed analysis of the attack mechanism and calls for the revocation of contract authorization. x.com
  • Overall sentiment is cautious, with a focus on immediate risk mitigation rather than widespread controversy.

Industry trend discussion :

  • This again highlights the ongoing risks of DeFi oracle manipulation and the pre-running of MEVs.
  • This has sparked calls for multi-layered protection mechanisms for stablecoin pools and enhanced auditing.
  • This is associated with other vulnerability incidents in 2026, creating a systemic threat.

in conclusion

This DUSD flash loan attack is a textbook example of oracle manipulation, fully exposing the vulnerability of DeFi protocols that rely on permissionless, instant-update mechanisms to sophisticated attacks. While the attackers' meticulously designed multi-pool price manipulation technically succeeded in extracting approximately $4.1 million, it was ultimately intercepted by the MEV bot, resulting in an ironic "mantis stalks the cicada, unaware of the oriole behind" scenario.

The incident caused direct losses to DUSD holders and Curve LPs, but Makina Finance's rapid response and asset segregation prevented a wider ripple effect. This incident once again demonstrates the multidimensional challenges of DeFi security: it requires not only preventing contract vulnerabilities but also dealing with complex threats such as oracle manipulation, flash loan attacks, and MEV withdrawals. For the entire industry, this is a costly wake-up call, highlighting the necessity of protective mechanisms such as time-delay oracles, multi-source price verification, and access control.

Ask Surf More