
MAKINA - REKT
Thursday, January 22, 2026

Six audits. One hundred million in TVL. Zero protection against the attack vector explicitly listed as out of scope.
Makina Finance bled $4.13 million on January 20th through an oracle manipulation so textbook it could've been ripped from the Cantina CTF exclusion list.
"Losses caused by oracle price/liquidity pool manipulation, where an unchecked synchronous deposit is used."
That exact phrase sat in Cantina’s audit scope document while Dialectic, Makina's first Operator, deployed DUSD tokens into Curve pools with a share price mechanism that trusted spot prices like a tourist trusts a three-card monte dealer.
Flash loan goes in, manipulated price gets locked, profit walks out - $280 million borrowed, pools drained, one atomic transaction, no TWAP, no delay, no second chance.
MEV bots front-ran the original attacker and grabbed most of the haul, splitting $4.13 million across two addresses while Makina sent polite on-chain messages offering a 10% bounty for funds that were already being laundered.
ChainSecurity, OtterSec, SigmaPrime, Enigma Dark, Cantina - every firm signed off on "high level of security" while the protocol marketed itself as infrastructure where "every new protocol integration no longer requires new code, new audits, nor does it introduce new attack vectors."
Turns out the attack vector was flexibility itself.
When auditors write the exploit in the out-of-scope section and nobody reads the fine print, who exactly failed the security review?
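The missing check the article names (no TWAP, no delay), as an added example that is not Makina's, Curve's or any auditor's code: a share price taken from a time-weighted average, with pricing refused while spot disagrees with it. The constant-product pool is an assumed stand-in for the real Curve pools, and every name, reserve figure and the 2% bound is constructed for illustration.

```python
class PriceDeviation(Exception):
    """Spot price is too far from the time-weighted average."""

def spot_after_swap(x, y, dy):
    """Spot price y/x of a toy constant-product pool after dy of quote token goes in."""
    y2 = y + dy
    return y2 / (x * y / y2)

class Twap:
    """Time-weighted average of recorded prices over the last `window` seconds."""
    def __init__(self, window):
        self.window, self.samples = window, []  # samples: (timestamp, price)

    def record(self, t, price):
        self.samples.append((t, price))

    def value(self, now):
        start, total, covered = now - self.window, 0.0, 0
        pts = self.samples + [(now, None)]
        for (t0, p), (t1, _) in zip(pts, pts[1:]):
            lo = max(t0, start)
            if t1 > lo:  # a sample taken at `now` lasts zero seconds: zero weight
                total += p * (t1 - lo)
                covered += t1 - lo
        if covered == 0:
            raise PriceDeviation("no price history inside the window")
        return total / covered

def share_price(spot, twap, now, max_dev=0.02):
    """Return the TWAP as the share price; refuse while spot deviates from it."""
    ref = twap.value(now)
    if abs(spot - ref) / ref > max_dev:
        raise PriceDeviation(f"spot {spot:.4f} vs TWAP {ref:.4f}")
    return ref

def demo():
    twap = Twap(window=1800)
    for t in range(0, 1800, 300):  # constructed history: balanced pool, price 1.0
        twap.record(t, spot_after_swap(1_000_000, 1_000_000, 0))
    honest = share_price(1.0, twap, now=1800)
    skewed = spot_after_swap(1_000_000, 1_000_000, 400_000)  # large same-block trade
    twap.record(1800, skewed)
    try:
        share_price(skewed, twap, now=1800)
        rejected = False
    except PriceDeviation:
        rejected = True
    return honest, skewed, twap.value(1800), rejected
```

A price recorded in the same block it is read carries zero time weight, so a single atomic transaction cannot move the reference, and the deviation bound stops deposits from being priced until spot and average agree again.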
We provide an anonymous platform for whistleblowers and DeFi detectives to present their information to the community. All authors remain anonymous.
We are all rekt.