Makina MachineShareOracle Drain

On January 20, 2026, the on-chain yield and asset-management protocol Makina lost approximately $4.13 million when an attacker manipulated the MachineShareOracle that reported share prices to the Dialectic USD (DUSD) / USDC Curve stableswap pool. The attacker used $280 million in flash loans with $170 million deployed specifically to move the oracle reading. After SafeHarbor-policy white-hat negotiation, 89% of affected users had funds fully recovered within a week.

What happened

Makina ran "Machines" — automated yield-management vaults that integrated with external DeFi protocols (Curve, Aave, others) to deploy user capital. Each Machine's share price was computed via a MachineShareOracle that reported assets-under-management to the Curve pool where users provided liquidity.

The fatal flaw: the MachineShareOracle's AUM calculation read pool state from external Curve integrations without validation. By manipulating the external pool's state, an attacker could push the oracle's reported price to incorrect values — which then affected how Makina's Curve pool valued user deposits and withdrawals.

The attack:

1. Took a $280M USDC flash loan.
2. Deployed approximately $170M into the Curve pools that the MachineShareOracle read from, distorting the pool state to artificially inflate the AUM Makina would report.
3. The MachineShareOracle reported the inflated AUM, pushing the DUSD/USDC Curve pool's share price upward.
4. Deposited and immediately withdrew Makina positions at the inflated share price, extracting more than they put in.
5. Repaid the flash loan and walked with approximately $4.13M profit.

Aftermath

• The Makina team activated "security mode" across all Machines, pausing operations to prevent further losses.
• Advised LPs to single-side withdraw to DUSD from the affected pool while remediation was underway.
• The team took on-chain snapshots pre-exploit for compensation calculations.
• Coordinated with SEAL911, ChainSecurity, EnigmaDarkLabs, and Cantina for incident review.
• Offered the attacker a 10% bounty (up to 102.3 ETH) via the SafeHarbor WhiteHat policy.
• The attacker accepted the offer: $3.65M+ was recovered and 89% of users were fully made whole within a week.
• The protocol resumed full normal operations on January 26, 2026 — only six days after the exploit.

Why it matters

The Makina incident is one of the cleaner 2026 cases for how a well-architected incident-response process can convert a meaningful exploit into a contained operational event. The SafeHarbor WhiteHat policy that Makina had pre-committed to — including the bounty structure and the legal-protection terms — provided the attacker a credible path to white-hat resolution, which they took.

The structural lessons:

1. SafeHarbor-style policies are increasingly worth pre-committing to rather than negotiating in the middle of an incident. The attacker's choice between "launder $4M with prosecution risk" and "accept $400K bounty with prosecution protection" is meaningfully shifted by the policy being clearly documented and ready to execute rather than improvised.

2. Oracle integrations with external pools must validate against manipulation — the Makina MachineShareOracle's failure mode was reading pool state without considering that the pool was external and manipulable. Modern defensive patterns include reading from multiple pools, applying time-weighted aggregation, and capping per-block oracle movement.

3. The 6-day "exploit-to-full-recovery" timeline is one of the fastest documented for a $4M+ DeFi incident. The combination of clear pre-built process, working white-hat path, and engaged incident-response partners (SEAL911 et al.) made this possible. Protocols that don't pre-stage these capabilities take weeks or months for similar outcomes.

Makina joins the growing 2025-2026 category of "medium-scale exploit, fast recovery via negotiated white-hat" — a pattern that's becoming the dominant settlement path for incidents in the $1M-$20M range.