The hacker was frontrun by MEV Builder (0xa6c2...).
The actor then traded $110 million on the pool, before draining it of over 1,000 ETH.
“Basically, the root cause of the bug is a classic price manipulation issue,” said a spokesperson for PeckShield, speaking to Decrypt.
PeckShield explained that the token price for the DUSD-DUSDC liquidity pool is calculated via the platform’s spot prices, which were manipulated by the flash loan.
The spokesperson added, “The hacker in essence adds liquidity right before the hack, next inflates the price, and after that withdraws the LP with profit.”
PeckShield’s spokesperson says that this “provides a better choice in getting the stolen funds back,” although there has so far been no indication that Makina has identified or reached out to the MEV builder involved.
At this stage, the issue appears to be isolated to DUSD LP positions on Curve. There is currently no indication that other assets or deployments are affected.
Underlying assets held in…
The firm has activated the security mode on all its smart vaults (dubbed ‘Machines’) as it assesses the situation, while advising liquidity providers in the DUSD Curve pool to remove any remaining liquidity.
It will determine next steps, and provide updates as and when they are available.
DeFi and flash loan exploits
