A "directional blasting" flash loan attack exposes structural cracks in stablecoin liquidity

Event Review

In the early hours of January 20, 2026, a highly precise flash loan attack drained approximately $4.2 million from the DUSD/USDC liquidity pool on Curve, becoming one of the most technically targeted stablecoin attacks at the beginning of 2026. This attack did not touch the core minting or redemption mechanisms of DUSD but focused on a single liquidity venue, clearly revealing how systemic risks can be rapidly amplified in localized areas when oracle dependence, liquidity assumptions, and DeFi composability overlap.

DUSD is a stablecoin issued by the multi-chain DeFi execution engine Makina Finance. According to information disclosed afterward, the attacker borrowed approximately $280 million in USDC through a flash loan, manipulated the price inputs related to the pool in a very short time, inflated the book value of the liquidity position, and completed the arbitrage before the system could recalibrate, ultimately transferring all approximately 1,299 ETH equivalent assets out of the pool.

It is important to emphasize that this incident did not affect the overall supply of DUSD and did not impact users who simply held DUSD, Pendle, or Gearbox positions. Makina promptly clarified this boundary after the incident, but the speed and precision of the attack still indicate that even seemingly well-isolated liquidity pools can become a "single point of failure" under conditions of highly concentrated capital and time-lagged oracle responses.

How the Attack Was Executed

From a technical perspective, this attack followed a pattern that DeFi security researchers have become familiar with in recent years, but it was more restrained and focused in execution. The attacker distorted the price structure of the DUSD/USDC pool using a massive, instantaneous injection of USDC, causing related logic that depended on this price to make erroneous judgments within the same block, thus creating the illusion of "ample liquidity" and setting the stage for risk-free arbitrage.

Since flash loans do not require upfront capital and must be repaid within the same transaction, the attacker bore almost no directional risk; their core tactic relied on price distortion in the time dimension. This type of vulnerability has repeatedly appeared in various DeFi scenarios, especially when liquidity pools depend on single or short-term price signals rather than time-weighted or multi-source aggregated data, making them more susceptible to temporary imbalances.

The final result was not a systemic collapse but a clean extraction. Makina later disclosed that approximately $5.1 million in USDC equivalent assets were lost from the pool, with the losses entirely borne by liquidity providers, while the rest of the protocol continued to operate normally.

Post-Incident Response and Isolation

Makina's response speed reflects a certain degree of maturity in DeFi following multiple security incidents. The team quickly confirmed that the attack was limited to the DUSD/USDC pool on Curve and had already completed a snapshot of liquidity provider balances before the attack occurred, while also initiating a "recovery mode" that allowed affected LPs to redeem DUSD unilaterally to avoid further panic withdrawals.

In an official statement released on January 21, Makina stated that it had obtained clues about the on-chain identity of the attacker and was attempting to contact them, while also promising to re-enable the redemption function after completing security adjustments and providing alternative exit solutions. This approach stands in stark contrast to the information delays and unclear impact ranges that led to chain reactions in earlier DeFi incidents, highlighting how differences between protocols are increasingly reflected in post-incident management capabilities rather than absolute "zero vulnerability" commitments.

Market Signals and Liquidity Memory

One of the insights from the DUSD incident is its strong contrast with previous liquidity narratives. Just a few months earlier, in September 2025, the DUSD/USDT trading pair ranked first in PancakeSwap's TVL leaderboard, with a locked amount of $129 million, a 24-hour trading volume of $82.11 million, and a cumulative trading volume of $439 million over seven days, being regarded as a representative of high activity and strong liquidity in certain trading ecosystems.

This historical context is particularly important as it reveals a recurring DeFi principle: liquidity depth does not equate to safety. When capital is highly concentrated and stablecoin peg relationships are taken for granted, such pools become ideal targets for "targeted demolition," especially when incentive mechanisms and price assumptions have not been continuously stress-tested.

From this perspective, the attack did not directly negate the viability of DUSD as a stablecoin, but it reaffirmed a long-standing fact: the most "stable" venues often become the most cost-effective attack targets when adversaries possess sufficient tools.

Broader Stablecoin Insights

Stepping back from a single incident, the flash loan attack on DUSD reflects the structural challenges faced by on-chain stablecoins during cross-chain and cross-protocol expansions. Composability greatly enhances capital efficiency but also creates a complex web of dependencies, making localized failures potentially have disproportionate impacts on specific user groups.

As regulators, institutional capital, and infrastructure providers gradually view stablecoins as layers for payment and settlement rather than merely trading tools, similar incidents are forcing the market to more clearly distinguish between the robustness of protocol layers and the risks of specific liquidity venues. For users chasing LP yields, this distinction is particularly critical yet often overlooked.

In this incident, DUSD holders themselves were not affected, which may help Makina maintain overall credibility; however, from a longer-term perspective, the next phase of DeFi stability may no longer be determined by TVL figures or surface liquidity but rather by how protocols design, isolate, and reinforce their most vulnerable links, especially where flash liquidity and price discovery collide.

Read the original article