Curve's LlamaLend Hit by Oracle Attack. $240K Gone. 27 Users Liquidated.

A bad oracle config on the sDOLA-crvUSD LlamaLend pool let an attacker armed with $30M in flash loans walk away with a clean $240K profit. Curve says the core is fine. Users say their collateral isn't.

BLACKWIRE — VOLT DESK  |  March 2, 2026 / 20:30 CET

It happened again. Another DeFi pool, another oracle set up wrong, another attacker who noticed before anyone else did.

This time it was Curve Finance's LlamaLend market, specifically the sDOLA-crvUSD pool. Blockchain security firm BlockSec Phalcon flagged a suspicious transaction on Ethereum earlier today. By the time teams were alerted, the attacker had already walked away with roughly $240,000 in profit and left 27 users liquidated on the floor.

Attacker profit: $240K
Users liquidated: 27
Flash loans used: $30M
CRV price (24h): -3.5%

How the Attack Worked

The mechanics were tight. The attacker borrowed approximately $30 million in flash loans and used them to manipulate the sDOLA price feed within the pool. By redeeming sDOLA and then re-staking it as a donation, they temporarily distorted the pricing mechanism the pool used to value collateral.

That distortion was enough. Positions that were previously healthy crossed their liquidation thresholds. The attacker liquidated them, pocketed the margin, repaid the flash loan, and exited. Lenders in the pool were not harmed. sDOLA holders actually saw gains during the distortion. The only people who got hurt were borrowers using sDOLA as collateral - 27 of them.

"The actual victim was the sDOLA-crvUSD Curve LlamaLend pool. The root cause was an improper oracle configuration by the pool creator." - BlockSec Phalcon, March 2, 2026

Inverse Finance Says: Not Our Problem

Inverse Finance, which issues DOLA, moved fast to distance itself. Founder Nour Haridy posted on X within hours: "Inverse Finance was NOT affected. It's simply an incident in an external protocol that uses DOLA token."

Technically correct. The exploit was in the pool's oracle configuration - not in DOLA itself, not in Inverse's FiRM protocol, not in Curve's core contracts. The pool creator plugged in an oracle that could be manipulated. That's on the pool creator.

But here's what that framing obscures: the DOLA ecosystem has now been a target three times. In April 2022, Inverse's Frontier protocol lost $15.6M to oracle manipulation. In June 2022, it lost another $5.8M via Chainlink price manipulation and flash loans. Today, $240K went through a downstream pool running DOLA's staked variant.

Protocols don't have to get hacked directly to get a reputation for getting hacked.

CRV Feels It

CRV was already struggling. Down 20% over the past month. Derivatives volume down 12% to $127 million. Open interest slipped another 1.7% to $67.8 million as leveraged players reduced exposure rather than adding to it.

The LlamaLend incident dropped CRV another 3.5% on the day. It's holding above $0.22 support - barely. A daily close below that level opens the door to $0.20, a psychological line the bulls really don't want to test right now.

Curve confirmed it's investigating. The core protocol was not compromised. That's the right message to send. Whether the market cares about the distinction is a different question.

Pattern alert: This is the third time in four years that a product within the DOLA ecosystem has been exploited via oracle manipulation. Flash loan attack vectors against misconfigured pool oracles remain one of DeFi's most reliable attack surfaces. If your protocol integrates external assets and sets its own oracle - or lets anyone else set it - that's the attack surface.

The Actual Risk Is Bigger Than $240K

The dollar loss is small by DeFi exploit standards. The signal is not. This attack cost roughly nothing to execute relative to the payout. Flash loans are free capital. Oracle bugs are abundant. The exploit design - borrow, distort, liquidate, exit - is well-documented and reproducible across any pool with loose oracle assumptions.

CertiK confirmed the technical read: flash loans circa $30M, sDOLA balance manipulation, 27 liquidations, $240K profit. Clean execution. Whoever did this knew exactly which lever to pull.

The DeFi oracle problem has had solutions for years. On-chain TWAPs, Chainlink integration, multi-source aggregation, manipulation-resistant circuit breakers. Protocols that skip these steps in favor of speed-to-launch keep paying for it - or more precisely, their users do.
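To make the difference between those mitigations concrete, here is an added example (not code from Curve, Inverse, BlockSec or CertiK) that values the same loan book with a raw spot reading, a TWAP and a per-block deviation cap. The lending model, the 85% threshold, the downward direction of the distortion and every price and position are assumptions constructed for illustration; it is not a model of LlamaLend's actual liquidation mechanics.

```python
from dataclasses import dataclass

@dataclass
class Position:
    collateral: float  # units of the collateral token
    debt: float        # units of the borrowed stablecoin

LIQ_THRESHOLD = 0.85   # assumed: debt may not exceed 85% of collateral value

def twap(prices, window):
    """Time-weighted average over the last `window` per-block samples."""
    recent = prices[-window:]
    return sum(recent) / len(recent)

def capped(prices, max_step):
    """Circuit breaker: the reported price moves at most `max_step` (a fraction) per block."""
    reported = prices[0]
    for p in prices[1:]:
        lo, hi = reported * (1 - max_step), reported * (1 + max_step)
        reported = min(max(p, lo), hi)
    return reported

def liquidatable(positions, price):
    """Positions whose debt exceeds the allowed share of collateral value at `price`."""
    return [p for p in positions if p.debt > p.collateral * price * LIQ_THRESHOLD]

def compare(prices, positions, window=30, max_step=0.005):
    """Count liquidatable positions under each way of reading the same price history."""
    feeds = {
        "spot": prices[-1],
        "twap": twap(prices, window),
        "capped": capped(prices, max_step),
    }
    return {name: len(liquidatable(positions, px)) for name, px in feeds.items()}

# Constructed data: 29 quiet blocks at 1.00, then one block with a 20% distorted reading.
PRICES = [1.00] * 29 + [0.80]
# Constructed loan book: all four positions are healthy at a price of 1.00.
POSITIONS = [Position(1000, 600), Position(1000, 700), Position(1000, 750), Position(1000, 840)]

if __name__ == "__main__":
    print("one-block distortion:", compare(PRICES, POSITIONS))
    # A genuine, sustained repricing still reaches the TWAP and capped feeds.
    print("sustained move:      ", compare([1.00] * 5 + [0.80] * 60, POSITIONS))
```

Averaging only helps when the samples span multiple blocks; a TWAP built from readings that can all be taken inside one transaction inherits the spot feed's weakness.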

Today it was 27 people and $240K. The template is sitting on GitHub. Next time the pool will be bigger.
