Saddle Finance's saddleUSD-V2 metapool was exploited via a flash loan attack targeting a faulty swap calculation bug.
The attacker exploited an old vulnerability in Saddle Finance's virtual price calculation, which had been patched in newer pools but not in the legacy saddleUSD-V2 metapool. Using a flash loan, the attacker manipulated the metapool's virtual price by adding liquidity in a way that allowed them to withdraw far more than deposited, extracting approximately $11M worth of stablecoin LP tokens.
Stolen stablecoin assets converted to ETH and deposited into Tornado Cash. White hat BlockSec front-ran part of the attack and recovered approximately $3.8M, which was returned to Saddle Finance. Net loss was approximately $7.2M after recovery. Saddle Finance published a post-mortem and compensated remaining losses from treasury.