November 13, 2020
By Sam Grant
Decentralised Finance project Akropolis is the latest victim of a flash loan attack
The hackers exploited the savings pools at Akropolis and stole more than $2 million in DAI.
“At ~14:36 GMT we noticed a discrepancy in the APYs of our stablecoin pools and identified that ~2.0mn DAI had been drained out of the yCurve and sUSD pools,” Akropolis reported in a statement.
It is reported that the contract at address 0xe2307837524Db8961C4541f943598654240bd62f carried out a series of dYdX flash loan attacks on the sUSD and yCurve pools.
“The essence of the exploit in question is a combination of a re-entrancy attack with dYdX flash loan origination.”
The hacker didn’t hold onto the funds after the exploit. The pilfered $2 million DAI was immediately forwarded to a different address.
It appears that the attack caught the platform by surprise. The Gibraltar-based decentralized finance protocol said that the pools had been audited by two firms and that the attack vectors used were not identified in either audit.
The Akropolis team has since posted an update saying that a post-mortem analysis is in the pipeline. The team also added that it was looking into ways of reimbursing the affected users without crippling the protocol.
Akropolis asserted that the majority of the funds on the protocol were safe as Compound USDC, Compound DAI, AAVE bUSD, AAVE sUSD, Curve sBTC, and Curve bUSD were not affected in the exploit. Other intact staking pools were ADEL and Native AKRO.
The DeFi protocol has paused all stablecoin pools and notified exchanges of the exploit. Discussions between Akropolis and security experts are also underway as the platform reviews its security system for the expected evaluation.
Akropolis founder Ana Andrianova has refuted the claims going around on social media that the exploit was carried out in the same way as the one on Harvest Finance last month. Harvest Finance suffered a loss of $34 million in USDC and USDT stablecoin reserves in another flash loan exploit. A similar incident involved the bZx margin-trading platform, which lost $350,000 early this year.