Hackers Drain $2 Million in DAI From Defi Protocol Akropolis

Decentralized finance (defi) protocol Akropolis was on Thursday hacked for $2 million in DAI, in the latest flash loan attack to hit the nascent defi industry.

The attacker pilfered the platform’s Ycurve pool in batches of $50,000 in the stablecoin DAI. This particular pool allows investors to trade stablecoins and earn interest.

In a statement on Nov. 12, Akropolis revealed that the hack was executed across a body of smart contracts in its “savings pools”.

“At ~14:36 GMT we noticed a discrepancy in the APYs of our stablecoin pools and identified that ~2.0mn DAI had been drained out of the Ycurve and sUSD pools,” it said.

The pools are said to have been audited by two firms, but the hacker still found loopholes to exploit, wiring his loot to this address. Akropolis explained:

The attack vectors used in the exploit were not identified in either audit. The essence of the exploit in question is a combination of a re-entrancy attack with Dydx flash loan origination.

Others pools were not affected. These include compound DAI, compound USDC, AAVE sUSD, AAVE bUSD, curve bUSD, curve sBTC, it stated. Native AKRO and ADEL staking pools were also left untouched.

Akropolis is a defi lending and savings protocol. Users can take out loans, and they can also earn interest on crypto deposits.

The Akropolis team said it is looking at ways to reimburse affected users “in a way that is sustainable for the project”. All stablecoin pools have been halted for now, it added.

In October, another defi project Harvest Finance was hacked for $24 million. The attacker targeted the protocol’s liquidity pools, performing an arbitrage attack using a large flash loan – a type of uncollatarized loan.

What do you think about the Akropolis hack? Let us know in the comments section below.

Tags in this story

Image Credits: Shutterstock, Pixabay, Wiki Commons

Disclaimer: This article is for informational purposes only. It is not a direct offer or solicitation of an offer to buy or sell, or a recommendation or endorsement of any products, services, or companies. Bitcoin.com does not provide investment, tax, legal, or accounting advice. Neither the company nor the author is responsible, directly or indirectly, for any damage or loss caused or alleged to be caused by or in connection with the use of or reliance on any content, goods or services mentioned in this article.

Read disclaimer