DeFi project Akropolis exploited for over $2 million

Decentralized finance (DeFi) protocol Akropolis lost $2 million in DAI in an exploit on Thursday morning.

According to an update from the Akropolis team, a post-mortem analysis is forthcoming, and the team is exploring ways to reimburse those affected.

Akropolis is a DeFi lending and savings service provider that enables users to take out loans and generate yield on cryptocurrency deposits. The savings portion of the service, which utilizes Curve protocol, was exploited in the attack earlier in the day.

The contract address 0xe2307837524Db8961C4541f943598654240bd62f, which appears to the exploiter, executed a series of dYdX flash loan attacks on Akropolis' YCurve and sUSD savings pools before sending the resulting $2 million DAI to a different address: 0x9f26ae5cd245bfeeb5926d61497550f79d9c6c1c. The funds do not appear to have left that address as of the time of writing.

Flash loans allow users to borrow funds instantly, given they are returned within one transaction block, meaning users can take advantage of uncollateralized loans. In the case of the Akropolis attack, a combination of a re-entrancy attack and dYdX flash loan origination exploited the savings pools. The pools had been audited by two firms, according to Akropolis, but the attack vectors used by the hacker were not identified in either audit.

The majority of the funds on the protocol are safe, according to Akropolis. Compound DAI, Compound USDC, AAVE sUSD, AAVE bUSD, Curve bUSD and Curve sBTC were unaffected. Native AKRO and ADEL staking pools were also untouched. 

In the meantime, all stablecoin pools have been paused and exchanges have been informed of the hack. The Akropolis team is in discussions with security specialists as it reviews its development and security processes for the coming analysis.