
Hacker drains $2 million from Akropolis DeFi protocol
An unknown attacker drained $2 million in DAI stablecoins from the Akropolis project’s YCURVE and sUSD liquidity pools. The exploited smart contracts had undergone two audits.
We recently identified a hack executed across a body of smart contracts in the «savings pools» that have been audited twice. We are working with security specialists and on-chain analytics providers and aim to make a more detailed statement shortly. Thank you for your patience.
— Akropolis (@akropolisio) November 12, 2020
According to analyst Steven Zheng, the hacker withdrew assets in 50,000 DAI batches over about seven hours until the pools ran dry.
Here’s the exploiter’s address. Looks like they were executing batches of $50k attacks around 7 hours ago. https://t.co/PZIp8g82Ay
— Steven (@Dogetoshi) November 12, 2020
Subsequently, the attacker transferred the funds to a new address.
And then they sent $2M in gains in this transaction to a different address where it now sits. https://t.co/Jehjx4vEGf
— Steven (@Dogetoshi) November 12, 2020
The DeFi project Akropolis allows users to borrow funds and generate yield on cryptocurrency deposits.
According to the project’s statement, the pools underwent audits by two independent auditing firms. Neither found a vulnerability in the savings portion of the service, which uses the Curve protocol. The hacker carried out a series of attacks using flash loans. Such loans are repaid within a single block, which is why they require no collateral.
The project team has begun implementing a suite of security measures. All stablecoin pools have been suspended, and exchanges have been notified. External security specialists, together with the developers, are studying the issue.
Funds in Compound DAI, Compound USDC, AAVE sUSD, AAVE bUSD, Curve bUSD and Curve sBTC, as well as in the native tokens AKRO and ADEL, were not affected and remain safe.
The project is studying ways to compensate users for losses and will present its proposal in the near future.
In response to the breach, the price of Akropolis (AKRO) briefly fell by 23%. The price decline over the last 24 hours was 18.9%.
Hourly AKRO/USD chart from CoinGecko.
The incident, on the whole, did not affect the decentralized finance sector. According to DeFi Pulse, the total value locked in protocols hit a new record of $13.74 billion.
Earlier, in October, a hacker withdrew $19.8 million from Harvest Finance by manipulating stablecoin prices on the Curve DeFi protocol.