Decentralized finance (defi) protocol Akropolis was on Thursday hacked for $2 million in DAI, in the latest flash loan attack to hit the nascent defi industry.
The attacker pilfered the platform’s Ycurve pool in batches of $50,000 in the stablecoin DAI. This particular pool allows investors to trade stablecoins and earn interest.
In a statement on Nov. 12, Akropolis revealed that the hack was executed across a body of smart contracts in its “savings pools”.
“At ~14:36 GMT we noticed a discrepancy in the APYs of our stablecoin pools and identified that ~2.0mn DAI had been drained out of the Ycurve and sUSD pools,” it said.
The pools are said to have been audited by two firms, but the hacker still found loopholes to exploit, wiring his loot to this address. Akropolis explained:
The attack vectors used in the exploit were not identified in either audit. The essence of the exploit in question is a combination of a re-entrancy attack with Dydx flash loan origination.
Others pools were not affected. These include compound DAI, compound USDC, AAVE sUSD, AAVE bUSD, curve bUSD, curve sBTC, it stated. Native AKRO and ADEL staking pools were also left untouched.
Akropolis is a defi lending and savings protocol. Users can take out loans, and they can also earn interest on crypto deposits.
The Akropolis team said it is looking at ways to reimburse affected users “in a way that is sustainable for the project”. All stablecoin pools have been halted for now, it added.
In October, another defi project Harvest Finance was hacked for $24 million. The attacker targeted the protocol’s liquidity pools, performing an arbitrage attack using a large flash loan – a type of uncollatarized loan.
<Source: Bitcoin News>