Akropolis, a decentralized finance (DeFi) protocol, has become the latest in the blockchain industry to become the target of hackers, resulting in the theft of over $2 million in DAI stablecoin.
The platform officially notified about the attack on late Thursday, providing some initial updates on the tactics used by the attacker. It is now reviewing the code and security procedure and will publish a post-mortem report.
The Rise of DeFi Is Luring Hackers
Akropolis offers DeFi lending services along with savings services that allow users to take out loans in digital currencies and generate interest on their collateral deposits. This type of platform became very popular with the recent hype of the DeFi ecosystem as users were flocking towards them for the so-called yield farming.
The attacker exploited the savings side of the protocol that utilizes another DeFi protocol, Curve.
“At ~14:36 GMT we noticed a discrepancy in the APYs of our stablecoin pools and identified that ~2.0mn DAI had been drained out of the yCurve and sUSD pools,” Akropolis stated in the announcement.
The Akropolis attacker used a combination of re-entrancy attacks and dYdX flash loan origination to exploit the protocol’s savings pool.
Legal Risk Factor Beneath Ripple’s Lawsuit from SECGo to article >>
Though many unaudited DeFi projects have recently become the target of hackers, Akropolis pointed out that its protocol was audited by two independent firms, CertiK, and SmartDec and Pessimistic. However, both companies missed two “attack vectors” in their audit, Akropolis founder and CEO, Ana Andrianova tweeted.
Not quite, we will publish a detailed retro shortly. Two attack vectors have unfortunately been missed despite two audits. I will link a post-mortem and next steps here.
— Ana A. (@ana_andrianova) November 12, 2020
Apart from DAI, the protocol also holds Compound DAI, Compound USDC, AAVE sUSD, AAVE bUSD, Curve bUSD, Curve sBTC, and has two native pools of AKRO and ADEL. All of them are unaffected by the attack.
“We are exploring ways to reimburse users for the loss in a way that is sustainable for the project, and will make a proposal to the community prior to any final decision being made,” the announcement added.