Cryptocurrency borrowing and lending service Akropolis has suffered a security incident that resulted in the theft of roughly $2 million worth of Dai cryptocurrency.
According to the company’s press release, the attack took place on November 12, 2020. In response to the intrusion, Akropolis immediately halted all operations to prevent further losses. The investigation into the incident revealed that the platform was hit with a “flash loan” attack, in which malicious actors borrow funds from a DeFi platform but then use vulnerabilities in the platform code to circumvent the loan mechanism and steal the funds.
Akropolis said that the hack was executed across a body of smart contracts in its “savings pools”.
“At ~14:36 GMT we noticed a discrepancy in the APYs of our stablecoin pools and identified that ~2.0mn DAI had been drained out of the Ycurve and sUSD pools […] These pools had been audited by two independent firms, however, the attack vectors used in the exploit were not identified in either audit. The essence of the exploit in question is a combination of a re-entrancy attack with dYdX flash loan origination,” the company explained.
Akropolis said it has already identified the attacker’s Ethereum wallet, where stolen funds are currently stored. Akropolis said it notified cryptocurrency exchanges about the attack and is now reviewing the code and security procedures.