Nexo

Start Earning Up to 16% Interest Automatically

Learn More
Home » Analysis » DeFi Project Akropolis Just Lost $2 Million. Here’s What They’re Doing About It.

DeFi Project Akropolis Just Lost $2 Million. Here's What They're Doing About It.

by
,

The Akropolis DeFi platform is the latest to suffer a major security breach, hacked for $2 million on Nov. 12.

Leading DeFi Chefs Rescue Dying Insurance Protocol With $25,000 Grant

Key Takeaways

  • Akropolis lost $2 million in breach despite independent audit.
  • The funds were stolen from liquidity pools connected to the project.
  • User funds and staking pools were not affected.

Share this article

According to reports within the crypto community, Akropolis, an Ethereum-based DeFi lending platform, was attacked this week. 

The attacker managed to execute a $50,000 exploit 40 times, netting $2 million of DAI in total.

Akropolis confirmed the attack on Twitter:

The funds were not stolen from users. Rather, the stolen funds were drained from Akropolis’ Curve pools, which supply the project with liquidity.

Technology Lead Alex Maz stated on Discord that the attack affected Akropolis’ “Curve Y and Curve sUSD pools only.”

Akropolis Hacked Despite Security Audits

Before the attack, Akropolis underwent two security audits performed by CertiK, auditor of the recently hacked Axion project, and another unknown security group. CertiK has stated that the Axion incident was an inside job.

Speaking to CryptoBriefing about the Akropolis hack, CertiK COO Daryl Hok said:

“I think the main takeaway here is that: security audits are never meant to guarantee that a project is infallible; rather they are utilized to guarantee that the security of a given codebase is of a high standard.”

Akropolis founder and CEO Ana Androva said that despite being audited twice, “two attack vectors have unfortunately been missed.” The crypto community has speculated that the exploit might resemble the attack performed against Harvest in late October because each attack involved the respective project’s Curve Y pools.

However, Androva says that the attacks are not connected. Akropolis released a post-mortem of the hack on Nov. 13, citing two bugs in the code:

  1. No check that tokens deposited are actually the ones registered in our contracts.
  2. Re-entrance issue with “transferFrom” function, which an attacker could exploit because of the first bug.

The hacker allegedly created a flash loan to borrow funds with a fake token in the hacker’s own smart contract. As the funds were being transferred, the hacker executed another deposit using $800,000 worth of real DAI borrowed from dYdX. 

The fake token loan raised the balance of the liquidity pool. When the real loan was initiated, Akropolis minted the same tokens twice, allowing the hacker to withdraw double the intended amount.

Akropolis is now monitoring incoming tokens and adding a Reentrancy Guard feature to prevent the same exploit from happening again.

Share this article

The information on or accessed through this website is obtained from independent sources we believe to be accurate and reliable, but Decentral Media, Inc. makes no representation or warranty as to the timeliness, completeness, or accuracy of any information on or accessed through this website. Decentral Media, Inc. is not an investment advisor. We do not give personalized investment advice or other financial advice. The information on this website is subject to change without notice. Some or all of the information on this website may become outdated, or it may be or become incomplete or inaccurate. We may, but are not obligated to, update any outdated, incomplete, or inaccurate information.

Crypto Briefing may augment articles with AI-generated content created by Crypto Briefing’s own proprietary AI platform. We use AI as a tool to deliver fast, valuable and actionable information without losing the insight - and oversight - of experienced crypto natives. All AI augmented content is carefully reviewed, including for factural accuracy, by our editors and writers, and always draws from multiple primary and secondary sources when available to create our stories and articles.

You should never make an investment decision on an ICO, IEO, or other investment based on the information on this website, and you should never interpret or otherwise rely on any of the information on this website as investment advice. We strongly recommend that you consult a licensed investment advisor or other qualified financial professional if you are seeking investment advice on an ICO, IEO, or other investment. We do not accept compensation in any form for analyzing or reporting on any ICO, IEO, cryptocurrency, currency, tokenized sales, securities, or commodities.

See full terms and conditions.