Saturday, November 23, 2024

$2 million stolen in Akropolis DeFi exploit

On Thursday, November 12th, the DeFi platform Akropolis, which allows users to earn interest on deposits as well as borrow, was the victim of an exploit that resulted in roughly $2 million in stolen funds. The attacker, who has not been identified yet, exploited Akropolis by taking out flash loans and abusing a flaw in the Akropolis smart contract.

The attacker made off with roughly $2 million worth of the stablecoin DAI by draining Akropolis’s YCurve and sUSD pools. The stolen funds are currently sitting in a wallet that has already been marked as “the Akropolis hackers wallet”.

How it happened

According to Akropolis’s post-mortem report,

The hacker created a flash-loan to borrow funds then called SavingsModule.deposit() with fake token (his own contract 0xe2307837524db8961c4541f943598654240bd62f).

During “transferFrom” of this fake token, he executed another deposit with real 800k DAI borrowed from DyDx. 

The balance of the pool was actually increased during the first deposit and as a result, our PoolTokens were minted twice.

Thus he was able to withdraw almost double the amount.
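The double-mint sequence the post-mortem describes, modelled as an added example (this is not Akropolis’s code; the Pool, Dai and CallbackToken classes and the 800k figure as a deposit amount are assumptions for illustration). The pool credits whatever balance arrived during the external transferFrom call, so a nested real deposit made from inside that call is counted twice; a reentrancy guard or a token allowlist stops it.

```python
# Added model of the SavingsModule.deposit() accounting flaw; not Akropolis's code.
# Amounts are plain integers; "tokens" are objects whose transfer_from() may call
# back into the pool, which is how an untrusted token contract can re-enter deposit().

class Dai:
    """Honest ERC-20-like token: transfer_from just moves balance into the pool."""
    name = "DAI"
    def transfer_from(self, pool, amount):
        pool.balance += amount

class CallbackToken:
    """Untrusted token whose transfer_from performs a nested deposit of real DAI
    (the 'fake token' case in the post-mortem). It contributes nothing itself."""
    name = "FAKE"
    def __init__(self, real_token, real_amount):
        self.real_token, self.real_amount = real_token, real_amount
    def transfer_from(self, pool, amount):
        pool.deposit(self.real_token, self.real_amount)  # re-enters deposit()

class Pool:
    def __init__(self, guarded=False, allowed=()):
        self.balance = 0              # underlying asset the pool holds
        self.minted = 0               # pool tokens issued to depositors
        self.guarded = guarded        # reentrancy guard on/off
        self.allowed = set(allowed)   # accepted token names (empty = accept any)
        self._entered = False

    def deposit(self, token, amount):
        if self.allowed and token.name not in self.allowed:
            raise ValueError("token not accepted")           # mitigation 1: allowlist
        if self.guarded and self._entered:
            raise RuntimeError("reentrant deposit")          # mitigation 2: guard
        self._entered = True
        try:
            before = self.balance
            token.transfer_from(self, amount)                # external, untrusted call
            received = self.balance - before                 # flaw: credits anything
            self.minted += received                          # that arrived meanwhile
            return received
        finally:
            self._entered = False

def run(guarded=False, allowed=()):
    """Replay the nested deposit; return (pool balance, tokens minted, reverted?)."""
    pool = Pool(guarded=guarded, allowed=allowed)
    try:
        pool.deposit(CallbackToken(Dai(), 800_000), 1)
        return pool.balance, pool.minted, False
    except (RuntimeError, ValueError):
        return pool.balance, pool.minted, True   # a revert leaves state untouched
```

In the unguarded case one 800k deposit yields 1.6M pool tokens against an 800k balance; either mitigation makes the whole transaction revert instead.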

What’s unique about the Akropolis exploit is that, unlike many other DeFi projects in the space, Akropolis claims to have been independently audited twice. Regardless, Akropolis Founder and CEO Ana Andrianova says that the two attack vectors used to pull off this attack were missed during the audits.

Shortly after the attack took place, Akropolis halted trading in all of its stablecoin pools, informed digital currency exchanges of the exploit, and put its development team and security specialists to work on a patch.


The DeFi death toll rises 

Several DeFi exploits have taken place in 2020. According to blockchain analytic firm CipherTrace, DeFi related thefts and hacks are on the rise while digital currency crime, in general, is declining.

When it comes to DeFi, you must proceed with caution and thoroughly research before investing. The DeFi ecosystem is very new, which means that there are several unexplored attack vectors and bugs waiting to be exploited. To add insult to injury, several DeFi projects do not get their code audited and launch with insecure infrastructure; and as the Akropolis exploit shows, even a project whose code has been audited is not guaranteed to be bullet-proof.

Steven Black (n0tst3)
Hello! I'm Steve, an independent security researcher, and analyst from Scotland, UK. I've had an avid interest in Computers, Technology and Security since my early teens. 20 years on, and, it's a whole lot more complicated... I've assisted Governments, Individuals and Organizations throughout the world. Including; US DOJ, NHS UK, GOV UK. I'll often reblog infosec-related articles that I find interesting. On the RiSec website, You'll also find a variety of write-ups, tutorials and much more!