On Thursday, November 12th, the DeFi platform Akropolis, which allows users to earn interest on deposits as well as borrow, was the victim of an exploit that resulted in roughly $2 million in stolen funds. The attacker, who has not yet been identified, was able to exploit Akropolis by taking out flash loans and making use of a flaw within the Akropolis smart contract.
The attacker made off with roughly $2 million worth of the stablecoin DAI by draining Akropolis’s YCurve and sUSD pools. The stolen funds are currently sitting in a wallet that has already been labelled “the Akropolis hacker’s wallet”.
How it happened
According to Akropolis’s post-mortem report,
The hacker created a flash loan to borrow funds, then called SavingsModule.deposit() with a fake token (his own contract 0xe2307837524db8961c4541f943598654240bd62f).
During “transferFrom” of this fake token, he executed another deposit with 800k real DAI borrowed from DyDx.
The balance of the pool was actually increased during the first deposit and as a result, our PoolTokens were minted twice.
Thus he was able to withdraw almost double the amount.
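The defect the post-mortem describes is a combination of two things: deposit() accepted an arbitrary token address, and it credited pool tokens from the change in the pool's overall balance measured across an external call into that token. The following is an added illustration, not Akropolis's code: a deliberately simplified pool (VulnerablePool) that reproduces the pattern, followed by a hardened variant (HardenedPool) that allowlists supported tokens, blocks reentrancy, and credits shares from what the current call actually transferred in. All contract, variable and function names here are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not Akropolis's code. Simplified on purpose: one share
// per unit of underlying, no interest accounting, no withdrawals.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// Vulnerable pattern: any token address is accepted, and shares are minted from
// the pool-wide accounting delta observed across an external call. If the
// "token" is attacker-controlled, its transferFrom can re-enter deposit() with
// a real token; that nested deposit raises totalPoolBalance before the outer
// call reads it back, so the same real deposit is credited twice.
contract VulnerablePool {
    mapping(address => uint256) public shares;
    uint256 public totalPoolBalance; // cached accounting balance across tokens

    function deposit(address token, uint256 amount) external {
        uint256 before = totalPoolBalance;
        // External call into an untrusted contract: re-entry is possible here.
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transfer failed");
        totalPoolBalance += amount;
        // Delta includes whatever a nested deposit added during the call above.
        uint256 minted = totalPoolBalance - before;
        shares[msg.sender] += minted;
    }
}

// Hardened pattern:
//  1. only allowlisted, reviewed tokens may be deposited;
//  2. a reentrancy guard rejects nested calls into deposit();
//  3. shares are credited from the balance change of *this* token in *this*
//     call (which also handles fee-on-transfer tokens correctly), not from a
//     pool-wide figure that other calls can move.
contract HardenedPool {
    mapping(address => uint256) public shares;
    mapping(address => bool) public supportedToken; // allowlist of underlyings
    uint256 public totalPoolBalance;
    bool private locked;

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    constructor(address[] memory tokens) {
        for (uint256 i = 0; i < tokens.length; i++) {
            supportedToken[tokens[i]] = true;
        }
    }

    function deposit(address token, uint256 amount) external nonReentrant {
        require(supportedToken[token], "token not supported");
        IERC20 erc20 = IERC20(token);
        uint256 balBefore = erc20.balanceOf(address(this));
        require(erc20.transferFrom(msg.sender, address(this), amount), "transfer failed");
        // Credit exactly what arrived, and only once.
        uint256 received = erc20.balanceOf(address(this)) - balBefore;
        require(received > 0, "nothing received");
        totalPoolBalance += received;
        shares[msg.sender] += received;
    }
}
```

Walking through the vulnerable contract with the numbers from the post-mortem: an outer deposit() with the fake token records before = 0; its transferFrom re-enters deposit() with 800k DAI, which sets totalPoolBalance to 800k and mints 800k shares; control then returns to the outer call, which reads the delta as 800k and mints another 800k, so 1.6M shares now back 800k of real DAI. In HardenedPool the fake token fails the allowlist check, a nested call would trip the guard, and the minted amount is tied to the token balance that this call moved. For review purposes, a deposit that reads any pool-wide aggregate across an external call to a caller-chosen address is the pattern to flag.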
What’s unique about the Akropolis exploit is that, unlike many of the other DeFi projects in the space, Akropolis claims to have been independently audited twice. Regardless, Akropolis Founder and CEO Ana Andrianova says that the two attack vectors used to pull off this attack were missed during the audits.
Shortly after the attack took place, Akropolis halted trading in all of its stablecoin pools, informed digital currency exchanges of the exploit, and put its development team and security specialists to work on a patch.
The DeFi death toll rises
Several DeFi exploits have taken place in 2020. According to the blockchain analytics firm CipherTrace, DeFi-related thefts and hacks are on the rise while digital currency crime in general is declining.
When it comes to DeFi, you must proceed with caution and research thoroughly before investing. The DeFi ecosystem is very new, which means there are many unexplored attack vectors and bugs waiting to be exploited. To add insult to injury, several DeFi projects do not get their code audited and launch with insecure infrastructure; and, as the Akropolis exploit shows, even a project that does get its code audited has no guarantee that it is bullet-proof.