- Akropolis lost $2 million in breach despite independent audit.
- The funds were stolen from liquidity pools connected to the project.
- User funds and staking pools were not affected.
According to reports within the crypto community, Akropolis, an Ethereum-based DeFi lending platform, was attacked this week.
The attacker managed to execute a $50,000 exploit 40 times, netting $2 million of DAI in total.
Akropolis confirmed the attack on Twitter:
The funds were not stolen from users. Rather, the stolen funds were drained from Akropolis’ Curve pools, which supply the project with liquidity.
Technology Lead Alex Maz stated on Discord that the attack affected Akropolis’ “Curve Y and Curve sUSD pools only.”
Akropolis Hacked Despite Security Audits
Before the attack, Akropolis underwent two security audits performed by CertiK, auditor of the recently hacked Axion project, and another unknown security group. CertiK has stated that the Axion incident was an inside job.
Speaking to CryptoBriefing about the Akropolis hack, CertiK COO Daryl Hok said:
“I think the main takeaway here is that: security audits are never meant to guarantee that a project is infallible; rather they are utilized to guarantee that the security of a given codebase is of a high standard.”
Akropolis founder and CEO Ana Androva said that despite being audited twice, “two attack vectors have unfortunately been missed.” The crypto community has speculated that the exploit might resemble the attack performed against Harvest in late October because each attack involved the respective project’s Curve Y pools.
However, Androva says that the attacks are not connected. Akropolis released a post-mortem of the hack on Nov. 13, citing two bugs in the code:
The hacker allegedly created a flash loan to borrow funds with a fake token in the hacker’s own smart contract. As the funds were being transferred, the hacker executed another deposit using $800,000 worth of real DAI borrowed from dYdX.
The fake token loan raised the balance of the liquidity pool. When the real loan was initiated, Akropolis minted the same tokens twice, allowing the hacker to withdraw double the intended amount.
Akropolis is now monitoring incoming tokens and adding a Reentrancy Guard feature to prevent the same exploit from happening again.
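The double mint and the two mitigations described above, as an added Python model that is not Akropolis's code and not part of the original article. It assumes the pool credits a deposit from the change in its own balance around the token transfer; the class names and the `run` helper are hypothetical, and the 800,000 figure is the DAI amount the article reports.

```python
class ReentrancyError(Exception):
    pass

class Dai:
    name = "DAI"
    def transfer_from(self, user, pool, amount):
        pool.balance += amount                       # real value arrives in the pool

class FakeToken:
    """Constructed stand-in for a caller-supplied token: moves nothing, re-enters deposit()."""
    name = "FAKE"
    def __init__(self, real_token, real_amount):
        self.real_token, self.real_amount = real_token, real_amount
    def transfer_from(self, user, pool, amount):
        pool.deposit(user, self.real_token, self.real_amount)

class Pool:
    def __init__(self, allowed=None, guard=False):
        self.balance, self.shares = 0, {}
        self.allowed = allowed                       # None: any token accepted (weak setting)
        self.guard, self._entered = guard, False

    def deposit(self, user, token, amount):
        if self.allowed is not None and token.name not in self.allowed:
            raise ValueError("token not on allowlist")
        if self.guard and self._entered:
            raise ReentrancyError("deposit re-entered")
        self._entered = True
        try:
            before = self.balance
            token.transfer_from(user, self, amount)  # external call into token code
            minted = self.balance - before           # credit inferred from balance change
            self.shares[user] = self.shares.get(user, 0) + minted
        finally:
            self._entered = False

def run(pool):
    """Replay the nested deposit; return (shares credited, value held, error name)."""
    err = None
    try:
        pool.deposit("caller", FakeToken(Dai(), 800_000), 0)
    except (ValueError, ReentrancyError) as exc:
        err = type(exc).__name__
    return pool.shares.get("caller", 0), pool.balance, err

if __name__ == "__main__":
    print("no checks       :", run(Pool()))
    print("reentrancy guard:", run(Pool(guard=True)))
    print("token allowlist :", run(Pool(allowed={"DAI"})))
```

With no checks, the outer and inner calls both observe the same balance increase, so shares exceed the value held; either mitigation rejects the call before any shares are credited.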