- Akropolis lost $2 million in breach despite independent audit.
- The funds were stolen from liquidity pools connected to the project.
- User funds and staking pools were not affected.
According to reports within the crypto community, Akropolis, an Ethereum-based DeFi lending platform, was attacked this week.
The attacker managed to execute a $50,000 exploit 40 times, netting $2 million of DAI in total.
Akropolis confirmed the attack on Twitter:
We recently identified a hack executed across a body of smart contracts in the “savings pools” that have been audited twice. We are working with security specialists and on-chain analytics providers and aim to make a more detailed statement shortly. Thank you for your patience.
— Akropolis (@akropolisio) November 12, 2020
The funds were not stolen from users. Rather, the stolen funds were drained from Akropolis’ Curve pools, which supply the project with liquidity.
Technology Lead Alex Maz stated on Discord that the attack affected Akropolis’ “Curve Y and Curve sUSD pools only.”
Akropolis Hacked Despite Security Audits
Before the attack, Akropolis underwent two security audits performed by CertiK, auditor of the recently hacked Axion project, and another unknown security group. CertiK has stated that the Axion incident was an inside job.
Speaking to CryptoBriefing about the Akropolis hack, CertiK COO Daryl Hok said:
“I think the main takeaway here is that: security audits are never meant to guarantee that a project is infallible; rather they are utilized to guarantee that the security of a given codebase is of a high standard.”
Akropolis founder and CEO Ana Androva said that despite being audited twice, “two attack vectors have unfortunately been missed.” The crypto community has speculated that the exploit might resemble the attack performed against Harvest in late October because each attack involved the respective project’s Curve Y pools.
However, Androva says that the attacks are not connected. Akropolis released a post-mortem of the hack on Nov. 13, citing two bugs in the code:
- No check that tokens deposited are actually the ones registered in our contracts.
- Re-entrance issue with “transferFrom” function, which an attacker could exploit because of the first bug.
The hacker allegedly created a flash loan to borrow funds with a fake token in the hacker’s own smart contract. As the funds were being transferred, the hacker executed another deposit using $800,000 worth of real DAI borrowed from dYdX.
The fake token loan raised the balance of the liquidity pool. When the real loan was initiated, Akropolis minted the same tokens twice, allowing the hacker to withdraw double the intended amount.
Akropolis is now monitoring incoming tokens and adding a Reentrancy Guard feature to prevent the same exploit from happening again.
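The two post-mortem bugs and the fixes named above, as an added Python simulation written for this article (not Akropolis' contracts): a share-issuing pool credits shares from the before/after change in its registered token balance, and an attacker-supplied token whose transferFrom calls back into deposit() gets shares credited twice for a single real deposit. The pool, the tokens and the 800,000 figure are constructed for illustration; the simulation shows that either fix alone, the registered-token check or the reentrancy guard, stops the double mint.

```python
# Constructed model of the two bugs in the Akropolis post-mortem:
#   (1) deposit() accepts any token, not only the registered one, and
#   (2) deposit() can be re-entered through the deposited token's transferFrom.
# Hypothetical simulation written for this article, not Akropolis' code.


class UnregisteredToken(Exception):
    """Raised by the hardened pool when the deposited token is not the registered one."""


class ReentrancyBlocked(Exception):
    """Raised by the hardened pool when deposit() is entered while already running."""


class Token:
    """Minimal ERC-20-like token: transfer_from simply moves balances."""

    def __init__(self, name):
        self.name = name
        self.balances = {}

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def mint(self, who, amount):
        self.balances[who] = self.balance_of(who) + amount

    def transfer_from(self, src, dst, amount):
        if self.balance_of(src) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.mint(dst, amount)


class CallbackToken(Token):
    """Untrusted token whose transfer_from runs attacker-chosen code (a hook)
    instead of moving any value, so it can call back into the pool mid-deposit."""

    def __init__(self, name, hook):
        super().__init__(name)
        self.hook = hook

    def transfer_from(self, src, dst, amount):
        self.hook()  # re-enters the pool; no balance changes at all


class SavingsPool:
    """Pool that mints shares equal to the growth of its registered-token balance
    across the transfer (the before/after accounting the post-mortem describes).
    The pool object itself is used as its own 'address' in token balances."""

    def __init__(self, registered_token, check_token=False, guard=False):
        self.registered = registered_token
        self.check_token = check_token  # fix 1: only registered tokens accepted
        self.guard = guard              # fix 2: reentrancy guard
        self.locked = False
        self.shares = {}

    def deposit(self, user, token, amount):
        if self.check_token and token is not self.registered:
            raise UnregisteredToken(token.name)
        if self.guard:
            if self.locked:
                raise ReentrancyBlocked()
            self.locked = True
        try:
            before = self.registered.balance_of(self)
            token.transfer_from(user, self, amount)  # external, untrusted call
            gained = self.registered.balance_of(self) - before
            self.shares[user] = self.shares.get(user, 0) + gained
        finally:
            self.locked = False


def run_scenario(check_token=False, guard=False):
    """Return (shares credited to the attacker, real DAI the attacker deposited)."""
    dai = Token("DAI")
    pool = SavingsPool(dai, check_token=check_token, guard=guard)
    attacker = "attacker"
    real_amount = 800_000  # constructed figure; stands in for the flash-loaned DAI
    dai.mint(attacker, real_amount)

    # The fake token's transfer_from re-enters deposit() with the real DAI while
    # the outer deposit of the worthless token is still in flight.
    fake = CallbackToken("FAKE", lambda: pool.deposit(attacker, dai, real_amount))
    try:
        pool.deposit(attacker, fake, 1)
    except (UnregisteredToken, ReentrancyBlocked):
        pass  # hardened pool rejects the whole deposit (a revert on-chain)
    return pool.shares.get(attacker, 0), real_amount


if __name__ == "__main__":
    print("vulnerable:", run_scenario())                      # (1600000, 800000)
    print("token check:", run_scenario(check_token=True))     # (0, 800000)
    print("reentrancy guard:", run_scenario(guard=True))      # (0, 800000)
```

In the vulnerable run the inner (real) deposit moves 800,000 DAI into the pool and mints 800,000 shares; when control returns to the outer (fake) deposit, its own before/after comparison sees the same 800,000 growth and mints a second 800,000, which is the "minted the same tokens twice" outcome the post-mortem describes. Checking the token up front removes the attacker's callback entirely, and the guard rejects the nested call even if an untrusted token were somehow accepted; deploying both is the conservative choice.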