Decentralized finance (defi) protocol Akropolis was recently hacked for $2 million in DAI, in the most recent flash loan attack to hit the 'nascent defi industry'.
When the attack occurred, (GMT timezone) Akropolis admins stopped all transactions on the platform to forestall further losses.
In a statemen on Nov. 12, Akropolis revealed that the hack was executed over an assemblage of s contracts in its "savings pools".
The attacker stole the platform's Ycurve pool in batches of $50,000 in the stablecoin DAI. This specific pool permits investors to trade stablecoins and procure interest.
Despite the fact that Akropolis says that it recruited two firms to further investigate the incident, yet unfortunately neither one of the companies were able to pinpoint the attack vectors utilized in the exploit.
“At ~14:36 GMT we noticed a discrepancy in the APYs of our stablecoin pools and identified that ~2.0mn DAI had been drained out of the Ycurve and sUSD pools,” revealed Akropolis.
The hacker though was still able to discover loop holes to exploit, wiring his 'loot' to this address. Akropolis clarified additionally: “The attack vectors used in the exploit were not identified in either audit. The essence of the exploit in question is a combination of a re-entrancy attack with Dydx flash loan origination.”
Flash loan attacks have gotten rather common against cryptocurrency services running DeFi (decentralized financed) platforms that enables users to either borrow or loan 'using cryptocurrency, speculate on price variations, and earn interest on cryptocurrency savings-like accounts.'
These attacks are noticed to have been on a quite steady rise since early February this year, and one of the biggest flash loan attacks occurred just a month ago, in October, when hackers stole $24 million worth of cryptocurrency assets from DeFi service Harvest Finance.
Others pools were fortunately not affected. These included compound DAI, compound USDC, AAVE sUSD, AAVE bUSD, curve bUSD, curve sBTC. Native AKRO and ADEL staking pools were also left untouched.
Nonetheless, the Akropolis group said that it is still looking for approaches to repay the affected user “in a way that is sustainable for the project”. All stable coin pools have been put on a hold currently, it added.