With billions of dollars at stake, it’s no surprise that the decentralized finance (DeFi) space has been filled with hacks and exploits on innocent contracts.
To name one of the many recent exploits of DeFi contracts, Harvest Finance was hacked for $ 25-33 million in stablecoins due to a so-called “flash loan attack”. There was a flaw in economic logic that the developers of Harvest ignored, allowing a technically capable attacker to drain funds.
Similar attack vectors have been exploited with contracts like that of Eminence Finance, an Ethereum-based game in which users invest millions despite no official launch announcement.
Not to mention, there are a number of groundbreaking bugs that are fixed before they can be exploited. For example, the developers of Yearn.finance (YFI) had to fix a bug that would have allowed a user to steal $ 650,000 worth of stablecoins from one of their products. The insect was similar to the one used to drain Harvest bottoms.
Unfortunately, not all bugs can be detected before they are exploited.
Today, MakerDAO’s $ 2 million worth of DAI stablecoin was drained from Akropolis. Akropolis is a full-stack DeFi protocol that focuses on allowing “normies” to save and earn money on their stablecoins. Their savings product is one that was exploited by an unknown attacker.
The Ethereum DeFi Akropolis application was hacked for $ 2 million
Early Thursday, Ethereum analysts and Akropolis users began noticing suspicious transactions involving Akropolis’s savings product, called Delphi.
It quickly became clear that an attack had taken place.
Data on the chain indicated that DAI from Akropolis had been channeled to an address interacting with the protocol dozens of times per minute, suggesting that something was going on.
Within twenty minutes, the attacker sent dozens of transactions to a number of Delphi savings pools in Akropolis, each time draining a sum of DAI from the pool’s total.
In all, 2,030,000 DAI had been withdrawn from Akropolis ostensibly illicitly.
Those stablecoins were sent to an address and have remained there ever since. The apparent attacker has yet to send a transaction from the address where the exploited funds are located.
What happened?
Crypto-asset audit and security firm PeckShield, which has been focusing on DeFi for the past few months, analyzed the details of the attack hours after it happened.
To put it simply, the attacker used a flash loan from dYdX to trick Akropolis’ smart contracts into believing he had deposited funds that the attacker didn’t actually have. While some funds were being deposited, the attacker was provided with liquidity tokens of more than the deposited amount, creating a discrepancy that could lead to large withdrawals from the pool.
“The exploitation has resulted in a large number of billiard tokens being minted without being backed by valuable resources. The redemption of these minted pooltokens is then exercised to drain approximately 2.0 million DAI from the affected YCurve and sUSD pools, ”Peckshield wrote.
Akropolis also responded to the attack, writing that they are reviewing the code and looking for ways to reimburse protocol users who have been affected.
Only two of the ten pools on the platform were affected.
Do you like what you see? Sign up for daily updates.