Akropolis DeFi protocol ‘paused’ as hackers get away with $2M in DAI

Hackers were reportedly able to exploit savings pools at Gibraltar-based decentralized finance protocol Akropolis, getting away with more than $2 million in stablecoins. 

The firm stated on Twitter on Nov. 12 that it had identified a hack “executed across a body of smart contracts in the savings pools.” Akropolis said the areas targeted by the hackers had already been audited twice, and only included “Curve Y and Curve sUSD savings pools.”

Ethereum blockchain records show the hackers got away with more than 2,030,850 Dai by exploiting these savings pools. They then moved the funds to a different address.

Akropolis has since issued a statement on its website stating that “the majority of funds” are safe and it would be pausing all stablecoin pools. The firm added that it was “exploring ways” to reimburse affected users.

Akropolis founder and CEO Ana Andrianova has disputed claims that the attack was executed in a similar manner to the one on decentralized finance protocol Harvest Finance in October. In that case, hackers were able to exploit more than $24 million from the DeFi project’s pools and swap it for renBTC (rBTC). Akropolis stated that the exploit used was “a combination of a re-entrancy attack with dYdX flash loan origination.”

CertiK, the security company firm that audited Akropolis’ smart contracts, seemingly missed the two attack vectors used by the hackers in this case. The company also reportedly conducted audits on lending protocol bZx, which has been attacked three times this year. 

Data from crypto analytics firm CipherTrace reported on Tuesday suggest that while hacks on decentralized finance protocols were “virtually negligible” in 2019, they now account for 20% of crypto losses from thefts and hacks.

“The surge in DeFi was what ultimately attracted criminal hackers, resulting in the most hacks for the sector this year,” stated the report.