An unknown attacker emptied the YCURVE and sUSD liquidity pools of the Akropolis project in DAI stablecoins for $2 million. He hacked smart contracts that have been audited twice.
According to the observations of analyst Steven Zheng, the hacker withdrew assets in tranches of 50,000 DAI for seven hours until the liquidity in the pools was completely exhausted.
Subsequently, the attacker transferred the funds to a new address.
The Akropolis DeFi project allows you to take loans and generate returns on cryptocurrency deposits.
According to the project statement, the pools have been tested by two independent audit firms. They did not find a vulnerability in the savings part of the service using the Curve protocol. The hacker carried out a series of attacks with the receipt of instant loans (flash loans). Such loans are returned within one block of transactions, allowing you not to use collateral.
The project team has started to implement a number of security procedures. All stablecoin pools are suspended, exchanges have received notifications. Third-party security specialists are studying the problem together with developers.
Funds in Compound DAI, Compound USDC, AAVE sUSD, AAVE bUSD, Curve bUSD and Curve sBTC, as well as in native AKRO and ADEL tokens were not affected and are safe.
The project is exploring ways to compensate users for losses and will submit its proposal in the near future.
Amid reports of hacking, the Akropolis (AKRO) exchange rate fell by 23% at the moment. The price reduction for the last day was 18.9%.
AKRO/USD hourly chart from CoinGecko.
The incident as a whole did not affect the decentralized finance sector. According to DeFi Pulse, the volume of blocked funds in the protocols set a new record of $13.74 billion.
Recall that at the end of October, a hacker withdrew $19.8 million from the Harvest Finance platform through manipulation of stablecoin rates in the Curve DeFi protocol.