Share this article

DeFi Project Akropolis Drained of $2M in DAI

Decentralized finance platform Akropolis’ yCurve pools have been drained resulting in the loss of $2 million.

Updated Sep 14, 2021, 10:30 a.m. Published Nov 12, 2020, 7:51 p.m.

miltiadis-fragkidis-LTRB5CiM0Yo-unsplash

Decentralized finance (DeFi) platform Akropolis has suffered a $2 million loss following a re-entrancy attack utilizing a flash loan from derivatives platform dYdX, according to Akropolis founder and CEO Ana Andrianova.

STORY CONTINUES BELOW

Don't miss another story.Subscribe to the The Protocol Newsletter today. See all newsletters

By signing up, you will receive emails about CoinDesk products and you agree to our terms of use and privacy policy.

The attacker pulled out tranches of $50,000 in DAI from the project’s yCurve and sUSD pools, according to The Block researcher Steven Zheng and Andrianova. The attacker collected $2 million worth of the stablecoin before exhausting the pools.
A re-entrancy attack allows a user to withdraw more funds from a contract than the contract holds. Ethereum's 2016 The DAO hack was also a re-entrancy attack.
Akropolis’ Delphi savings pool was audited twice, the team said in the Discord, once by CertiK and also by firms SmartDec and Pessimistic.
Andrianova told CoinDesk an autopsy of the attack will be released Friday.

Not quite, we will publish a detailed retro shortly. Two attack vectors have unfortunately been missed despite two audits. I will link a post-mortem and next steps here.
— Ana A. (@ana_andrianova) November 12, 2020

Update (November 12, 22:00 UTC): New communications from Akropolis including the type of attack have been added.

DeFi Exploits Akropolis

William Foxley

Will Foxley is the host of The Mining Pod and publisher at Blockspace Media. A former co-host of CoinDesk's The Hash, Will was the director of content at Compass Mining and a tech reporter at CoinDesk.