DeFi project Akropolis exploited for over $2 million

Decentralized finance (DeFi) protocol Akropolis lost $2 million in DAI in an exploit on Thursday morning.

According to an update from the Akropolis team, a post-mortem analysis is forthcoming, and the team is exploring ways to reimburse those affected.

Akropolis is a DeFi lending and savings service provider that enables users to take out loans and generate yield on cryptocurrency deposits. The savings portion of the service, which utilizes Curve protocol, was exploited in the attack earlier in the day.


Keep up with the latest news, trends, charts and views on crypto and DeFi with a new biweekly newsletter from The Block's Frank Chaparro

By signing-up you agree to our Terms of Service and Privacy Policy
By signing-up you agree to our Terms of Service and Privacy Policy

The contract address 0xe2307837524Db8961C4541f943598654240bd62f, which appears to the exploiter, executed a series of dYdX flash loan attacks on Akropolis' YCurve and sUSD savings pools before sending the resulting $2 million DAI to a different address: 0x9f26ae5cd245bfeeb5926d61497550f79d9c6c1c. The funds do not appear to have left that address as of the time of writing.

Flash loans allow users to borrow funds instantly, given they are returned within one transaction block, meaning users can take advantage of uncollateralized loans. In the case of the Akropolis attack, a combination of a re-entrancy attack and dYdX flash loan origination exploited the savings pools. The pools had been audited by two firms, according to Akropolis, but the attack vectors used by the hacker were not identified in either audit.

The majority of the funds on the protocol are safe, according to Akropolis. Compound DAI, Compound USDC, AAVE sUSD, AAVE bUSD, Curve bUSD and Curve sBTC were unaffected. Native AKRO and ADEL staking pools were also untouched. 

In the meantime, all stablecoin pools have been paused and exchanges have been informed of the hack. The Akropolis team is in discussions with security specialists as it reviews its development and security processes for the coming analysis.

About Author

Aislinn Keely is a reporter on The Block's policy team holding down the legal beat. She covers court decisions, bankruptcies, regulatory actions and other key moments in the legal sphere, putting them in context for the wider crypto industry. Before The Block, she lent her voice to the NPR affiliate WFUV and helmed Fordham University's student newspaper. Send tips or thoughts on all things policy and legal to or follow her on Twitter for updates @AislinnKeely.