With the billions of dollars floating around, it’s no surprise that hacks and software bugs keep popping up in the decentralized finance (DeFi) space.
To name one of the many recent weaknesses of DeFi contracts: Harvest Finance was hacked into Bitcoin Freedom for 25-33 million dollars – due to a so-called „flash loan attack“.
There was a flaw in the economic logic that the developers at Harvest ignored and that allowed a tech-savvy attacker to withdraw funds.
Similar attack vectors have been exploited with contracts like that of Eminence Finance, an Ethereum- based game that users have invested millions in even though there was no official launch announcement.
The hack transactions on Etherscan
Not to mention, there are a number of fatal mistakes. For example, the developers at Yearn.finance (YFI) had to fix a bug that would have allowed a user to steal $ 650,000 worth of stablecoins from one of their products.
The error was similar to the one used to withdraw funds from Harvest. Unfortunately, not all bugs are discovered and eliminated before they are exploited.
MakerDAO’s Stablecoins worth around $ 2 million were recently stolen from the Akropolis app. Akropolis is a full-fledged DeFi protocol that focuses on giving „normal people“ the opportunity to save their stablecoins and earn interest. Your savings product has now been exploited by an unknown attacker.
Acropolis Ethereum DeFi application hacked for $ 2 million
Early Thursday, Ethereum analysts and Acropolis users began to notice suspicious transactions in the Acropolis savings product called Delphi.
It quickly became clear that an attack had taken place. Data from the chain indicated that the DAI had been routed from Acropolis to an address that was interacting with the log dozens of times per minute – suggesting something was going on.
Within twenty minutes, the attacker sent dozens of transactions to a number of Acropolis Delphi savings pools, each time subtracting a sum of the DAI from the pool.
A total of 2,030,000 DAI were apparently illegally withdrawn from the Acropolis.
These stablecoins were sent to an address and have been there ever since. The alleged attacker has not yet sent a transaction from the address where the stolen funds are located.
How did that happen?
Crypto asset auditing and security firm PeckShield, which has been focusing on DeFi for the past few months, has broken down the details of the attack hours after it was carried out.
To keep it simple, the attacker used a lightning loan from dYdX to trick Akropolis‘ smart contracts into thinking they had deposited funds that the attacker really didn’t have. While some funds were being deposited, the attacker was provided with liquidity tokens worth more than the amount deposited, creating a discrepancy that could result in large withdrawals from the pool.
“The exploit resulted in a large number of pool tokens that were minted without being backed by valuable assets. The withdrawal of these coined pool tokens will then be exercised in order to deduct around 2.0 million DAI from the YCurve and sUSD pools concerned, ”said Peckshield.
Akropolis has also responded to the attack, writing that they are reviewing the code and looking for ways to compensate the affected users of the protocol.