AKRO, ranked 268th by market capitalization on Coinpaprika, is trading at USD 0.0097 this morning (at 7:27 UTC). It dropped 19.88% in a single day, trimming its weekly gains to 11%. Meanwhile, the price fell 40% in a month.
In the November 12 official announcement, the Akropolis team said that they had first noticed a discrepancy in the annual percentage yields (APYs) of their stablecoin pools at 14:36 UTC. The investigation that followed found that some DAI 2 million had been drained out of the yCurve and sUSD pools. Other pools named in the announcement have not been affected.
The majority of the funds are safe, the report said, and the stolen funds are held in a wallet identified by the team, which currently holds USD 2,051,159 in the DAI stablecoin, USD 5,325 in ethereum (ETH), and less than a dollar in PKG Token (PKG).
“We are exploring ways to reimburse users for the loss in a way that is sustainable for the project, and will make a proposal to the community prior to any final decision being made,” said the announcement.
Even though the pools had already been audited by two independent firms, the team said, there were still unidentified attack vectors left for the attacker to exploit. Akropolis founder and CEO Ana Andrianova tweeted that “[t]wo attack vectors have unfortunately been missed despite two audits.”
The attack itself was executed via “a combination of a re-entrancy attack with dYdX flash loan origination.” In a re-entrancy attack, a contract makes an external call to another contract before it has finished updating its own state, and the called contract uses that window to call back into the original function. One of the most well-known re-entrancy attacks was the DAO hack in 2016, which drained it of some ETH 3.6m, at the time valued at some USD 50m. These types of attacks are not new, and they are “devastating for two reasons: they can completely drain your smart contract of its ether, and they can sneak their way into your code if you’re not careful,” wrote Solidity Engineer and Founder of APY.Finance, Will Shada, in a Coinmonks post.
All stablecoin pools are paused, said Akropolis, and exchanges have been informed about the issue, while the team has begun working with security specialists on reviewing the code and security procedures. A post-mortem will follow.
This is far from the first attack seen in the past few months alone, and the earlier ones often involved flash loans. DeFi liquidity provision platform Balancer (BAL) was hacked at the end of June in an attack that involved taking a flash loan in ethereum from the non-custodial exchange dYdX. In October, another DeFi project, Harvest Finance, also suffered a flash loan attack with millions in funds stolen.