Despite being around for years, securing cryptocurrency assets continues to be a challenge. Hence, joining the list of cryptocurrency attack victims, Akropolis emerges as the latest target. Reportedly, hackers stole $2 million worth of assets from Akropolis cryptocurrency service in a recent cyber attack.
Akropolis Service Suffered Cyber Attack
Cryptocurrency lending and borrowing service Akropolis has recently suffered a cyber attack. The hackers managed to infiltrate their systems and steal $2 million worth of cryptocurrency assets.
According to Acropolis, the service faced a ‘flash loan attack’ earlier this week. In a flash loan attack, the attackers apparently enter the system to loan funds. Later, they meddle with the code or use known exploits to bypass the loan process and steal funds.
As Akropolis elaborated in a notice on their website,
We noticed a discrepancy in the APYs of our stablecoin pools and identified that ~2.0mn DAI had been drained out of the Curve Y and Curve sUSD pools…
The essence of the exploit in question is a combination of a re-entrancy attack with dYdX flash loan origination.
In a subsequent update, They also disclosed the attackers’ wallet address.
Also, they elaborated on the two vulnerabilities that triggered the attack and the subsequent los of assets.
There exist two bugs related to the Deposit flow:
1. No check that tokens deposited are actually the ones registered in our contracts.
2. Re-entrance issue with “transferFrom” function which an attacker was able to exploit because of first bug.
Following the incident, Akropolis involved two independent firms to audit the pools. Also, as they investigated the matter, they confirmed that all other pools, except Curve Y and Curve sUSD pools, remained unaffected.
Moreover, they also informed other exchanges and involved security experts for resolution.
Besides, to avoid such incidents in the future, they have fixed the vulnerabilities. The patches include implementation of a check on the incoming tokens and applying Reentrancy Guard to block re-entrance attacks.
Additionally, they deployed some other fixes to ensure secure transactions in the future.
As for the losses, Akropolis is exploring strategies to reimburse the affected users safely.