Security

Cryptocurrency Service ‘Akropolis’ Lost $2 Million to Hacker Attack

By Bill Toulas / November 14, 2020

‘Akropolis,’ a popular crypto-exchange platform, has found out about the existence of two critical vulnerabilities the hard way. According to the relevant announcement, a hacker has created a “flash-loan” to borrow funds from the service using a fake token, resulting in the stealing of about $2 million in DAI. To achieve that, the intruder exploited a flaw that concerns the absence of token verification and a re-entrance bug in the “transferFrom” function.

The fixes for the above have been applied and are already in the testing phase, but the "payout" for their discovery was pretty big. In the meantime, all stablecoin pools have been paused, the exchanges have been informed about the incident, all security processes are under scrutiny, and specialists are working feverishly to resolve all identified problems. The affected pools from where the DAI was drained are “Curve Y” and “Curve sUSD,” which had been previously audited. However, the attacker used bugs that weren’t identified by the auditors.

The wallet that holds the stolen files has been identified and is under monitoring, while all exchanges were informed accordingly not to accept any trades from it. It will be extremely hard for the attacker to move the funds around now, so the two million USD may remain stuck there for a while. This leaves the affected users in a difficult position, as there’s no clear reimbursement plan for them yet.

Akropolis has published an open letter addressed to the hacker, hoping that they will manage to convince the person to return the funds to their rightful owners. The platform offers a $200,000 bug bounty if the crypto is returned, which is a hefty amount.

The hacker was given 48 hours (13 hours ago) to decide whether he/she is willing to cooperate or not, after which law enforcement action will be pursued. Akropolis stated that they have not contacted any law enforcement authorities and that there’s no criminal investigation taking place yet.

Bugs in crypto exchange platforms are unfortunately an unavoidable reality, and skillful hackers know that they can get away with millions in just a couple of minutes if they devise a way to do it. Recently, we covered a catastrophic attack against ‘KuCoin,’ another one against ‘Harvest Finance,’ and even the potential for massive hacks against ‘Lykke’ and ‘Hubdex.’ In the case of Akropolis, not even the security audits carried out by two independent experts could save them from hackers.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: