Flash loans strike again in decentralized finance. Akropolis, a Gibraltar-based DeFi platform, has fallen victim to the latest attack, with hackers securing approximately $2 million in DAI from its sa
Flash loans strike again in decentralized finance. Akropolis, a Gibraltar-based DeFi platform, has fallen victim to the latest attack, with hackers securing approximately $2 million in DAI from its savings pools.
The incident surfaced around 14:36 GMT when Akropolis detected abnormalities in their stablecoin pool yields. Further analysis revealed the extent of the breach: approximately 2.0 million DAI had vanished from both the yCurve and sUSD reserve pools. The attack came from contract address 0xe2307837524Db8961C4541f943598654240bd62f.
The assault blended re-entrancy vulnerability with dYdX flash loan infrastructure. This lethal combination allowed the attacker to manipulate token flows across multiple steps within a single transaction. Once successful, the hacker transferred the $2 million DAI to another wallet instead of holding it.
The timing adds particular frustration: audits from two separate security firms had already reviewed these pools. Yet neither assessment caught the vulnerability that was ultimately exploited. Akropolis now must execute a thorough post-mortem analysis while crafting a compensation strategy that preserves the protocol's viability.
Relief comes in knowing most assets escaped unscathed. The Compound USDC, Compound DAI, AAVE bUSD, AAVE sUSD, Curve sBTC, and Curve bUSD pools all survived untouched. The ADEL and Native AKRO staking pools similarly dodged the strike.
In response, Akropolis halted all stablecoin pool operations and alerted exchanges to the situation. Security consultants are now partnering with the team to reinforce the platform's infrastructure.
Founder Ana Andrianova moved quickly to address online chatter about the incident. She disputed suggestions that this attack mirrors the Harvest Finance breach from last month, stressing that the two exploits differ fundamentally in their mechanics. That assault proved significantly more damaging, stripping Harvest of $34 million in USDC and USDT. Andrianova also differentiated this event from the $350,000 bZx incident earlier in the year, underscoring the constantly shifting landscape of DeFi vulnerabilities.
