Decentralized finance (DeFi) protocol Akropolis lost $2 million in DAI in a flash-loan attack last Thursday.
According to the cryptocurrency lending and savings service, a protocol vulnerability allowed the attacker to siphon the funds without triggering the platform's loan mechanisms.
In a statement on November 13, Akropolis said the “attack vectors used in the exploit were not identified” during audits conducted by two contracted firms.
“These pools had been audited by two independent firms; however, the attack vectors used in the exploit were not identified in either audit,” the company said. “The essence of the exploit in question is a combination of a re-entrancy attack with dYdX flash loan origination.”
Although “the majority of funds on Akropolis are safe,” the DeFi project is now exploring ways to reimburse any impacted individuals.
During an internal investigation, the company identified the Ethereum account to which the attacker transferred the funds. In an attempt to negotiate with the perpetrator, the company wrote an open letter urging him to cooperate and restore the funds to community members in return for a $200,000 bug bounty.
“We would like to propose that you return the funds of our community members within 48 hours and in return we will offer a $200,000 USD bug bounty,” the letter reads. “We will take measures to protect your identity as required. If you decide not to cooperate we will pursue criminal action and contact law enforcement. We hope that we can work together towards a resolution, thank you for your time.”
At the time of writing, there have been no signs of good faith from the attacker, and it seems the company will need to find a different way to reimburse affected members.
Despite this setback, Akropolis has fully disclosed the attack, confirming a number of contract-level fixes intended to prevent similar incidents.