Several of the pools within the project’s Delphi Savings pool for yield farming were drained of over 2 million DAI, worth roughly $2 million.
“At ~14:36 GMT we noticed a discrepancy in the APYs of our stablecoin pools and identified that ~2.0mn DAI had been drained out of the yCurve and sUSD pools,” the project reported in a statement released the evening of November 12.
Curve is a protocol for trading stablecoins and earning interest. According to Akropolis, other Curve pools—bUSD and sBTC—as well as its Aave and Compound pools weren’t affected.
The attacks seemingly come as a surprise for Akropolis, which said the pools had undergone two independent audits. “However, the attack vectors used in the exploit were not identified in either audit,” it said “The essence of the exploit in question is a combination of a re-entrancy attack with dYdX flash loan origination.”
The hacker didn’t keep the stolen funds for long, immediately transferring the pilfered winnings to another wallet.
Akropolis has committed to reviewing the code and "exploring ways to reimburse users for the loss in a way that is sustainable for the project." While it does so, it's paused all stablecoin pools and says it has informed exchanges of the hack.
Late last month, Harvest Finance lost around $34 million in USDC and USDT stablecoin reserves due to a flash loan attack. Earlier in the year, bZx's margin-trading platform was the target of a $350,000 exploit.
Editor's note: This article has been updated from its original version with more information.