Last Update Timestamp: 08 Dec 2020, 1500GMT. Any material updates will be shared via all our social media channels.

Started at 11:50:41 AM +UTC, 12 November 2020, Akropolis was attacked by exploiting its flawed handling of the deposit logic in its SavingsModule smart contract. The hack results in a loss of 2,030,841.0177 DAI from the affected YCurve and sUSD pools. The stolen funds are currently held here: https://etherscan.io/address/0x9f26ae5cd245bfeeb5926d61497550f79d9c6c1c. The account has been blacklisted.

Incident Summary

This incident was due to a bug in the protocol without (1) validating the supported tokens and (2) enforcing reentrancy protection on the deposit logic. The exploitation leads to a large number of pooltokens minted without being backed by valuable assets. The redemption of these minted pooltokens is then exercised to drain about 2.0mn DAI from the affected Curve Y and Curve sUSD pools.

Third-party Reviews

Status Update: 24 Nov 2020

What’s Been Done

Basic operations without rewards:

✅ Stake;

✅ Full unstake.

Basic operations with rewards via RewardVestingModule:

✅ Stake, receiving rewards, unstake.

Operations with limits: