At ~14:36 GMT we noticed a discrepancy in the APYs of our stablecoin pools and identified that ~2.0mn DAI had been drained out of the yCurve and sUSD pools.
These pools had been audited by two independent firms, however, the attack vectors used in the exploit were not identified in either audit. The essence of the exploit in question is a combination of a re-entrancy attack with dYdX flash loan origination.
The Akropolis team is currently working through a number of security procedures. The majority of funds on Akropolis are safe. Here is the current status:
YCurve and sUSD pools were drained of ~DAI 2.0mn
The stolen funds are currently held in this wallet: https://etherscan.io/address/0x9f26ae5cd245bfeeb5926d61497550f79d9c6c1c
Compound DAI, Compound USDC, AAVE sUSD, AAVE bUSD, Curve bUSD, Curve sBTC;
Native AKRO and ADEL staking pools.
All stablecoin pools are paused;
Security specialists have been engaged;
Our dev and security processes are being reviewed
We are reviewing the code and security procedures, and will publish a post-mortem with our analysis as soon as possible;
We are exploring ways to reimburse users for the loss in a way that is sustainable for the project, and will make a proposal to the community prior to any final decision being made.
We are extremely grateful for the many expressions of support and offers of help we have received in what is a challenging day for our team.
The Akropolis Team