Delphi Savings Pool Exploit

November 12, 2020

At ~14:36 GMT we noticed a discrepancy in the APYs of our stablecoin pools and identified that ~2.0mn DAI had been drained out of the yCurve and sUSD pools.

These pools had been audited by two independent firms, however, the attack vectors used in the exploit were not identified in either audit. The essence of the exploit in question is a combination of a re-entrancy attack with dYdX flash loan origination.

The Akropolis team is currently working through a number of security procedures. The majority of funds on Akropolis are safe. Here is the current status:

Affected Pools:

• YCurve and sUSD pools were drained of ~DAI 2.0mn

• The stolen funds are currently held in this wallet: https://etherscan.io/address/0x9f26ae5cd245bfeeb5926d61497550f79d9c6c1c

Not Affected:

• Compound DAI, Compound USDC, AAVE sUSD, AAVE bUSD, Curve bUSD, Curve sBTC;

• Native AKRO and ADEL staking pools.

Actions taken:

• All stablecoin pools are paused;

• Exchanges informed;

• Security specialists have been engaged;

• Our dev and security processes are being reviewed

Next Steps:

• We are reviewing the code and security procedures, and will publish a post-mortem with our analysis as soon as possible;

• We are exploring ways to reimburse users for the loss in a way that is sustainable for the project, and will make a proposal to the community prior to any final decision being made.

We are extremely grateful for the many expressions of support and offers of help we have received in what is a challenging  day for our team.

Thank you,

The Akropolis Team