Akropolis project gets hacked, $2 million in DAI taken

Akropolis was hacked, and the attacker took out 2 million dollars in DAI, a stablecoin pegged to USD. The exploit involved its Curve savings pools.


This is the exploiter’s address: 0xe2307837524Db8961C4541f943598654240bd62f. It looks like they were executing batches of $50k attacks around 7 hours ago, and then sent the $2 million in gains in this transaction to a different address, where it now sits.

While we don’t understand how Akropolis works, I am going to go out on a limb here and assume this was a price-manipulation attack similar to the one performed on Harvest.

Two attack vectors have unfortunately been missed despite two audits. This is just a new, more efficient method of ensuring developers are fairly reimbursed for their hard work. On the surface it looks like some roll-your-own “share price” issue involving Curve again, but we are not entirely sure yet.

We think it is more in the “economic exploit” league once again. Looking further, it comes down to the attacker depositing a token crafted to manipulate the output of a normalization function. Very interesting. We are eager to see the post-mortem of this.