
Chengdu ChainSecurity: Analysis of the Reentrancy Attack on DeFi Lending Protocol Akropolis
TechFlow Selected TechFlow Selected

Chengdu ChainSecurity: Analysis of the Reentrancy Attack on DeFi Lending Protocol Akropolis
Akropolis, as a DeFi lending and storage service provider, uses the Curve protocol for its storage component, which was exploited in the attack earlier that day.
Recently, the DeFi lending protocol Akropolis was attacked by hackers. Ana Andrianova, founder and CEO of Akropolis, stated that the attacker exploited flash loans on the derivatives platform dYdX to carry out a reentrancy attack, resulting in a loss of $2 million.
After receiving an alert from Beosin-Eagle Eye, its self-developed blockchain security threat awareness platform, the Chengdu Chain Security (Beosin) team immediately investigated the incident and found:
1. Akropolis was indeed attacked
2. The attacker's contract address is
0xe2307837524db8961c4541f943598654240bd62f
3. The attack method was a reentrancy attack
4. The attacker profited approximately $2 million
Attack Method Analysis
By analyzing on-chain transactions, it was discovered that the attacker minted tokens twice, as shown in the figure below:


However, according to transaction call data from oko.palkeo.com, the attacker only called the deposit function once, as shown in the figure below:

By tracing the function calls, the Chengdu Chain Security team discovered that when calling the deposit function, the attacker set the token parameter to their own malicious contract address. When the contract executed transferFrom, it called the user-specified contract address, as shown in the figure below:

Code analysis revealed that during the deposit function call, users can specify the token parameter, as shown in the figure below:

The depositToprotocol function called within deposit contains a call to the safeTransferFrom function of the specified tkn address, allowing the attacker to construct a "safeTransferFrom" function to perform a reentrancy attack.

Incident Summary
As a DeFi lending and storage service provider, Akropolis uses the Curve protocol for its storage component, which had been exploited earlier that day. The attacker withdrew $50,000 worth of DAI from the project’s yCurve and sUSD pools, ultimately stealing a total of $2 million worth of DAI before draining these pools.
In this attack, the hacker used a reentrancy attack combined with dYdX flash loans to drain the liquidity pool. Asset pools are critical defense points in protocols. Project teams must prioritize security prevention and protective measures for such funds. Especially given the evolving tactics of attackers, regular comprehensive audits and code upgrades are essential.
Finally, Chengdu Chain Security strongly urges project teams never to overlook security audits and regular inspections, while investors should remain vigilant about security and mindful of investment risks.
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News














