Akropolis (Delphi savings pool): Flash loan + fake token reentrancy — malicious ERC20 deposit triggers re-entrant deposit() before balance update
Summary
Akropolis (Delphi savings pool), a Yield Aggregator / Savings Pool protocol, was exploited on 2020-11-12, resulting in a loss of approximately $2M.
What happened
Akropolis lost $2M DAI when an attacker exploited a reentrancy bug in the deposit function using a fake ERC20 token. The bug had survived reviews by three separate auditors, and the attack ran as repeated $50K batches over eight hours.
Linked factors
- RD-F-008 — illustrative: Bug survived review (RD-F-008 = ignored disclosure; closest semantic match for audit-missed-bug) [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Audited — reentrancy bug survived three audits]
- RD-F-090 — illustrative: Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Repeated $50K batch attacks for ~8 hours before discovery]