defirisk.co
rubric v1.7.0

Atlantis Loans: Governance attack on abandoned protocol — attacker passed malicious proposal granting token contract control, then upgraded to drain addresses with active approvals

Occurred: 2023-06-10 | Loss: $3M | Status: closed

Summary

Atlantis Loans (category: Lending / Money Market) suffered a governance attack on 2023-06-10, resulting in a loss of approximately $3M.

What happened

Atlantis Loans was abandoned by its developers in April 2023 — but its governance still worked, and an attacker used it to pass a malicious proposal, take control of the token contracts, and drain $2.5M from addresses that never revoked their approvals.

Linked factors

  • RD-F-006 — causal : Audit-deploy gap — alternate field name [via dashboard_risk_factors/Code newly deployed/upgraded?: Yes — attacker deployed malicious upgrade post-governance takeover]
  • RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: None (project abandoned)]
  • RD-F-101 — illustrative : Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action (Y/N): Y — the malicious governance proposal was the root cause]
  • RD-F-126 — causal : Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Likely a Compound/Aave fork (BSC lending)]
  • RD-F-127 — related : Upstream Compound has patches that may not be merged here [via dashboard_risk_factors/Forked?: Likely a Compound/Aave fork (BSC lending)]