Decentralized finance (DeFi) project Akropolis has lost over $2 million in DAI after hackers managed to exploit it via a flash loan taken out on dYdX. Akropolis is a DeFi lending and savings service provider.

On social media, the team behind Akropolis stated it identified a hack was executed “across a body of smart contracts in the savings pools,” and added that the areas targeted by the hackers had already been audited twice.

Akropolis has revealed in a blog post that over 2 million DAI were drained from its yCurve and sUSD pools, and that the exploits had not been identified in either audit. The attack, the team wrote, came from a “combination of a re-entrancy attack with dYdX flash loan origination.”

The team behind the project quickly paused all stablecoin pools reacting to the attack, and clarified in its analysis that its other stablecoin pools were not affected, nor were its staking pools. Cryptocurrency exchanges have already been informed, and security specialists were contacted.

The post adds:

We are exploring ways to reimburse users for the loss in a way that is sustainable for the project, and will make a proposal to the community prior to any final decision being made.

Blockchain data shows that the hacker has 11.5 ether in its wallet, as well as the 2.03 million DAI it drained from Akropolis. On social media the project’s founder and CEO Ana Andrianova claimed the exploit wasn’t similar to the one used against Harvest Finance in October.

Akropolis was audited by security firm CertiK, which seemingly missed two exploited attack vectors. CertiK, it’s worth noting, reportedly also conducted audits on bZx, a lending protocol that was exploited three times this year.

Featured image via Pixabay.