Cryptocurrency platform dangles ‘bug bounty’ carrot to hacker who stole $2 million

Akropolis has not yet gone to law enforcement, giving the hacker time to consider the proposal.
Written by Charlie Osborne, Contributing Writer

Akropolis has offered the hacker who stole $2 million in Dai cryptocurrency a "bug bounty" reward in return for the missing funds.

In an open letter published on Medium, the cryptocurrency "community economy" platform proposed a $200,000 "reward" for the threat actor's cooperation. 


Describing the bug bounty payment "as compensation for your exploit," Akropolis said it "hope[s] that the hacker will take our offer into consideration and cooperate with the team to resolve the issue."

The platform revealed the theft of cryptocurrency from its platform last week. As previously reported by ZDNet, transactions were temporarily paused to stop more Dai tokens from being stolen in what is known as a "flash loan" attack.

Flash loan attacks occur on decentralized finance (DeFi) platforms. An attacker takes out an uncollateralized loan and then exploits a security weakness -- such as a vulnerability in the platform's smart contracts -- to bypass the loan mechanisms and walk away with the cryptocurrency they have 'borrowed.'


Since the cyberattack, Akropolis has internally investigated the exploit and is currently fixing "contract-level" issues. The company has also launched an external analysis of the incident together with partners and investors. 

However, Akropolis has chosen not to go to law enforcement -- yet -- in the hope that the hacker will agree to the firm's proposal. 

"We would like to propose that you return the funds of our community members within 48 hours and in return, we will offer a $200,000 bug bounty," Akropolis said. "We will take measures to protect your identity as required. If you decide not to cooperate we will pursue criminal action and contact law enforcement."


There is no word as of yet, over 48 hours later, on whether the hacker responsible has accepted this proposal -- or what Akropolis' next course of action may be. At the time of writing, the stolen Dai coins are still being held in a blacklisted, attacker-controlled wallet.

In a project update on November 16, Akropolis said the threat actor was able to exploit the "flawed handling of the deposit logic in the SavingsModule smart contract."

"The exploitation leads to a large number of pool tokens minted without being backed by valuable assets," the company added. 

Checks for deposit tokens and whitelist functions have now been implemented. Akropolis is currently working on adding test coverage for staking pools, strengthening its security reviews, and deciding on how to compensate users. The platform is also on the hunt for two new senior developers to join the team.
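The two controls described above, a whitelist of accepted deposit tokens and a check that pool tokens are only minted against assets the pool actually holds, are easier to reason about in a small model. The following is an added example, not Akropolis' SavingsModule code (the article does not reproduce it); the `SavingsPool` class, the token symbols and the 1:1 valuation of whitelisted stablecoins are constructed assumptions for illustration. It shows the deposit path rejecting a non-whitelisted token and a backing invariant that a test suite or monitor can assert after every state change.

```python
from dataclasses import dataclass, field

# Constructed model of a savings-pool deposit path (hypothetical; not the
# article's SavingsModule). All whitelisted tokens are assumed to be
# dollar-pegged stablecoins valued 1:1, so reserves can be summed directly.


class DepositError(Exception):
    """Raised when a deposit fails the pool's checks."""


@dataclass
class SavingsPool:
    whitelist: set                                   # accepted deposit tokens
    reserves: dict = field(default_factory=dict)     # token -> units held
    pool_supply: int = 0                             # pool tokens minted
    balances: dict = field(default_factory=dict)     # account -> pool tokens

    def deposit(self, account: str, token: str, amount: int) -> int:
        """Accept a deposit and mint pool tokens; returns the amount minted."""
        # Check 1: only whitelisted deposit tokens may mint pool tokens.
        if token not in self.whitelist:
            raise DepositError(f"token {token!r} is not whitelisted")
        if amount <= 0:
            raise DepositError("deposit amount must be positive")
        # Check 2: credit reserves before minting so every pool token issued
        # is backed by assets the pool holds at the moment of minting.
        self.reserves[token] = self.reserves.get(token, 0) + amount
        minted = amount  # 1:1 under the stablecoin assumption above
        self.pool_supply += minted
        self.balances[account] = self.balances.get(account, 0) + minted
        return minted

    def backing_ratio(self) -> float:
        """Reserve units per outstanding pool token; below 1.0 means unbacked tokens exist."""
        if self.pool_supply == 0:
            return 1.0
        return sum(self.reserves.values()) / self.pool_supply


def check_backing(pool: SavingsPool) -> bool:
    """Invariant: total pool supply must never exceed reserves held."""
    return pool.backing_ratio() >= 1.0


def try_deposit(pool: SavingsPool, account: str, token: str, amount: int) -> bool:
    """Deposit wrapper returning False instead of raising, for monitors and tests."""
    try:
        pool.deposit(account, token, amount)
        return True
    except DepositError:
        return False


def demo() -> dict:
    """Walk through an accepted deposit, a rejected one, and an invariant breach."""
    pool = SavingsPool(whitelist={"DAI", "USDC"})       # constructed whitelist
    accepted = try_deposit(pool, "alice", "DAI", 1_000)  # whitelisted: minted
    rejected = try_deposit(pool, "mallory", "FAKE", 10**9)  # not whitelisted
    healthy = check_backing(pool)
    # Simulate the failure mode the article describes by inflating supply
    # without adding reserves; the invariant check must flag it.
    pool.pool_supply += 500
    return {
        "accepted": accepted,
        "rejected": rejected,
        "supply_after_deposits": pool.balances.get("alice", 0),
        "healthy_before_breach": healthy,
        "healthy_after_breach": check_backing(pool),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the non-whitelisted deposit being refused before it can mint anything, and the backing ratio dropping below 1.0 the moment supply grows without reserves; asserting `check_backing` after every state change is the kind of test coverage the article says Akropolis is adding to its staking pools.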

ZDNet has reached out to Akropolis for additional comment and will update when we hear back.
