A cryptography borrowing and savings company has offered an attacker $200,000 as a bug bounty in return for the $2m in funds they stole late last week.
Gibraltar-based Akropolis was attacked on Thursday, when an individual exploited a bug in the deposit logic of its SavingsModule smart contract to make off with a little over two million in DAI virtual currency.
However, the firm’s security company PeckShield claimed to have located the attacker’s Ethereum account, where the funds were transferred to, and said it is monitoring it for any further movement.
This could make it more challenging for the attacker to launder those funds, which might be why Akropolis published an open letter to them over the weekend.
“We have not contacted any form of law enforcement to pursue a criminal investigation. We would like to propose that you return the funds of our community members within 48 hours and in return we will offer a $200,000 USD bug bounty. We will take measures to protect your identity as required,” it said.
“If you decide not to co-operate we will pursue criminal action and contact law enforcement. We hope that we can work together towards a resolution, thank you for your time.”
In the meantime, Akropolis said it has fixed the issue at a contract level, performed an internal investigation with auditors and an external one with investors and exchange partners.
An attack on another decentralized finance (DeFi) protocol firm, Harvest Finance, at the end of October led to the theft of $24m. On that occasion the firm offered a $100,000 reward for the first person to contact the attacker and help them return the funds.