DeFi Platform Acala’s Stablecoin Falls 99% After Hackers Issue 1.3B Tokens

A bug in the protocol’s newly deployed iBTC-aUSD liquidity pool left the door wide open for hackers to exploit.

AccessTimeIconAug 15, 2022 at 8:52 a.m. UTC
Updated May 11, 2023 at 6:42 p.m. UTC
10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global hub for everything crypto, blockchain and Web3.Register Now

Polkadot-based decentralized finance (DeFi) platform Acala’s native stablecoin, aUSD, depegged on Sunday, plummeting 99% after hackers exploited a bug in a newly deployed liquidity pool to mint 1.28 billion tokens.

  • Acala developers said the bug was caused by a misconfiguration of the iBTC/aUSD liquidity pool shortly after it went live on Sunday. A liquidity pool is a digital pile of cryptocurrency locked in a smart contract, which results in creating liquidity for faster transactions on decentralized exchanges (DEX) and DeFi protocols.
  • After noticing the exploit, the Acala team disabled the transfer functionality of the “erroneously minted aUSD” remaining on the Acala parachain. Parachains refer to custom, project-specific blockchains that are integrated within the Polkadot and Kusama networks and can be customized for any number of use cases.
  • A wallet believed to belong to the attacker still contains approximately 1.27 billion aUSD. Acala has asked white-hat hackers to return the stolen funds to Polkadot or Moonbeam addresses.
  • On-chain sleuths have pointed out that the attacker who minted 1.28 billion aUSD was not the only person to take advantage of the bug – several other users allegedly stole thousands of dollars worth of DOT from the liquidity pool.
  • The Twitter account @alice_und_bob estimated that the "damage" was $0 to $10 million, "likely around 1.6M USD with chance of recovery."
  • Launched earlier this year, aUSD successfully held its soft peg to the U.S. dollar until the hack. After the attack, the price of aUSD plunged from roughly $1.03 per token to $0.009.
  • Acala developers said Sunday night that would continue to trace the on-chain activity to resolve the error mint of aUSD and try to restore aUSD peg.
  • Later on Monday, Acala community members created a proposal that would result in the return of all erroneously minted aUSD to the protocol and the tokens later being burnt.
  • Acala did not return requests for comments at press time.

UPDATE (Aug. 15, 07:41 UTC): Adds clarifying information throughout.

UPDATE (Aug. 15, 13:10 UTC): Adds details about the community proposal in the seventh bullet.

UPDATE (Aug. 15, 13:10 UTC): Adds estimate of damage from Twitter user @alice_und_bob.

Disclosure

Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

Cheyenne Ligon

Cheyenne Ligon is a CoinDesk news reporter with a focus on crypto regulation and policy. She has no significant crypto holdings.

Shaurya Malwa

Shaurya is the Deputy Managing Editor for the Data & Tokens team, focusing on decentralized finance, markets, on-chain data, and governance across all major and minor blockchains.


Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.