DeFi Platform Acala’s Stablecoin Falls 99% After Hackers Issue 1.3B Tokens
A bug in the protocol’s newly deployed iBTC-aUSD liquidity pool left the door wide open for hackers to exploit.
Polkadot-based decentralized finance (DeFi) platform Acala’s native stablecoin, aUSD, depegged on Sunday, plummeting 99% after hackers exploited a bug in a newly deployed liquidity pool to mint 1.28 billion tokens.
- Acala developers said the bug was caused by a misconfiguration of the iBTC/aUSD liquidity pool shortly after it went live on Sunday. A liquidity pool is a digital pile of cryptocurrency locked in a smart contract, which provides liquidity for faster transactions on decentralized exchanges (DEX) and DeFi protocols.
- After noticing the exploit, the Acala team disabled the transfer functionality of the “erroneously minted aUSD” remaining on the Acala parachain. Parachains refer to custom, project-specific blockchains that are integrated within the Polkadot and Kusama networks and can be customized for any number of use cases.
- A wallet believed to belong to the attacker still contains approximately 1.27 billion aUSD. Acala has asked white-hat hackers to return the stolen funds to Polkadot or Moonbeam addresses.
- On-chain sleuths have pointed out that the attacker who minted 1.28 billion aUSD was not the only person to take advantage of the bug – several other users allegedly stole thousands of dollars worth of DOT from the liquidity pool.
- The Twitter account @alice_und_bob estimated that the "damage" was $0 to $10 million, "likely around 1.6M USD with chance of recovery."
- Launched earlier this year, aUSD successfully held its soft peg to the U.S. dollar until the hack. After the attack, the price of aUSD plunged from roughly $1.03 per token to $0.009.
- Acala developers said Sunday night that they would continue to trace the on-chain activity to resolve the error mint of aUSD and try to restore the aUSD peg.
- Later on Monday, Acala community members created a proposal that would result in the return of all erroneously minted aUSD to the protocol and the tokens later being burnt.
- Acala did not respond to requests for comment at press time.
UPDATE (Aug. 15, 07:41 UTC): Adds clarifying information throughout.
UPDATE (Aug. 15, 13:10 UTC): Adds details about the community proposal in the seventh bullet.
UPDATE (Aug. 15, 13:10 UTC): Adds estimate of damage from Twitter user @alice_und_bob.
The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.