High-profile security incidents continue to be a theme in 2022, with the Acala network joining a long list of stricken platforms to fall prey to exploits.
The Acala USD (aUSD) token, which acts as a native stablecoin for the Polkadot and Kusama blockchains, saw its value plummet 99% after a misconfiguration of the iBTC/aUSD liquidity pool was exploited after its launch on Sunday. Initial estimates from Acala noted that 1.2 billion aUSD was minted without the necessary collateral, seeing the token’s value depeg from its 1:1 peg with the U.S. dollar to a bottom of $0.01.
Acala put its network in maintenance mode to freeze funds and eventually managed to recoup a significant portion of the uncollateralized tokens. The Acala community proposed and voted on a referendum to identify and destroy the erroneously minted tokens to return its dollar peg to parity at $1.
A community governance referendum has been proposed and passed. At block 1652829 in approx. 35 minutes, 1,292,860,248 total erroneously minted aUSD will be returned to the honzon protocol and will be burned.— Acala (@AcalaNetwork) August 16, 2022
Details in thread below:
1,288,561,129 aUSD minted on 16 different accounts was returned to the network’s Honzon protocol to be burned. Another 4,299,119 erroneously minted aUSD remaining in the iBTC/aUSD reward pool was also destroyed.
While the cryptocurrency community considers whether the Acala Network took the right decision to essentially freeze its network, the stablecoin was able to be repegged in a short turnaround, with the community playing its role in the chosen path to undo the exploit.
1/ We’re aware of the issue concerning the aUSD depeg, the iBTC / aUSD pool included.— Interlay #iBTC (@InterlayHQ) August 14, 2022
Interlay is following Acala's investigation into this issue and also looking to see if and in what manner iBTC and user's funds are affected.
Interlay, a service that allows users to wrap Bitcoin (BTC) to iBTC and then use it across decentralized finance platforms, was drawn into the situation, as the iBTC/aUSD pool was chiefly affected by the exploit. Cointelegraph reached out to Interlay to ascertain the details of the incident and lessons to be taken forward. Acala, on the other hand, refused to comment.
While investigations are still ongoing, the theory is that the misconfiguration in the iBTC/aUSD pool allowed an attacker to mint an erroneous amount of aUSD. This then led to fears that the attacker would buy iBTC with the illicit aUSD tokens and convert that to BTC — which would have nullified Acala’s ability to recoup the tokens and restore its peg.
Interlay co-founder Alexei Zamyatin told Cointelegraph that the attack did not compromise the protocol despite having direct exposure to the affected liquidity pools:
“Acala did use iBTC in the affected pools alongside other non-Interlay assets, but the incident has not jeopardized Interlay as a network in any way. All system operations have been and remain fully functional."
The company’s incident trace report is being constantly updated to provide more information regarding the 16 addresses that received erroneously minted rewards.
2nd batch trace results + summary below. A total 3.022B aUSD error mints were claimed by 16 addresses. Acala referendum #21 burned ~1.292B. 1.682B aUSD error mints in iBTC/aUSD LP tokens, obtained after the incident happened, remain on 16 Acala addresses. https://t.co/8MTBinhrVP— Acala (@AcalaNetwork) August 17, 2022
According to the update, more than 3 billion aUSD was minted and claimed by the 17 flagged liquidity provider addresses. Following the Acala community referendum, some 1.29 billion was burned while another 1.6 billion aUSD minted in error remains on these 16 addresses on the Acala parachain.