- Hackers exploited a misconfiguration in the newly launched iBTC/aUSD liquidity pool.
- Acala network joins the list of platforms to fall prey to exploits.
Since the beginning of this year, there have been a lot of high-profile security incidents in the crypto and blockchain space. The Acala network is the latest to join the list of platforms exploited by hackers. The value of the network’s stablecoin (aUSD token) dropped by 99 percent following an exploit on its newly launched liquidity pool (iBTC/aUSD) on Sunday.
This aUSD is also the native stablecoin for Kusama and Polkdadot blockchains. Hackers were able to exploit a misconfiguration in the iBTC/aUSD pool to carry out their actions. Early reports estimate a minting of 1.2 billion aUSD tokens from the Acala network without the appropriate collateral. Hence, the stablecoin lost its peg to trade at $0.01.
Acala recovered a vast portion of its uncollateralized tokens after freezing funds by putting its network in maintenance mode. However, the Acala community passed a proposal to identify and destroy the minted tokens. The community believes the move will enable the aUSD to reclaim its USD peg.
A community governance referendum has been proposed and passed. At block 1652829 in approx. 35 minutes, 1,292,860,248 total erroneously minted aUSD will be returned to the honzon protocol and will be burned.
Details in thread below:
— Acala (@AcalaNetwork) August 16, 2022
Reclaiming the peg
The network recovered 1,292,860,248 aUSD tokens from 16 accounts and has returned these tokens to the horizon protocol, where they would be burnt. Also, the network destroyed another 4,299,119 aUSD tokens. These tokens were also minted erroneously but left in the iBTC/aUSD reward pool. While the Acala community was still considering whether the network’s decision to freeze transactions was right, the aUSD reclaimed its USD peg within a short period.
The community played an important role in counteracting the effect of the exploit. It is worth noting that Acala hired the services of interlay over the matter because the exploit majorly affected the iBTC/aUSD pool. Interlay is a service that enables users to wrap bitcoin to iBTC and use it across various DeFi platforms.
Even though investigations about the incident are still ongoing, the current explanation is that an attacker minted massive amounts of aUSD due to a misconfiguration in the iBTC/aUSD liquidity pool. Hence, Acala feared the hacker would purchase iBTC using the illegally minted aUSD tokens and convert them to BTC.
If the attacker had done that, the Acala network wouldn’t have been able to recover the aUSD tokens or restore its USD peg. However, Alexei Zamyatin, interlay co-founder, revealed that the protocol wasn’t compromised in the incident even though it had direct exposure to the affected liquidity pools. Zamyatin confirms that all of interlay’s system remains fully operational.
Update on aUSD issue:
As far as our current investigation shows, *the Interlay parachain is NOT directly affected*
What we know so far: Thread 👇
— Interlay #iBTC (@InterlayHQ) August 14, 2022
Acala continues to update its incident trace report to offer newer details about the addresses that received the minted tokens. The latest update showed that 17 flagged liquidity provider addresses claimed over three billion minted aUSD tokens. Following the vote by the Acala community members, the network has burned about 1.29 billion aUSD tokens. However, a separate 1.6 billion minted tokens are still left with 16 addresses on the Acala para-chain.