High-profile security incidents continue to be a theme in 2022 as the Acala Network joined a long list of stricken platforms to fall prey to exploits.
Acala’s aUSD token, which acts as the native stablecoin for the Polkadot and Kusama blockchains, saw its value plummet 99% after a misconfiguration of the iBTC/aUSD liquidity pool was exploited after its launch on Aug. 14. Initial estimates from Acala noted that 1.2 billion aUSD were minted without the necessary collateral – seeing the token’s value depeg from its 1:1 USD ratio to a bottom of $.01.
Acala put its network in maintenance mode to freeze funds and eventually managed to recoup a significant portion of the uncollateralized tokens. The Acala community proposed and voted on a referendum to identify and destroy the erroneously minted tokens to return its USD peg to parity at $1.
A community governance referendum has been proposed and passed. At block 1652829 in approx. 35 minutes, 1,292,860,248 total erroneously minted aUSD will be returned to the honzon protocol and will be burned.
Details in thread below:
— Acala (@AcalaNetwork) August 16, 2022
1,288,561,129 aUSD minted on 16 specific accounts were returned to the network’s honzon protocol to be burnt. Another 4,299,119 erroneously minted aUSD remaining in the iBTC/aUSD reward pool were also destroyed.
While the cryptocurrency community considers whether the Acala Network took the right decision to essentially freeze its network, the stablecoin was able to be re-pegged in a short turnaround with the community playing its role in the chosen path to undo the exploit.
1/ We’re aware of the issue concerning the aUSD depeg, the iBTC / aUSD pool included.
Interlay is following Acala’s investigation into this issue and also looking to see if and in what manner iBTC and user’s funds are affected.
— Interlay #iBTC (@InterlayHQ) August 14, 2022
Interlay, a service that allows users to wrap Bitcoin to iBTC and then use it across decentralized finance (DeFi) platforms, was drawn into the situation as the iBTC/aUSD pool was chiefly affected by the exploit. Cointelegraph reached out to Interlay to ascertain the details of the incident and lessons to be taken forward. Acala, on the other hand, refused to comment.
While investigations are still ongoing, the theory is that the misconfiguration in the iBTC/aUSD allowed an attacker to mint an erroneous amount of aUSD. This then led to fears that the attacker would buy iBTC with the illicit aUSD tokens and convert that to BTC – which would have nullified the Acala Network’s ability to recoup the tokens and restore its peg.
Interlay co-founder Alexei Zamyatin told Cointelegraph that their protocol had not been compromised by the attack despite having direct exposure to the affected liquidity pools:
“Acala did use iBTC in the affected pools alongside other, non-Interlay assets, but the incident has not jeopardized Interlay as a network in any way. All system operations have been and remain fully functional.”
The company’s incident trace report is being constantly updated to provide more information regarding the 16 addresses that received erroneously minted rewards.
2nd batch trace results + summary below. A total 3.022B aUSD error mints were claimed by 16 addresses. Acala referendum #21 burned ~1.292B. 1.682B aUSD error mints in iBTC/aUSD LP tokens, obtained after the incident happened, remain on 16 Acala addresses. https://t.co/8MTBinhrVP
— Acala (@AcalaNetwork) August 17, 2022
According to the update, more than 3 billion aUSD were minted and claimed by the 17 flagged liquidity provider addresses. Following the Acala community referendum, some 1.29 billion were burnt while another 1.6 billion aUSD error mints remain on these 16 addresses on the Acala parachain.