Acala Network’s aUSD Stablecoin Falls 99% After Exploit

  • A bug in Acala Network’s newly launched iBTC/aUSD liquidity pool allowed an attacker to mint close to 1.3 billion aUSD tokens, causing its price to drop by 99%.
  • The protocol’s team quickly put the network in maintenance mode, freezing the funds in the attacker’s wallet, and is now discussing ways to restore aUSD’s peg to the U.S. dollar.
hacked

Shutterstock

The native stablecoin of decentralized finance (DeFi) platform Acala Network, aUSD, dropped in price by 99% after an attacker exploited a bug in a newly launched liquidity pool and minted almost 1.3 billion tokens.

The Acala team revealed on 14 August that there was a configuration issue with the Honzon protocol that affected aUSD, and that they were “passing an urgent vote to pause operations on Acala” while the issue was investigated. The move has paused several features — such as token swaps, xcm, oracle pallet price feeds, and other — until further notice.

Shortly after, Acala noted that a hacker had taken advantage of a bug on the newly launched iBTC/aUSD liquidity pool, with blockchain data showing he was able to mint close to 1.3 billion aUSD tokens without collateral, which caused the price of the stablecoin to crash by 99%.

The Acala team has already confirmed that the bug had been fixed and the wallet addresses connected to the attack identified. Preliminary on-chain tracing has shown that 99% of the “erroneously minted aUSD” have remained on the Acala parachain, and that only a small portion of the tokens have been swapped for ACA and other tokens on the Acala parachain.

The team behind the project has already shared an incident trace report with the community as to “facilitate formulation of community proposal & decision making” to resolve the issue, and restore aUSD’s peg to the U.S. dollar.

Discussion
Related Coverage
Acala Recovers Majority of Erroneously Minted Tokens
  • The platform has so far recovered around 2.97 billion aUSD tokens from the 16 addresses that exploited a bug in its smart contracts.
  • The recovery was possible as 99% of the stablecoin’s “error mints” remained on Acala’s Polkadot parachain after the network was put in maintenance mode.
August 18, 2022, 11:22 AM
recovery

Shutterstock

Curve Finance Finds and Resolves Site Exploit
  • The DeFi platform told its users it had “found and reverted” a frontend exploit only an hour after it was first reported.
  • The attacker apparently used a DNS spoofing attack to clone curve.fi’s website, and redirect the DNS points to his IP address.
Slope Wallet Likely Tied to Solana’s Exploit
  • Solana developers claimed an investigation found no evidence that the protocol or its cryptography were compromised in the widespread exploit.
  • The investigation, however, discovered that the affected wallets were either “created, imported, or used” in Slope’s mobile app at one point in time.