Hacker leverages Acala bug, issues 1.28 billion faulty aUSD coins

The Trust Project is a worldwide group of news organizations working to establish transparency standards.

aUSD. Image by sockur

At least one hacker exploited a bug in the liquidity pool supporting the Acala Network’s aUSD stablecoin, minting 1.28 billion coins without collateral and forcing the cryptocurrency off its dollar peg for a beat. Developers behind the native cryptocurrency driving DeFi on Polkadot and its sandbox Kusama acted fast to save their stablecoin, though not without raising a few eyebrows.

At the situation’s most dire on Sunday, the value of aUSD plummeted to $0.0099. Now, the coin has almost fully recovered–trading just over $0.96 at the time of writing. 

“0xTaylor_ first noticed the attack and tweeted that the hacker exploited a bug in the iBTC/AUSD pool,” Be In Crypto reported on August 14. “The hacker linked an Ethereum account to Acala, and the address was funded from Binance.” 

Independent detectives exposed that several additional users leveraged the bug to ransack thousands of dollars in DOT from the liquidity pool. Acala took to Twitter, quickly acknowledging the issue.

“Based on preliminary on-chain tracing, 99%+ of the erroneously minted aUSD remain on Acala parachain,” they wrote, “with a small proportion of erroneously minted aUSD being swapped for ACA and other tokens on Acala parachain.” They traced the bulk of faulty coins to this wallet. On Twitter, Acala requested the assistance of white hat, or ethical, hackers. 

Acala responded to the emergency by sending their network into maintenance mode and pausing the purported hacker’s wallet. They also halted features “such as swaps, xcm (cross-chain communications on Polkadot), and the oracle pallet price feeds until ‘further notice,’” per Cointelegraph

When Acala launched aUSD in February 2022, they touted the currency’s reliability and censorship resistance. The coin has maintained its soft dollar peg since the start, but Twitter user Gr33nHatt3R.dot scrutinized Acala’s decision to shut down and freeze accounts following the exploit.

“If Acala centrally controls that decision, is this really DeFi?”

This morning, Alcala took it to governance, issuing a proposal to “help resolve the error mint, restore aUSD peg, and resume Acala operations.” Community members are voting whether the 16 accounts that 1.28 billion coins have been traced to should return the crypto to be burnt and whether the crypto left in the pool should blaze too. 

The discussion has been light and in mostly good spirits–some members even thanked the team for their diligent effort. “We will come out this stronger all while showing to the world the value of on-chain governance,” xiacachen wrote. Others, though fewer, expressed frustrations. 

“I’m very disappointed with how Acala team failed to ask people not to buy and trade fake-minted aUSD and didn’t ask Kucoin to stop trading aUSD,” wrote Sharpy. “Also, ability to ever print aUSD money from anything other than collateral should be removed forever.” 

Via Acala.

Ringleader bette7 wrote back: “Deposit & withdraw of aUSD has already been stopped by Kucoin, and they are unable to stop aUSD trading.” Regarding the bug, they added, “this was a well-intended feature that introduced a loop-hole allowing misconfig to exploit the system. we will add an additional failover mechanism as well, as no code would be perfect, and error would always exist; this is also way we implemented the ability to pause specific operations on-chain.”

Acala’s hack arrives just two days after founder Bryan Chen talked with Benzinga about a Solana wallet hack. “This is a private key leaking issue instead of a smart contract or protocol bug,” Chen said of Solana. The Acala exploit two days later was a smart contract bug. 

In Benzinga, Chen extolled the value of open source code, which allows “everyone, including security researchers and users, to examine the application’s source code to check if it is secure.” 

But while the Acala crisis raged, Analog founder Victor Young told Cryptopotato: “Even if the smart contract is audited, the code may not be foolproof. In this regard, developers and QA experts need to continuously evaluate to ensure the code achieves its objectives.”

The Acala bug may have been a hiccup, but extra eyes are always best.

“People need to question any closed source project that is claiming to be decentralized because that’s simply impossible,” Chen continued. 

Interestingly, Acala’s own ethical commitment to decentralization has come into question so quickly. Their episode unfolded shortly after the Curve Financial attack on August 9–which Binance has nearly recovered all funds from–and the DAI destabilization instigated by Tornado Cash sanction on August 8. 

Someone check the on the moon because this seems like a celestial do or die time for central questions underpinning DeFi.

Read related posts:


Any data, text, or other content on this page is provided as general market information and not as investment advice. Past performance is not necessarily an indicator of future results.

Vittoria Benzine

Vittoria Benzine is a Brooklyn-based art writer and personal essayist covering contemporary art with a focus on human contexts, counterculture, and chaos magic. She contributes to Maxim, Hyperallergic, Brooklyn Magazine, and more.

Follow Author

More Articles
© Metaverse Post 2022