DeFi Platform Acala’s Stablecoin Falls 99% After Hackers Issue 1.3B Tokens

Polkadot-based decentralized finance (DeFi) platform Acala’s native stablecoin, aUSD, depegged on Sunday, plummeting 99% after hackers exploited a bug in a newly deployed liquidity pool to mint 1.28 billion tokens.

• Acala developers said the bug was caused by a misconfiguration of the iBTC/aUSD liquidity pool shortly after it went live on Sunday. A liquidity pool is a digital pile of cryptocurrency locked in a smart contract, which results in creating liquidity for faster transactions on decentralized exchanges (DEX) and DeFi protocols.
• After noticing the exploit, the Acala team disabled the transfer functionality of the “erroneously minted aUSD” remaining on the Acala parachain. Parachains refer to custom, project-specific blockchains that are integrated within the Polkadot and Kusama networks and can be customized for any number of use cases.
• A wallet believed to belong to the attacker still contains approximately 1.27 billion aUSD. Acala has asked white-hat hackers to return the stolen funds to Polkadot or Moonbeam addresses.
• On-chain sleuths have pointed out that the attacker who minted 1.28 billion aUSD was not the only person to take advantage of the bug – several other users allegedly stole thousands of dollars worth of DOT from the liquidity pool.
• The Twitter account @alice_und_bob estimated that the "damage" was $0 to $10 million, "likely around 1.6M USD with chance of recovery."
• Launched earlier this year, aUSD successfully held its soft peg to the U.S. dollar until the hack. After the attack, the price of aUSD plunged from roughly $1.03 per token to $0.009.
• Acala developers said Sunday night that would continue to trace the on-chain activity to resolve the error mint of aUSD and try to restore aUSD peg.
• Later on Monday, Acala community members created a proposal that would result in the return of all erroneously minted aUSD to the protocol and the tokens later being burnt.
• Acala did not return requests for comments at press time.

Read more: Acala, VCs Commit $250M for Polkadot DeFi Investments

Read more: Polkadot-Based Acala Raises $7M as DeFi Grabs Land on Another Blockchain

UPDATE (Aug. 15, 07:41 UTC): Adds clarifying information throughout.

UPDATE (Aug. 15, 13:10 UTC): Adds details about the community proposal in the seventh bullet.

UPDATE (Aug. 15, 13:10 UTC): Adds estimate of damage from Twitter user @alice_und_bob.