Network and token freeze after Acala exploit raises questions

Published at: Aug. 15, 2022

The Acala Network’s aUSD stablecoin depegged by over 99% over the weekend and forced the Acala team to pause a hacker’s wallet, raising concerns about its claim of being decentralized.

On Aug. 14, a hacker took advantage of a bug in the iBTC/aUSD liquidity pool that resulted in 1.2 billion aUSD being minted without collateral. This event crashed the USD-pegged stablecoin to a cent, and in response, the Acala team froze the erroneously minted tokens by placing the network in maintenance mode.

The move also halted other features such as swaps, XCM (cross-chain communications on Polkadot), and the oracle pallet price feeds until “further notice.”

We have identified the issue as a misconfiguration of the iBTC/aUSD liquidity pool (which went live earlier today) that resulted in error mints of a significant amount of aUSD 1/

— Acala (@AcalaNetwork) August 14, 2022

While the move to put the network in maintenance mode and freeze funds in the hacker’s wallet may have been meant to protect users and the network from any further harm, proponents of decentralization have cried foul.

Acala is a cross-chain decentralized finance (DeFi) hub that issues the aUSD stablecoin based on the Polkadot (DOT) blockchain. aUSD is a crypto-backed stablecoin which Acala claims is censorship-resistant. iBTC is a form of wrapped Bitcoin (BTC) which can be used in DeFi protocols.

Community members have noted the irony of Acala’s claims about aUSD’s censorship-resistance since the protocol froze funds so swiftly. Twitter user Gr33nHatt3R.dot pointed out on Aug. 14 that decisions "would have to go to governance to be 'decentralized' finance."

“If Acala centrally controls that decision is this really DeFi?”

A member of the project’s Discord channel, usafmike, proposed rolling back the chain to reverse the token mints altogether, but was challenged by skylordafk.dot, another member, who said such an action would “set a harmful precedent.”

As of the time of writing, the network was still in maintenance mode to block all token transfers, but the team confirmed that the bug had been fixed. The wallets that received erroneously minted aUSD have been identified, and 99% of them were still on Acala, which leaves the possibility that they may be retrieved by the community if it votes to do so.


The Acala exploit is the second major one in a week: Curve Finance (CRV) experienced an attack on its front end on Aug. 9 that directed users to approve a malicious contract. Acala’s problem differs from Curve’s in that the latter’s pools were not compromised; users who interacted directly with its smart contracts experienced no issues.

aUSD is the latest stablecoin to lose its peg in the past few months, starting notoriously with Terra USD (UST) in May, which has since been renamed to Terra Classic USD (USTC). Other notable depegs include Tether (USDT) and Dei (DEI).
