Acala ($aUSD), the Polkadot ecosystem’s stablecoin, suffered an exploit over the weekend that led to a malicious actor minting $1.2 billion out of thin air. The Acala team “paused” operations through an emergency governance proposal to investigate the issue.
On August 15, a governance proposal was submitted to “effectively burn” $1.288 billion aUSD following the release of an on-chain report from the Acala Council.
$1.2 billion of aUSD printed by a hacker in a single day and barely a peep in my timeline.
Things really feel more bearish to me than the market is pricing at this specific second.
We’ve got loads of work to do. https://t.co/HE2MGlXk0d
— Mike 🌪️as (🏌️♂️, ⛳️) (@mdudas) August 14, 2022
Acala initially notified users of the issue around 3 AM BST on August 14, stating that they were working to “mitigate the issue.” The source of the exploit was publicly reported by 1 PM BST on August 14, just 10 hours later. The announcement confirmed that over 99% of the “erroneously minted aUSD [remained] on Acala parachain.”
We have recognized the problem as a misconfiguration of the iBTC/aUSD liquidity pool (which went live earlier today) that resulted in error mints of a big quantity of aUSD
— Acala (@AcalaNetwork) August 14, 2022
In the Twitter thread that identified the exploit’s cause, Acala said that it had identified the “wallet addresses that received the erroneously minted aUSD… with on-chain activity tracing” in progress.
The misconfiguration has since been rectified and wallet addresses that received the erroneously minted aUSD have been recognized, with on-chain activity tracing in respect of these addresses underway
— Acala (@AcalaNetwork) August 14, 2022
Regarding the potential impact on the broader Polkadot ecosystem, Victor Young, the Founder and Chief Architect at Analog, commented:
“I still believe that Polkadot’s infrastructure is secure by design… the same cannot be said about Acala Network, an application-specific chain customized to power liquidity, economic activity, and stable coin utility on the platform.
In my view, we’ll continue to see more of these attacks because many dApp developers don’t put in the legwork when defining their code’s security properties. Even if the smart contract is audited, the code may not be foolproof.”
Governance framework and management
The Acala Network is committing to a community governance proposal to determine the resolution to the incident. Currently, Acala has a Governance Council containing 5 addresses.
According to the Notion roadmap for Acala, “full democracy” is still in the “planning” phase. The Phase 3 roadmap, which is almost complete, states:
“Decisions of the Acala Foundation regarding the network (runtime upgrade, improvements etc) are made transparent on-chain via voting by an appointed Acala General Council.”
Acala has also enabled an element of democracy “so that anyone can propose a referendum by depositing the minimum amount of tokens for a certain period.” However, “full democracy” is scheduled for Phase 4, which won’t be implemented until the checkpoints below have been met.
– All DeFi protocols are bootstrapped, working with high stability and security for a reasonable period of time (to ensure protocols are sound during extreme market volatility).
– The network has a sufficient amount of liquidity to power the protocols, and the liquidity is sustainable.
– Sound and transparent processes have been set up for each DeFi protocol for continuous Business-as-Usual (BAU) improvements, e.g. adding new trading pairs or new collaterals.
– Expert councilors have been identified, such as Risk Assessor, Technical Assessor, etc., to continue to ensure the safety and security of the network and protocols.
– Acala EVM is sufficiently developed with production-grade performance and safety.
Therefore, under the current governance process, the Acala Council still appears to retain outsized control of the network. While this may not be ideal for the protocol’s degree of decentralization, it could help Acala manage the resolution and “to resolve the error mint of aUSD & restore aUSD peg.”
Resolutions and options
To mitigate further risk, Acala said that “parachain native tokens have been transfer disabled,” to stop erroneous aUSD from leaving its native parachain and spreading contagion into the broader Polkadot ecosystem.
At the time of writing, aUSD is valued at $0.88 per token after it dropped to a low of $0.09. The price appears to sit between $0.90 and $0.80, still some 10% – 20% below its desired peg.
Acala posted an update on the situation on Monday morning, confirming the value of minted aUSD as $1.288 billion. The tweet included a forum post detailing the “trace results.”
Incident trace report #1: This is the first published batch of trace results. The 1.288B erroneously minted aUSD have been recognized and their transfers are disabled until a pending Acala community governance decision resolves the error.
— Acala (@AcalaNetwork) August 15, 2022
The Acala team confirmed that the information can now be used to “verify on-chain data, & formulate proposals to resolve the error mint of aUSD.”
The specific cause of the incident is timestamped in the forum post.
“2022-08-13 22:41 UTC – iBTC/aUSD pool was enacted with misconfiguration and erroneous mint started.”
The “misconfiguration” led to the aUSD being erroneously minted, and the funds were sent to several LP providers for the pool. These funds are effectively frozen at present, as Acala confirmed:
“The swapped digital assets that remain on the Acala parachain, has since been transfer disabled pending the Acala community’s collective governance decision on resolution of the error minting.”
Since the update was released, a “Referenda” proposal has been submitted. The proposal, which has no “nay” votes as of press time, aims to “effectively burn” the erroneous aUSD by returning it to the Honzon protocol.
The proposal includes the code required to transfer the funds to a pseudo-burn address and lists all of the addresses present in Acala’s findings.