High-profile security incidents continue to be a theme in 2022 as the Acala Network joined a long list of stricken platforms to fall prey to exploits.
Acala’s aUSD token, which acts as the native stablecoin for the Polkadot and Kusama blockchains, saw its value plummet 99% after a misconfiguration of the iBTC/aUSD liquidity pool was exploited after its launch on Aug. 14. Initial estimates from Acala noted that 1.2 billion aUSD were minted without the necessary collateral - seeing the token’s value depeg from its 1:1 USD ratio to a bottom of $.01.
Acala put its network in maintenance mode to freeze funds and eventually managed to recoup a significant portion of the uncollateralized tokens. The Acala community proposed and voted on a referendum to identify and destroy the erroneously minted tokens to return its USD peg to parity at $1.
1,288,561,129 aUSD minted on 16 specific accounts were returned to the network’s honzon protocol to be burnt. Another 4,299,119 erroneously minted aUSD remaining in the iBTC/aUSD reward pool were also destroyed.
While the cryptocurrency community considers whether the Acala Network took the right decision to essentially freeze its network, the stablecoin was able to be re-pegged in a short turnaround with the community playing its role in the chosen path to undo the exploit.
Interlay, a service that allows users to wrap Bitcoin to iBTC and then use it across decentralized finance (DeFi) platforms, was drawn into the situation as the iBTC/aUSD pool was chiefly affected by the exploit. Cointelegraph reached out to Interlay to ascertain the details of the incident and lessons to be taken forward. Acala, on the other hand, refused to comment.
While investigations are still ongoing, the theory is that the misconfiguration in the iBTC/aUSD allowed an attacker to mint an erroneous amount of aUSD. This then led to fears that the attacker would buy iBTC with the illicit aUSD tokens and convert that to BTC - which would have nullified the Acala Network's ability to recoup the tokens and restore its peg.
Interlay co-founder Alexei Zamyatin told Cointelegraph that their protocol had not been compromised by the attack despite having direct exposure to the affected liquidity pools:
"Acala did use iBTC in the affected pools alongside other, non-Interlay assets, but the incident has not jeopardized Interlay as a network in any way. All system operations have been and remain fully functional."
The company's incident trace report is being constantly updated to provide more information regarding the 16 addresses that received erroneously minted rewards.
According to the update, more than 3 billion aUSD were minted and claimed by the 17 flagged liquidity provider addresses. Following the Acala community referendum, some 1.29 billion were burnt while another 1.6 billion aUSD error mints remain on these 16 addresses on the Acala parachain.