Acala Stablecoin aUSD Collapses After Parachain Exploit
Acala Network’s native stablecoin, aUSD, collapsed to zero on Sunday after hackers exploited a bug in a newly deployed liquidity pool to mint over 1.28 billion tokens out of thin air.
- On Sunday, Polkadot's DeFi Hub Acala Network suffered an exploit that saw its native over-collateralized stablecoin aUSD plummet to zero.
- The exploit was due to a "misconfiguration" issue in the newly launched iBTC/aUSD liquidity pool that allowed users to mint unlimited aUSD from thin air.
- After the incident, Acala immediately halted swaps and cross-chain transfers, leaving the exploiters stuck with around 99% of the erroneously minted aUSD on the parachain.
Share this article
Acala quickly put the network in maintenance mode, pausing on-chain swaps, Polkadot cross-chain communications, and oracle price feeds to keep the stolen funds from leaving the parachain.
Acala USD Depegs
Acala Network’s native stablecoin, Acala USD (aUSD), has collapsed to zero.
We have identified the issue as a misconfiguration of the iBTC/aUSD liquidity pool (which went live earlier today) that resulted in error mints of a significant amount of aUSD
— Acala (@AcalaNetwork) August 14, 2022
On Sunday, Polkadot’s decentralized finance hub, Acala Network, suffered a severe exploit that saw its native stablecoin aUSD collapse from its targeted $1 peg to effectively zero. “We have identified the issue as a misconfiguration of the iBTC/aUSD liquidity pool (which went live earlier today) that resulted in error mints of a significant amount of aUSD,” Acala said yesterday on Twitter.
According to on-chain data, one hacker erroneously minted around 1.28 billion aUSD tokens and then swapped a small fraction for Acala’s native token ACA and four other tokens. Shortly after the incident, Acala put the parachain in maintenance mode and paused swaps, cross-chain transactions, and oracle price feeds, leaving the hacker stranded with around 1.27 billion worthless aUSD tokens on the network.
The on-chain data also revealed that several other users mimicked the original hacker and exploited the bug for themselves, minting between 80 million to 25,000 aUSD each and stealing thousands of dollars from the liquidity pool. The total sum of the stolen funds is estimated to be less than $10 million, not counting the value lost in aUSD’s depeg.
Acala Network is an Ethereum-compatible Polkadot parachain—a modular and customizable independent chain built atop the Polkadot Relay Chain—that has self-branded as a specialized decentralized finance hub for Web3. Its ecosystem is centered around the MakerDAO-inspired, over-collateralized stablecoin Acala USD.
In March, Acala teamed up with Polkadot parachains to launch a $250 million ecosystem fund to support builders driving demand for aUSD. However, yesterday’s incident, which saw the stablecoin collapse to virtually zero, has raised serious concerns about the parachain’s path forward in the community.
Almost 24 hours after the incident, most Acala network functions are frozen, with few updates from the project concerning its next steps. Following the news, the network’s native token, ACA, fell by around 7%, from around $0.29 to $0.26.
Disclosure: At the time of writing, the author of this piece owned ETH and several other cryptocurrencies.