Acala submits governance proposal to burn $1.28B aUSD following investigation of exploit

2 years ago

Polkadot ecosystem’s stablecoin Acala ($aUSD) suffered an exploit over the weekend that led to a malicious actor minting $1.2 billion out of thin air. The Acala team “paused” operations via an emergency governance proposal to analyse the issue.

On August 15, a governance proposal was submitted to “effectively burn” $1.288 billion aUSD following the release of an on-chain report from the Acala Council.

$1.2 billion of aUSD printed by a hacker overnight and hardly a peep in my timeline.

Things feel more bearish to me than the market is pricing at this particular moment.

We’ve got a lot of work to do. https://t.co/HE2MGlXk0d

— Mike 🌪as (🏌️‍♂️, ⛳) (@mdudas) August 14, 2022

Acala initially notified users of the issue around 3 AM BST on August 14, stating that they were working to “mitigate the issue.” The root of the exploit was publicly reported by 1 PM BST on August 14, just 10 hours later. The announcement confirmed that over 99% of the “erroneously minted aUSD [remained] on Acala parachain.”

We have identified the issue as a misconfiguration of the iBTC/aUSD liquidity pool (which went live earlier today) that resulted in error mints of a significant amount of aUSD
1/

— Acala (@AcalaNetwork) August 14, 2022

Within the Twitter thread that identified the exploit’s cause, Acala stated that it had identified the “wallet addresses that received the erroneously minted aUSD… with on-chain activity tracing” in progress.

The misconfiguration has since been rectified and wallet addresses that received the erroneously minted aUSD have been identified, with on-chain activity tracing in respect of these addresses underway
2/

— Acala (@AcalaNetwork) August 14, 2022

Regarding the potential impact on the broader Polkadot ecosystem, Victor Young, the Founder and Chief Architect at Analog, commented that

“I still believe that Polkadot’s infrastructure is secure by design… the same cannot be said about Acala Network, an application-specific chain customized to power liquidity, economic activity, and stable coin utility on the platform.

In my view, we’ll continue to see more of these attacks because many dApp developers don’t put in the legwork when defining their code’s security properties. Even if the smart contract is audited, the code may not be foolproof.”

Governance model and leadership

The Acala Network is committing to a community governance proposal to determine the resolution to the incident. Currently, Acala has a Governance Council containing 5 addresses.

According to the Notion roadmap for Acala, “full democracy” is still in the “planning” phase. The Phase 3 roadmap, which is almost complete, states:

“Decisions of the Acala Foundation regarding the network (runtime upgrade, improvements etc) are made transparent on-chain via voting by an appointed Acala General Council.”

Acala has also enabled an element of democracy “so that anyone can propose a referendum by depositing the minimum amount of tokens for a certain period.” However, “full democracy” is scheduled for Phase 4, which will not be implemented until the below checkpoints have been met.

– All DeFi protocols are bootstrapped, running with high stability and security for a reasonable period of time (to ensure protocols are dependable during high market volatility.)

– The network has a sufficient amount of liquidity to power the protocols, and the liquidity is sustainable.

– Sound and transparent processes have been set up for each DeFi protocol for continuous Business-as-Usual (BAU) improvements, e.g. adding new trading pairs or new collaterals.

– Expert councilors have been identified such as Risk Assessor, Technical Assessor etc. to continue to ensure the safety and security of the network and protocols.

– Acala EVM is sufficiently developed with production-grade functionality and security.

Therefore, according to the current governance process, the Acala Council still appears to hold outsized network control. While this may not be great for the decentralized nature of the protocol, it may assist Acala in resolution management and “to resolve the error mint of aUSD & restore aUSD peg.”

Resolutions and solutions

To mitigate further risk, Acala stated that “parachain native tokens have been transfer disabled,” thus stopping erroneous aUSD from leaving its native parachain and spreading contagion into the broader Polkadot ecosystem.

At the time of writing, aUSD is valued at $0.88 per token after it dropped to a low of $0.09. The peg appears to be between $0.90 and $0.80, still some 10% – 20% below its desired peg.

aUSD (Source: TradingView)

Acala posted an update to the situation on Monday morning, confirming the value of minted aUSD as $1.288 billion. The tweet included a forum post detailing the “trace results.”

Incident trace report #1: This is the 1st published batch of trace results. The 1.288B erroneously minted aUSD have been identified and their transfers are disabled until a pending Acala community governance decision resolves the error.

Thread below: https://t.co/KazsYLxzqK

— Acala (@AcalaNetwork) August 15, 2022

The Acala team confirmed that the information can now be used to “verify on-chain data, & formulate proposals to resolve the error mint of aUSD.”

The specific cause of the incident is timestamped in the forum post.

“2022-08-13 22:41 UTC – iBTC/aUSD pool was enacted with misconfiguration and erroneous mint started.”

The “misconfiguration” led to the aUSD being erroneously minted, and the funds were sent to several LP providers for the pool. These funds have been effectively frozen at present, as Acala confirmed:

“The swapped digital assets that remain on the Acala parachain have since been transfer disabled pending the Acala community’s collective governance decision on resolution of the error minting.”

Since the update was released, a “Referenda” proposal has been submitted. The proposal, which has no “nay” votes as of press time, aims to “effectively burn” the erroneous aUSD by returning it to the Honzon protocol.

The proposal includes the code required to move the funds to a pseudo-burn address and lists all the addresses present in Acala’s findings.

The post Acala submits governance proposal to burn $1.28B aUSD following investigation of exploit appeared first on CryptoSlate.