Polkadot: Acala’s iBTC/aUSD Liquidity Pool Bug Exploited by Hackers


On August 14, 2022, hackers exploited a loophole in Acala’s newly created iBTC/aUSD liquidity pool to steal millions of dollars' worth of tokens, causing the aUSD stablecoin to lose its peg to the USD. The Acala team has since disabled the token transfer feature on the platform, amid mixed reactions and criticism from proponents of decentralization.

Polkadot’s Acala DeFi Platform Exploited

Acala Network, the decentralized finance (DeFi) hub of the Polkadot ecosystem, is the latest blockchain protocol to get exploited by bad actors. 

On August 14, 2022, the Acala team took to Twitter to reveal that it had discovered a configuration bug in its Honzon protocol and was making plans to fix the issue.

“We have noticed a configuration issue of the Honzon protocol which affects aUSD. We are passing an urgent vote to pause operations on Acala, while we investigate and mitigate the issue. We will report back as we return to normal network operation,” tweeted Acala.

However, the Acala team did not resolve the issue in time, and several hackers took advantage of the loophole to steal at least 1 billion aUSD, the native stablecoin of the Acala Network.

According to a tweet by @alice_und_bob, several users of the Acala protocol profited from the situation, with some bots successfully transferring a few of the erroneously minted aUSD out of Acala. 

“While all the attention was on the one user who minted 1.2 billion $aUSD, at the same time, a handful of other users exploited the situation by (a) sending $aUSD to Moonbeam, (b) swapping for $DOT and sending it to Polkadot, (c) swapping for $iBTC and sending it to Interlay,” he noted.

The attack has made the aUSD stablecoin lose its peg with the U.S. dollar, trading at $0.009 at the time of writing.

aUSD Transfers Halted

Per an update released by the Acala team on August 15, 2022, it has successfully identified the wallets holding a total of 1.288 billion ‘erroneously’ minted aUSD stablecoins and has disabled the token transfer function “until a pending Acala community governance decision resolves the error.”  

Acala has urged its community members to use all available information about the exploit to formulate governance proposals that resolve the issue, and has made it clear that it is collaborating with its “partners and contributors to trace outflows of erroneously minted aUSD related transactions.”

The team has urged recipients of the erroneously minted aUSD, as well as those who swapped the stablecoin for other tokens, to return the funds to the addresses below:

Polkadot (DOT): 13YMK2eYoAvStnzReuxBjMrAvPXmmdsURwZvc62PrdXimbNy

Moonbeam: 0x7369626cd0070000000000000000000000000000

Indeed, this incident has once again highlighted the importance of thorough auditing and testing before launching DeFi solutions. Hacks and heists continue to be a major drawback for blockchain protocols and the industry will only see complete mainstream adoption if these scenarios become a thing of the past.

At press time, Polkadot’s native DOT token is the 11th-largest cryptocurrency in the world. The price of DOT is hovering around $8.88, with a market cap of $9.80 billion.

Ogwu Osaemezu Emmanuel
