aUSD token loses dollar peg after hackers exploit vulnerability in the smart contract code
Another hack has hit DeFi and another stablecoin has fallen through the floor. But the attack on the Acala Network on August 14th has not resulted in millions of angry customers and a worthless token jangling in people’s wallets. Strong leadership appears to navigated this crisis well. And it’s a good example of decentralized decision-making at its best.
- As things stand, experts believe the hackers stole only $1.6 million in the attack.
- After hearing about the hack, the Acala leadership immediately halted swaps and transfers from the affected parachain.
- The aUSD stablecoin has recovered nearly all of its value after it fell by more than 99%. But Acala and its token are not necessarily out of the woods yet.
Acala is a Polkadot-based DeFi platform that launched its own aUSD stablecoin earlier this year. Following the hack, online blockchain detectives calculated the overall damage to be in the region of $1.6 million, not including the drop in the price of aUSD.
Though this figure is relatively low in the scheme of the DeFi market, the losses could have been much higher. And the effect it will have on people’s already-wavering confidence in stablecoins could have long-lasting consequences for the future of the technology.
Hackers found a bug in liquidity pool code
Acala announced that ‘a misconfiguration of the iBTC/aUSD liquidity pool (which went live on August 14) resulted in error mints of a significant amount of aUSD’. This means hackers identified a vulnerability in the code controlling the liquidity pool (LP) and used it to create 1.28 billion dollar-pegged stablecoins.
LPs are reservoirs of piled cryptocurrency locked away in smart contracts that make swapping tokens on decentralized exchanges (DEX), in this case aUSD and iBTC, a seamless process. Hackers found an error in these smart contracts, minted billions of new aUSD tokens, and then swapped them out for Acala’s native token ACA.
One single person, or group, unscrupulously minted nearly all of the 1.28 million aUSD before quickly swapping a small portion of it for ACA and four other tokens. A few copycats also took advantage of the vulnerability and each made off with between 80 million and 25,000 aUSD each.
Acala quickly put a stop to any more aUSD trading by putting the LP parachain into maintenance mode and disabling transfer functionality. Parachains are project-specific blockchains that connect to a blockchain mainnet. Holders of the ill-gotten aUSD effectively had billions of useless tokens in their wallets.
But this didn’t stop the price of aUSD from tanking. The value of the stablecoin dropped by more than 99%. It went from the $1.03 mark to $0.009, as tokens flooded the market with supply.
Fortunately for the Acala Network, its community and the price of its stablecoin, quick decisions were made and things are already on the road to recovery.
Acala responded quickly
Once the Acala team froze all activity trading in and out of the LP, they took the following actions to shore up their ecosystem:
- They traced on-chain activity to see which wallet the erroneously minted aUSD was transferred to.
- The team put forward a proposal to burn the aUSD created by the hackers. The community passed this governance referendum and 1,292,860,248 incorrectly minted tokens have been returned to source and burned.
This episode has presented us with the good and bad sides of decentralized finance. With billions of dollars worth of assets online, it only takes one person in the world to spot an error and accounts can be emptied of funds. Humans write smart contracts and computer, which makes them both liable to human error.
On the flip side, the self-governing community came together to make a decision that helped rescue the value of their investment.
Where are we now?
After tanking to nearly zero, the price of aUSD has recovered to just under $0.92. Clearly this is still some way off being properly pegged to the US dollar, but it’s also a much more positive price than it was yesterday.
Obvious concerns still exist, and the community will want to see Acala take more action to ensure this sort of thing cannot happen again. But the swift handling of the situation has helped renew confidence in the Acala leadership.
That Acala appears to have resolved the issue in less than 48 hours is a positive sign for the future of the network. It’s also a much-needed feel good story for DeFi and stablecoins after the Luna and Celsius crises rocked the industry this year.
There are still concerns though. People are now asking questions about the Polkadot network’s safety and security protocols. The issue of what true decentralization means has also reared its head again. If Acala can block asset swaps and transfers, is their network a fully distributed one? We will see how these conversations play out in time.