Network and token freeze after Acala exploit raises questions
The Acala Network’s aUSD stablecoin depegged by over 99% over the weekend and forced the Acala team to pause a hacker’s wallet, raising concerns about its claim of being decentralized.
On Aug. 14, a hacker took advantage of a bug on the iBTC/aUSD liquidity pool which resulted in 1.2 billion aUSD being minted without collateral. This event crashed the USD-pegged stablecoin to a cent, and in response, the Acala team froze the erroneously minted tokens by placing the network in maintenance mode.
The move also halted other features such as swaps, xcm (cross-chain communications on Polkadot), and the oracle pallet price feeds until “further notice”
We have identified the issue as a misconfiguration of the iBTC/aUSD liquidity pool (which went live earlier today) that resulted in error mints of a significant amount of aUSD
— Acala (@AcalaNetwork) August 14, 2022
While the move to put the network in maintenance mode and freeze funds in the hacker’s wallet may have been meant to protect users and the network from any further harm, proponents of decentralization have cried foul.
Acala is a cross-chain decentralized finance (DeFi) hub that issues the aUSD stablecoin based on the Polkadot (DOT) blockchain. aUSD is a crypto-backed stablecoin which Acala claims is censorship-resistant. iBTC is a form of wrapped Bitcoin (BTC) which can be used in DeFi protocols.
Community members have noted the irony of Acala’s claims about aUSD’s censorship-resistance since the protocol froze funds so swiftly. Twitter user Gr33nHatt3R.dot pointed out on Aug. 14 that decisions “would have to go to governance to be ‘decentralized’ finance.”
“If Acala centrally controls that decision is this really DeFi?”
A member of the project’s Discord channel usafmike proposed rolling back the chain to reverse the token mints altogether, but was challenged by skylordafk.dot, another member who said such an action would “set a harmful precedent.”
As of the time of writing, the network was still in maintenance mode to block all token transfers, but the team confirmed that the bug had been fixed. The wallets that received erroneously minted aUSD have been identified, and 99% of them were still on Acala which leaves the possibility that they may be retrieved by the community if it votes to do so.
The Acala exploit is the second major one in a week as Curve Finance (CRV) experienced an attack on its front end on Aug. 9 which directed users to approve a malicious contract. Acala’s problem differs from Curve’s as the latter’s pools were not compromised as users who directly interacted with its smart contracts experienced no issues.
aUSD is the latest stablecoin to lose its peg in the past few months, starting notoriously with Terra USD (UST) in May, which has since been renamed to Terra Classic USD (USTC). Other notable depegs include Tether (USDT) and Dei (DEI).