Acala’s stablecoin falls by 95% as a result of an exploit

What’s new? On August 14, Acala, a DeFi platform, was subjected to a hacker attack, after which the stablecoin Acala Dollar (aUSD) lost its peg to the US dollar. The rate of stablecoin collapsed by 95%, from $1,02 to $0,05. As of August 15, 11:30 UTC, the value of the asset rose to $0,87, according to crypto exchange Binance.

We have noticed a configuration issue of the Honzon protocol which affects aUSD. We are passing an urgent vote to pause operations on Acala, while we investigate and mitigate the issue. We will report back as we return to normal network operation.— Acala (@AcalaNetwork) August 14, 2022

More details about the exploit. On August 14, the Acala team reported a problem with the Honzon protocol configuration affecting aUSD. It was decided to hold an urgent vote to suspend operations on Acala while the problem is investigated and resolved.

On the same day, developers determined that the problem was a misconfiguration of the iBTC/aUSD liquidity pool (which was launched on August 14), which allowed attackers to issue 1,27 billion of the project’s stablecoin, according to Watcher Guru. This amount represents more than 99% of the issued aUSD.

JUST IN: Hackers printed 1.2 billion $AUSD on the Acala Network through an exploit.— Watcher.Guru (@WatcherGuru) August 14, 2022

Developers identified the address of the wallet that received stablecoins. The ability to transfer them has been disabled.

Pending Acala community collective governance decision on resolution of the error minting, these errorneously minted aUSD remaining on Acala parachain along with these swapped Acala parachain native tokens have been transfer disabled.4/— Acala (@AcalaNetwork) August 14, 2022

Acala is a DeFi smart contract platform compatible with the Ethereum Virtual Machine (EVM) that operates as a Polkadot parachain. It has built-in decentralized finance protocols that application developers can use.

On August 9, hackers stole about 327 ETH (~$570 000 at the time of the hack) from the Curve.Finance DeFi protocol. Developers assured that the vulnerability was discovered and fixed. Citing investigative report results, they noted that the hack was due to DNS cache “poisoning.” Binance later froze the $450 000 stolen from Curve.