Polkadot-based decentralized finance (DeFi) platform Acala’s native stablecoin, aUSD, depegged on Sunday, plummeting 99% after hackers exploited a bug in a newly deployed liquidity pool to mint 1.28 billion tokens.
Acala developers said the bug was caused by a misconfiguration of the iBTC/aUSD liquidity pool shortly after it went live on Sunday. A liquidity pool is a digital pile of cryptocurrency locked in a smart contract, which results in creating liquidity for faster transactions on decentralized exchanges (DEX) and DeFi protocols.
After noticing the exploit, the Acala team disabled the transfer functionality of the “erroneously minted aUSD” remaining on the Acala parachain. Parachains refer to custom, project-specific blockchains that are integrated within the Polkadot and Kusama networks and can be customized for any number of use cases.
On-chain sleuths have pointed out that the attacker who minted 1.28 billion aUSD was not the only person to take advantage of the bug – several other users allegedly stole thousands of dollars worth of DOT from the liquidity pool.
The Twitter account @alice_und_bob estimated that the "damage" was $0 to $10 million, "likely around 1.6M USD with chance of recovery."
Launched earlier this year, aUSD successfully held its soft peg to the U.S. dollar until the hack. After the attack, the price of aUSD plunged from roughly $1.03 per token to $0.009.
Acala developers said Sunday night that would continue to trace the on-chain activity to resolve the error mint of aUSD and try to restore aUSD peg.
Later on Monday, Acala community members created a proposal that would result in the return of all erroneously minted aUSD to the protocol and the tokens later being burnt.
Acala did not return requests for comments at press time.
UPDATE (Aug. 15, 07:41 UTC): Adds clarifying information throughout.
UPDATE (Aug. 15, 13:10 UTC): Adds details about the community proposal in the seventh bullet.
UPDATE (Aug. 15, 13:10 UTC): Adds estimate of damage from Twitter user @alice_und_bob.