The Polkadot ecosystem stablecoin Acala ($aUSD) was exploited over the weekend, allowing malicious actors to mint $1.2 billion out of thin air. The Acala team has “suspended” operations through an urgent governance proposal to investigate this issue.
On August 15, a governance proposal was filed to “effectively burn” US$1.288 billion following the release of an on-chain report from the Acala Council.
$1.2 billion of aUSD was printed overnight by hackers and my timeline has few peeps.
Things feel more bearish to me than the market is pricing at this particular moment.
We have a lot to do. https://t.co/HE2MGlXk0d
— Mike 🌪️as (🏌️♂️, ⛳️) (@mdudas) August 14, 2022
Acala initially notified users of the issue around 3am on August 14th and said it was working to “mitigate the issue.” The source of the exploit was publicly reported just 10 hours later, by 1pm BST on August 14th. The announcement states that “more than 99% of mis-minted aUSD [remained] on the Acala parachain.”
We have identified the issue as a misconfiguration of the iBTC/aUSD liquidity pool (launched today), resulting in a large number of aUSD error mints.
— Acala (@AcalaNetwork) August 14, 2022
In the Twitter thread that identified the cause of the exploit, Acala said it had identified the wallet addresses that received the erroneously created aUSD and that tracking of their on-chain activity was ongoing.
The misconfiguration has since been corrected, the wallet addresses that received the erroneously created aUSD have been identified, and tracking of on-chain activity for these addresses is ongoing.
— Acala (@AcalaNetwork) August 14, 2022
Commenting on the potential impact on the broader Polkadot ecosystem, Analog Founder and Chief Architect Victor Young said:
“We still believe Polkadot’s infrastructure is secure by design… We cannot say the same about the Acala Network, an application-specific chain customized to power liquidity, economic activity, and stablecoin utility on our platform.
In my view, these attacks will continue to increase as many dApp developers have not stepped in when it comes to defining the security properties of their code. Even if the smart contract is audited, the code may not be secure.”
Governance framework and leadership
Acala Network is working on a community governance proposal to determine the resolution of incidents. Acala currently has a Governance Council with five addresses.
According to the concept roadmap for Acala, “perfect democracy” is still in the “planning” stage. The nearly completed Phase 3 roadmap states:
“Acala Foundation decisions regarding the network (runtime upgrades, improvements, etc.) will be made transparent on-chain through voting by the appointed Acala General Council.”
Acala also enabled elements of democracy, saying this was “so that anyone can propose a referendum by depositing a minimum amount of tokens for a period of time.” However, “Full Democracy” is scheduled for Phase 4 and will not be implemented until the following checkpoints are met.
– All DeFi protocols are bootstrapped and run for a reasonable period of time with high stability and security (to ensure that the protocols are healthy when the market is highly volatile).
– There is a sufficient amount of liquidity in the network to power the protocol, and the liquidity is sustainable.
– Sound and transparent processes are in place for each DeFi protocol for continuous business as usual (BAU) improvements, such as adding new trading pairs and new collateral.
– Professional councilors such as risk assessors, technical assessors, etc. have been identified to continue to ensure the security and safety of the network and protocols.
– Acala EVM is well-developed with production-grade features and security.
Therefore, according to the current governance process, the Acala Council still appears to retain a great deal of control over the network. This may not be optimal for the decentralization of the protocol, but it could be useful for Acala in managing the resolution and in its aim to “resolve USD error mints and restore USD pegs.”
Solution
To further mitigate risk, Acala states that “parachain native token transfers have been disabled” so that the erroneous aUSD cannot leave the native parachain and spread contagion to the broader Polkadot ecosystem.
At the time of writing, aUSD is valued at $0.88 per token after dropping to a low of $0.09. The token appears to be trading between $0.90 and $0.80, which is still 10% to 20% below the desired peg.
Acala posted an update on the situation on Monday morning, confirming that the minted aUSD is worth $1.288 billion. The tweet pointed to a forum post with details of the “trace results.”
Incident Trace Report #1: This is the first published batch of trace results. The incorrectly minted $1.288 billion aUSD has been identified and its transfers will be void until the error is resolved by a pending Acala community governance decision.
— Acala (@AcalaNetwork) August 15, 2022
The Acala team confirmed that the information can be used to “verify on-chain data and formulate proposals to resolve USD error mints.”
The specific cause of the incident is time-stamped in the forum post.
“2022-08-13 22:41 UTC – The iBTC/aUSD pool was enacted with the wrong composition and started the wrong mint.”
Due to a “misconfiguration”, aUSD was created incorrectly and funds were sent to multiple LP providers for pooling. As Acala confirmed, these funds are now effectively frozen.
“Swapped digital assets remaining on the Acala parachain have since been disabled for transfer pending a co-government decision of the Acala community regarding the resolution of the error minting.”
Since the update was released, a “referrer” proposal has been submitted. The proposal has no “against” votes as of press time. By reverting to the Honzon protocol, it aims to “effectively burn” the errant aUSD.
The proposal contains the code needed to move the funds to a pseudo-burning address, listing all addresses present in Acala’s findings.