Polkadot’s (DOT) decentralised finance (DeFi) hub, Acala, suffered a major hack yesterday. The attackers were able to artificially create 1.2 billion aUSD, the project’s stablecoin. We take a look at what happened and the first consequences.
Hack of Acala: what happened
The Acala protocol alerted its users to a “configuration issue” early on Sunday, as several other ecosystem players began to warn about the issue. By mid-day, the protocol confirmed that the problem existed on the recently launched iBTC/aUSD liquidity pool, which led to “erroneous mints of a significant amount in aUSD. “
We have identified the issue as a misconfiguration of the iBTC/aUSD liquidity pool (which went live earlier today) that resulted in error mints of a significant amount of aUSD
1/– Acala (@AcalaNetwork) August 14, 2022
The criminals could have exploited the flaw to artificially create over 1.2 billion aUSD, the protocol’s stablecoin. Contrary to what we have read here and there, this is not a theft, but a creation of tokens. If we take into account this artificially created sum, it is however the biggest hack in the history of the DeFi.
The person allegedly linked an Ethereum account to the Acala protocol, and the address was fed via the Binance exchange platform. Acala has confirmed that the addresses linked to this hack have been frozen. More than 99% of the amount is blocked on Acala’s parachain, and cannot be transferred. At the same time the protocol has been stopped:
Meanwhile functions including swap, xcm, honzon-related etc on Acala have been paused via urgent governance votes until further notice; the oracle pallet has also been paused so that users do not need to concern liquidations in between time.
7/– Acala (@AcalaNetwork) August 14, 2022
According to Acala, the configuration issue that led to the hack has since been resolved. But the damage has already been done, and the consequences for the project have been felt.
AUSD stablecoin stalls after Acala protocol hack
As several commentators have pointed out, while this is not a theft, the amount of money artificially created is colossal, even for the DeFi sector. The most visible consequence was the catastrophic depeg of the aUSD stablecoin, which hit $0.05 yesterday. It has since recovered, but has still not managed to regain parity with the dollar:
As for the ACA, it has also suffered a significant fall, losing 17% in just over a day. We will of course have to wait and see how far this fall will go as more information becomes available
Project governance in question
Beyond these financial considerations, several members of the crypto community have expressed concern about the decentralization of the project, which has gone into maintenance mode in order to stop transfers of the funds created:
I think it would have to go to Governance to be “decentralized” finance (DeFi). If Acala centrally controls that decision is this really DeFi?
– Gr33nHatt3R.dot ⭕ (@Gr33nHatt3R) August 14, 2022
“There would have to be a governance vote for this to be “decentralised” finance (DeFi). If Acala controls this decision centrally, is it really DeFi? “
Acala confirmed that the protocol was waiting for the community’s decision before releasing these funds:
Pending Acala community collective governance decision on resolution of the error minting, these errorneously minted aUSD remaining on Acala parachain along with these swapped Acala parachain native tokens have been transfer disabled.
4/– Acala (@AcalaNetwork) August 14, 2022
“Pending the collective governance decision of the community, […] those aUSDs that have been erroneously mined remaining on Acala’s parachain, as well as the native tokens […] that have been traded are blocked and cannot be transferred. “
An uncertain future for Acala
Meanwhile, the community is debating. On the Acala Discord, some want the changes to be reversed on the parachain. Others feel that this would set a bad precedent for the project. This is a common debate in the crypto community, the most famous example being the hack that led to the creation of Ethereum (ETH).
Whatever the decision of the Acala community, we can already see that trust in the protocol has been damaged since yesterday. This is not the only DeFi-related hack that has taken place in recent times. Less than a week ago, Curve Finance also suffered an attack and saw 570,000 dollars disappear.
Acala was one of Polkadot’s most followed projects: in March 2022, he managed to raise $250 million to promote the adoption of his stablecoin aUSD. It is thus one of the future giants of Polkadot that has just stumbled.