Polkadot ecosystem Acala hacked: aUSD unpegged but stabilized again, some stolen funds already cross-chain, difficult to execute rollback
Polkadot's parallel chain, the aUSD ecosystem protocol Acala Network, recently acknowledged that due to a reward allocation error in the newly deployed liquidity pool iBTC/aUSD, a large amount of aUSD was minted, causing its value to temporarily drop below 0.1 USD. Although the attacker's funds are currently locked, executing transaction rollbacks poses challenges.
Table of Contents
Attacker Holds 1.2 Billion aUSD
Polkadot parallel chain Interlay announced on 8/10 the launch of minting Bitcoin-backed asset iBTC, supported by Moonbeam and Acala Network, and introduced iBTC/aUSD, iBTC/GLMR liquidity pools.
Polkadot ecosystem security expert 0xTaysama first discovered signs of an attack on 8/14 and reported it to security firm PeckShield, pointing out that the attacker's wallet holds over 1.2 billion aUSD.
Note: aUSD is a multi-collateral stablecoin backed by cross-chain and native parallel chain assets, including DOT, KSM, ACA, KAR, BTC, and ETH.
Team Confirms Pool Misconfiguration
The Acala team stated on the evening of 8/14 that they have confirmed that a misconfiguration of the iBTC/aUSD liquidity pool led to a significant minting of aUSD, the vulnerability has been fixed, and related aUSD addresses have been tracked.
Currently, over 99% of the erroneously minted aUSD still exists on the Acala parallel chain, with some being exchanged for ACA and other tokens. The team has also used emergency governance to temporarily halt Swap, Oracle, and other functions, reassuring users not to worry about liquidation.
Some Assets Already Cross-Chain
Crypto community Alice und Bob provided a more detailed analysis than the official one, pointing out that while attention is focused on the attacker holding 1.2 billion aUSD, a total of over 1.3 billion aUSD was erroneously minted.
What actually caused the damage is that some users have already exchanged the falsely minted aUSD for DOT and iBTC via Moonbeam, with a total of 6.2 million assets already leaving the parallel chain.
Alice und Bob believes that as long as the stolen DOT and iBTC are not returned to the chain, it is unlikely that transaction rollbacks will be executed.
iBTC issuance protocol Interlay also concurred with this view in its event analysis:
Attackers may cash out by exchanging iBTC, making it difficult for Acala to execute rollbacks, and so far, we cannot confirm if any attempts to redeem iBTC are related to the attackers.
Alice und Bob also noted that aUSD experienced a significant price rebound after detaching, falling to $0.05 on KuCoin and now back to $0.8, attributing it to factors such as investor trust in the team and speculation.
Related
- Dark web hackers selling 10 million pieces of Binance user data, Binance refutes: Completely false
- Kraken hit by white hat ransomware attack, loses 3 million euros, Certik: Threatened by Kraken
- OKEx users fall into panic! Unusual aggregation of 5.3 BTC, consecutive theft of user assets, OKEx official: Investigating the truth, don't panic