Acala governance proposal submitted to burn $1.28B aUSD following investigation of exploit


Acala issues governance proposal including details of the weekend exploit which led to $1.2B aUSD being "erroneously minted" by a malicious actor.


UPDATE: This proposal has now passed

Polkadot ecosystem’s stablecoin Acala ($aUSD) suffered an exploit over the weekend that led to a malicious actor minting $1.2 billion out of thin air. The Acala team “paused” operations via an emergency governance proposal to investigate the issue.

On August 15, a governance proposal was submitted to “effectively burn” $1.288 billion aUSD following the release of an on-chain report from the Acala Council.

Acala initially notified users of the issue around 3 AM BST on August 14, stating that they were working to “mitigate the issue.” The source of the exploit was publicly reported by 1 PM BST on August 14, just 10 hours later. The announcement confirmed that over 99% of the “erroneously minted aUSD [remained] on Acala parachain.”

Within the Twitter thread that identified the exploit’s cause, Acala stated that it had identified the “wallet addresses that received the erroneously minted aUSD… with on-chain activity tracing” in progress.

Regarding the potential impact on the broader Polkadot ecosystem, Victor Young, the Founder and Chief Architect at Analog, commented:

“I still believe that Polkadot’s infrastructure is secure by design… the same cannot be said about Acala Network, an application-specific chain customized to power liquidity, economic activity, and stable coin utility on the platform.

In my view, we’ll continue to see more of these attacks because many dApp developers don’t put in the legwork when defining their code’s security properties. Even if the smart contract is audited, the code may not be foolproof.”

Governance framework and leadership

The Acala Network is committing to a community governance proposal to decide the resolution to the incident. Currently, Acala has a Governance Council containing five addresses.

According to the Notion roadmap for Acala, “full democracy” is still in the “planning” phase. The Phase 3 roadmap, which is almost complete, states:

“Decisions of the Acala Foundation regarding the network (runtime upgrade, improvements etc) are made transparent on-chain via voting by an appointed Acala General Council.”

Acala has also enabled an element of democracy “so that anyone can propose a referendum by depositing the minimum amount of tokens for a certain period.” However, “full democracy” is scheduled for Phase 4, which will not be implemented until the below checkpoints have been met.

– All DeFi protocols are bootstrapped, running with high stability and security for a reasonable period of time (to ensure protocols are sound during extreme market volatility.)

– The network has a sufficient amount of liquidity to power the protocols, and the liquidity is sustainable.

– Sound and transparent processes have been set up for each DeFi protocol for continuous Business-as-Usual (BAU) improvements, e.g. adding new trading pairs or new collaterals.

– Expert councilors have been identified such as Risk Assessor, Technical Assessor etc. to continue to ensure the security and safety of the network and protocols.

– Acala EVM is sufficiently developed with production-grade functionality and security.

Therefore, according to the current governance process, the Acala Council still appears to retain outsized network control. While this may not be great for the protocol's decentralization, it may aid Acala in resolution management and “to resolve the error mint of aUSD & restore aUSD peg.”

Resolutions and solutions

To mitigate further risk, Acala stated that “parachain native tokens have been transfer disabled,” to stop erroneously minted aUSD from leaving its native parachain and spreading contagion into the broader Polkadot ecosystem.

At the time of writing, aUSD is valued at $0.88 per token after it dropped to a low of $0.09. The price appears to be ranging between $0.90 and $0.80, still some 10% – 20% below its desired peg.

Source: TradingView

Acala posted an update to the situation on Monday morning, confirming the value of minted aUSD as $1.288 billion. The tweet included a forum post detailing the “trace results.”

The Acala team confirmed that the information can now be used to “verify on-chain data, & formulate proposals to resolve the error mint of aUSD.”

The specific cause of the incident is timestamped in the forum post.

“2022-08-13 22:41 UTC – iBTC/aUSD pool was enacted with misconfiguration and erroneous mint started.”

The “misconfiguration” led to the aUSD being erroneously minted, and the funds were sent to several LP providers for the pool. These funds have been effectively frozen at present, as Acala confirmed:

“The swapped digital assets that remain on the Acala parachain, has since been transfer disabled pending the Acala community’s collective governance decision on resolution of the error minting.”

Since the update was released, a “Referenda” proposal has been submitted. The proposal, which has no “nay” votes as of press time, aims to “effectively burn” the erroneous aUSD by returning it to the Honzon protocol.

The proposal includes the code required to move the funds to a pseudo-burn address and lists all the addresses present in Acala’s findings.

Disclaimer: CryptoSlate has received a grant from the Polkadot Foundation to produce content about the Polkadot ecosystem. While the Foundation supports our coverage, we maintain full editorial independence and control over the content we publish.