Polkadot’s DeFi protocol Acala suffered a major exploit on August 14, with hackers minting 1.2 billion aUSD stablecoin without collateral. This attack resulted in the aUSD, the project’s stablecoin, to be depegged by over 99%.
The Acala team tweeted that the exploit happened due to ‘a misconfiguration of the iBTC/aUSD liquidity pool.’ According to the team, the misconfiguration has been rectified.
Most of the minted stablecoins are still in the Acala account, according to on-chain data. Only a tiny fraction of the stablecoin was swapped for Acala’s native token ACA and four other tokens by the attacker.
A wallet believed to belong to the attacker holds approximately 1.27 billion aUSD.
The team asked the hacker to return the erroneously minted aUSD, ASA or swapped token from these aUSD to certain addresses. They even asked recipients of ACA holders who obtained them from the erroneously minted aUSD to return them.
The Acala team also tweeted that it has disabled the transfer functionality of the “erroneously minted aUSD” remaining on the Acala parachain.
On-chain activities such as swaps and cross-chain messaging as well as protocol’s oracle pellet have been halted for other users until further notice to prevent forced liquidations.
Polkadot tweeted that the Acala team will ‘continue tracing on-chain activity, and will facilitate a community proposal to resolve the issue.’ It also clarified that Polkadot’s relay chain and shared security remain unaffected.
