Network and token freeze after Acala exploit raises questions
The Acala Community’s aUSD stablecoin depegged by over 99% over the weekend and compelled the Acala staff to pause a hacker’s pockets, elevating issues about its declare of being decentralized.
On Aug. 14, a hacker took advantage of a bug on the iBTC/aUSD liquidity pool which resulted in 1.2 billion aUSD being minted with out collateral. This occasion crashed the USD-pegged stablecoin to a cent, and in response, the Acala staff froze the erroneously minted tokens by inserting the community in upkeep mode.
The transfer additionally halted different options reminiscent of swaps, xcm (cross-chain communications on Polkadot), and the oracle pallet value feeds till “additional discover”
Now we have recognized the problem as a misconfiguration of the iBTC/aUSD liquidity pool (which went stay earlier in the present day) that resulted in error mints of a big quantity of aUSD
1/— Acala (@AcalaNetwork) August 14, 2022
Whereas the transfer to place the community in upkeep mode and freeze funds within the hacker’s pockets might have been meant to guard customers and the community from any additional hurt, proponents of decentralization have cried foul.
Acala is a cross-chain decentralized finance (DeFi) hub that points the aUSD stablecoin primarily based on the Polkadot (DOT) blockchain. aUSD is a crypto-backed stablecoin which Acala claims is censorship-resistant. iBTC is a type of wrapped Bitcoin (BTC) which can be utilized in DeFi protocols.
Neighborhood members have famous the irony of Acala’s claims about aUSD’s censorship-resistance because the protocol froze funds so swiftly. Twitter consumer Gr33nHatt3R.dot identified on Aug. 14 that decisions “must go to governance to be ‘decentralized’ finance.”
“If Acala centrally controls that call is that this actually DeFi?”
A member of the mission’s Discord channel usafmike proposed rolling again the chain to reverse the token mints altogether, however was challenged by skylordafk.dot, one other member who mentioned such an motion would “set a dangerous precedent.”
As of the time of writing, the community was nonetheless in upkeep mode to dam all token transfers, however the staff confirmed that the bug had been fastened. The wallets that acquired erroneously minted aUSD have been recognized, and 99% of them had been nonetheless on Acala which leaves the chance that they could be retrieved by the neighborhood if it votes to take action.
Associated: Binance recovers the vast majority of funds stolen from Curve Finance
The Acala exploit is the second main one in per week as Curve Finance (CRV) skilled an assault on its entrance finish on Aug. 9 which directed customers to approve a malicious contract. Acala’s drawback differs from Curve’s because the latter’s swimming pools weren’t compromised as customers who immediately interacted with its sensible contracts skilled no points.
aUSD is the newest stablecoin to lose its peg previously few months, beginning notoriously with Terra USD (UST) in Could, which has since been renamed to Terra Basic USD (USTC). Different notable depegs embody Tether (USDT) and Dei (DEI).
