What Really Happened: Acala Stablecoin Parachain Exploit

Updated: Nov 11

Acala Stablecoin (aUSD) de-pegged and fell from $1.03 per token to $0.009, representing a 99% drop in the token price.

 

Key Takeaway

  • Acala USD (aUSD) is a decentralized, multi-collateral stablecoin and the core of Acala's DeFi ecosystem. It also serves as the default stablecoin for the Polkadot and Kusama ecosystem.

  • aUSD enables users to transact, trade, and facilitate services using aUSD while retaining ownership of their reserve assets.

  • The misconfiguration in the iBTC/aUSD pool allowed the bad actors to mint 3.02 billion aUSD tokens without the appropriate collateral.

  • 1.3 billion uncollateralized aUSD from 16 accounts were sent to burn.

  • Roughly 1.7 billion aUSD tokens are still in the perpetrators' wallet addresses.

Introduction

On 14 August 2022, the Acala Stablecoin (aUSD) de-pegged and fell from $1.03 per token to $0.009, representing a 99% drop in the token price. The de-peg occurred due to hackers exploiting a bug in the newly launched iBTC/aUSD liquidity pool.


To counteract the effects of Sunday's exploit, the community voted to burn 1.2B aUSD minted by exploiters the next day, and the price of aUSD is clawing back range. The price of aUSD is currently at $0.75.

What Really Happened: Acala Stablecoin Parachain Exploit

What is Acala Stablecoin (aUSD)

The aUSD is a decentralized, multi-collateral stablecoin and the core of Acala's DeFi ecosystem. It also serves as the default stablecoin for the Polkadot and Kusama ecosystem.


aUSD is minted using a system called Collateralized Debt Positions (CDPs). CDPs are always over-collateralized, with a collateral value exceeding debt value.


Users must first deposit collateral assets before receiving aUSD tokens. The user's deposited collateral assets will be locked in the CDP until the associated aUSD debt is repaid. This system enables users to transact, trade, and facilitate services using aUSD while retaining ownership of their reserve assets.


What Happened to aUSD

aUSD problems began when the token fell to $0.58 before quickly recovering to a range between $0.86 and $0.95. It stayed in that range before collapsing to $0.009.


The Acala team quickly identified the cause and shared it with the community on Twitter.


aUSD can be minted with various collateral, with the collateral ratio varying between tokens. For example, KSM, the native token of the Kusama ecosystem, requires a 400% collateral ratio and a 200% liquidation ratio. This means if a user wants to mint 500 aUSD tokens, they have to provide $2,000 worth of KSM, and if the value of KSM gets cut in half by the market, the user is at risk of triggering liquidation.


The misconfiguration in the iBTC/aUSD pool allowed the bad actors to mint 3.02 billion aUSD tokens without the appropriate collateral.


Acala's Community Swift Reaction

The Acala community reacted quickly. The following day, a proposal was made to burn 1.3 billion erroneously minted aUSD tokens, and the result was overwhelmingly in favor. Since the proposal, the peg is seen to be recovering to the range before the collapse.


Acala had to put its network into maintenance mode to freeze most of the uncollateralized funds, with 1.3 billion aUSD from 16 accounts being sent to burn. Since then, however, a new report has surfaced detailing how 17 flagged liquidity providers' addresses claimed 3.022 billion minted aUSD tokens.

Chart from CoinMarketCap Acala USD (aUSD)

Source: CoinMarketCap


This still leaves roughly 1.7 billion aUSD tokens that shouldn't exist and are still in the perpetrators' wallet addresses. With the price of aUSD currently sitting at $0.75, it is uncertain if aUSD will re-peg in the future.


Possible Crypto Contagion Risk

The impact on Polkadot's token is likely minimal, given that just over 1,000 DOT tokens ended up in bad actor wallets. This is essentially a rounding error for a token with a circulating supply of 1.1 billion. Unlike Terra, an algorithmic stablecoin that collapsed — wiping billions of dollars and drawing regulatory attention from around the world — Acala doesn't have a significant presence in the broad crypto ecosystem to create a contagion risk yet.