Hack Summer Continues with Acala Becoming the 4th Victim in August, ‘We’ll see More Attacks’
A scorching hot decentralized finance (DeFi) hack summer continues, with the latest in a string of at least eight protocols to fall victim to an exploit since early June being Acala Network — and it is at least the fourth one in August alone.
The incident saw the network’s Polkadot (DOT)-based stablecoin Acala Dollar aUSD lose its dollar peg and plunge by more than 99%. On Monday morning at 7:20 UTC, aUSD is trading at USD 0.00898, down by 9% over the past 24 hours and 99.1% in a week, according to CoinGecko.
Meanwhile, Acala (ACA) token is down 7.5% in a day and 18% in a week, trading at USD 0.267.
Acala Dollar (AUSD) 7-day price chart:
Source: Coingecko.com
What led to this is that over the weekend, bad actors had managed to exploit a vulnerability in the Acala network’s newly-deployed iBTC-aUSD liquidity pool to issue more than a billion aUSD tokens, Acala’s native stablecoin.
At the time of writing, the wallet believed to belong to the attacker contains aUSD 1.267bn.
Acala’s official Twitter account confirmed the hack. «We have identified the issue as a misconfiguration of the iBTC/aUSD liquidity pool (which went live earlier today) that resulted in error mints of a significant amount of aUSD.»
The misconfiguration has since been rectified and wallet addresses that received the errorneously minted aUSD have been identified, with on-chain activity tracing in respect of these addresses underway
2/— Acala (@AcalaNetwork) August 14, 2022
In a follow-up tweet, the team claimed that they have «rectified» the issue and also identified the wallet addresses that «that received the erroneously minted aUSD,» saying that they will be tracing their on-chain activity.
«Based on preliminary on-chain tracing, 99%+ of the erroneously minted aUSD remain on Acala parachain with a small proportion of erroneously minted aUSD being swapped for ACA and other tokens on Acala parachain,» the team added.
Meanwhile, Victor Young, founder and chief architect at Analog, a layer-0, proof-of-time (PoT)-enabled network, said in a comment to Cryptonews.com that Polkadot’s infrastructure is secure, but the «same cannot be said» about Acala and other protocols built on the platform.
«While the exact cause of the attack is yet to be determined, early investigations point to a flaw in a smart contract managing the iBTC/aUSD liquidity pool that hackers compromised to overzealously mint aUSD tokens,» Young added.
The Acala hack is the latest in a string of hacks and exploitations that have burdened the DeFi industry since the start of this summer. Here is a list of just some of the hacks since the start of June:
- Popular non-fungible token (NFT) collection Bored Ape Yacht Club (BAYC) lost ETH 200 worth of digital assets in an exploit.
- Osmosis DEX was exploited to the tune of some USD 5m.
- Harmony Bridge lost almost USD 100m in crypto in a theft.
- XCarnival lost USD 3.65m worth of ETH in a hack.
- Crema Finance lost over USD 8.7m worth of crypto assets in a flash loan attack.
- NFT influencer Zeneca and NFT registration platform PREMINT fell victim to hacks.
- Decentralized music platform Audius lost USD 6m in a hack.
- Nomad DeFi bridge was drained of USD 190m following a security breach.
- A breach of data by Slope Wallet led to thousands of Solana (SOL) users losing their funds.
- Curve Finance (CRV) saw some USD 570,000 stolen.
This Acala hack is the third one in just the first two weeks of August (among the ones that Cryptonews.com reported on, and they are likely to be more).
«In my view, we’ll continue to see more of these attacks because many dApp developers don’t put in the legwork when defining their code’s security properties,» Young said. «Even if the smart contract is audited, the code may not be foolproof. In this regard, developers and QA experts need to continuously evaluate to ensure the code achieves its objectives.”
As reported, hackers and fraudsters stole over USD 670m from crypto protocols during the second quarter of the year, according to Immunefi, a major bug bounty and security services platform. This figure is up by almost 50% compared to Q2 2021 when hackers and fraudsters stole USD 440,021,559.
In a report earlier this month, blockchain auditing firm Chainalysis revealed that attacks on bridges account for 69% of total funds stolen so far this year. «As more value flows through cross-chain bridges, they become more attractive victims for hackers,» the report said.
Chainalysis suggested all DeFi protocols, especially bridges, go for «extremely rigorous code audits to become the gold standard of DeFi.» The company also said crypto projects need to «invest in security measures and training.»
____