Details Of $3 Billion DeFi Exploit Of Acala Come To Light

On Saturday, when the decentralized finance (DeFi) platform Acala was exploited, which allowed the perpetrators to walk away with $3 billion in aUSD stablecoins, people asked an important question.

Didn’t the Polkadot-based decentralized finance (DeFi) protocol audit its code, given that these exploits have become widespread?

The mistake

Yes, it had certainly done so, but the attack had targeted a misconfiguration in one of the liquidity pools of the Acala platform, which are considered a key element of decentralized exchanges (DEXes).

In such a pool, a mathematical formula, rather than a conventional order book, is used to swap cryptocurrencies. This component comes from an entirely different project known as the Honzon protocol.

This is how the attackers were able to create 3.02 billion new stablecoins and drive the price of aUSD down dramatically from its $1 peg.

Nick Selby, VP of the software assurance practice at Trail of Bits, said that the firm had not reviewed the Honzon protocol in detail and that additional reviews were needed.

Trail of Bits is one of the few companies that had audited the smart contracts of the Acala platform in the previous year.

Audited code

The CTO and co-founder of Acala, Bryan Chen, said that a number of audits had been conducted by leading audit firms, including Trail of Bits.

Another of these companies was Security Research Labs (SRLabs), a research and cybersecurity consultancy firm.

Chen stated that the code involved in the erroneous aUSD mints was all mature code that had undergone audits multiple times and had also been battle tested on Karura.

The chief executive and co-founder of Acala, Bette Chen, also provided some clarity about the situation and said that parameter misconfigurations cannot be identified through audits.

Chen explained that such a misconfiguration is not a change in code. For instance, a new audit is not needed when the liquidation ratio is changed, as parameters can be updated via a governance vote.

However, the code itself should have prevented the misconfiguration, and that is something neither external nor internal audits check for.

Put simply, the protocol’s code should have identified the error, but it did not.
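As an added illustration of that point (not Acala's or Honzon's code; names, bounds and the epoch cap are hypothetical), this Rust module shows the kind of runtime guard the article says was missing: a governance-updatable parameter such as the liquidation ratio is range-checked when it is set, and minting is bounded by a per-epoch cap with checked arithmetic, so a bad parameter or a runaway mint is rejected by the code rather than left for a later audit to find.

```rust
// Added example (hypothetical names and bounds), not Acala's code.
#[derive(Debug, PartialEq)]
pub enum Error {
    RatioOutOfRange,
    MintCapExceeded,
}

/// Ratios are stored in basis points (10_000 = 100%) to avoid floating point.
pub const MIN_LIQUIDATION_RATIO_BPS: u64 = 10_000; // 100%: positions must stay over-collateralised
pub const MAX_LIQUIDATION_RATIO_BPS: u64 = 50_000; // 500%: hypothetical sanity ceiling

pub struct StablecoinParams {
    pub liquidation_ratio_bps: u64,
    /// Hard cap on new supply per epoch, acting as a mint circuit breaker.
    pub mint_cap_per_epoch: u128,
    minted_this_epoch: u128,
}

impl StablecoinParams {
    pub fn new(liquidation_ratio_bps: u64, mint_cap_per_epoch: u128) -> Result<Self, Error> {
        let mut p = StablecoinParams {
            liquidation_ratio_bps: MIN_LIQUIDATION_RATIO_BPS, mint_cap_per_epoch, minted_this_epoch: 0,
        };
        p.set_liquidation_ratio(liquidation_ratio_bps)?; // reject bad values at construction too
        Ok(p)
    }

    /// A governance vote may change the ratio, but the runtime still validates the value.
    pub fn set_liquidation_ratio(&mut self, bps: u64) -> Result<(), Error> {
        if !(MIN_LIQUIDATION_RATIO_BPS..=MAX_LIQUIDATION_RATIO_BPS).contains(&bps) {
            return Err(Error::RatioOutOfRange);
        }
        self.liquidation_ratio_bps = bps;
        Ok(())
    }

    /// Mint only while the epoch cap holds; checked arithmetic also guards against overflow.
    /// Returns the running total minted in this epoch.
    pub fn mint(&mut self, amount: u128) -> Result<u128, Error> {
        let total = self.minted_this_epoch.checked_add(amount).ok_or(Error::MintCapExceeded)?;
        if total > self.mint_cap_per_epoch {
            return Err(Error::MintCapExceeded);
        }
        self.minted_this_epoch = total;
        Ok(total)
    }

    /// Called by the runtime at an epoch boundary to reset the circuit breaker.
    pub fn start_new_epoch(&mut self) { self.minted_this_epoch = 0; }
}
```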

The exploit

As mentioned earlier, about 3.02 billion aUSD had been erroneously minted, but the team managed to recover about 2.97 billion.

An urgent governance vote was held, and it was decided to burn around 1.29 billion aUSD. The transfer of the remaining 1.7 million erroneously minted aUSD has been halted.

The Acala community has not yet decided what to do about the remaining funds. Since aUSD is a stablecoin, it typically trades at a 1:1 ratio with the US dollar.

However, after the attack on the Acala protocol, aUSD was depegged, meaning its value declined from about $1.03 to $0.009.

Bette Chen also said that the team was still investigating the full extent of the mints and would continue working with its contributors and partners.