Acala Network aUSD Infinite Mint Depegging

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Jump to navigation Jump to search

Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' section to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

Acala Network Homepage/Logo

Acala positioned itself as the liquidity layer of Web3 finance, offers backend infrastructure trusted by industry giants like Coinbase and Figment and application-specific blockchain boasting tools like the Universal Asset Hub and Acala USD stablecoin protocol. A breach led to the depegging of the Acala Dollar, with over 3 billion aUSD mistakenly minted, causing significant imbalance and losses. Despite community efforts to rectify the situation through governance referendums, questions linger about security and stability, and the protocol appears to ultimately have been discontinued.

This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21][22][23]

About Acala Network

"Acala is building the liquidity layer of Web3 finance"

"Acala provides backend infrastructure for traditional finance that is trusted by institutions like Coinbase, Figment, and Current.com."

"Acala’s application-specific blockchain (appchain) has built-in tools like Universal Asset Hub that hosts DOT liquid staking token (LST) protocols, a DEX, DOT liquid staking, and multichain asset router bridge. Leverage these tools and native liquidity as a developer."

"The Acala USD (aUSD) stablecoin protocol enables a decentralized, cross-chain stable currency that serves as the native stablecoin of the Polkadot and Kusama ecosystem"

"Acala USD is a decentralized cross-chain stablecoin protocol pegged to the US Dollar and backed by a surplus value of reserve assets. The protocol is deployed on the Acala and Karura networks and as such can be integrated with any blockchain connected to the Polkadot or Kusama ecosystems. As the native stablecoin of the Polkadot and Kusama ecosystems, aUSD is used to pay for network transaction fees, access services and hedge against price volatility."

"Stablecoin Acala Dollar (aUSD) lost its parity with the U.S. dollar following a breach over the weekend, but its price has since begun to bounce back."

"Cryptocurrency analyst @Alice und Bob tweeted that the depeg was caused by US$1.2 billion of aUSD mistakenly minted in its iBTC/aUSD liquidity pool and caused a serious imbalance in the fund pool. Also, the analyst said some of the wrongly minted stablecoins have been moved out of the Acala’s chain and caused an estimated loss of US$1.6 million."

"The Acala Network, which supports blockchains of Polkadot and Kusama, said the error has been corrected and now it is tracking the wallets that received wrongly minted aUSD, according to a Twitter thread by its verified official account."

"The price of aUSD bounced back and traded at US$0.90 as of 12 p.m. Hong Kong time, after it slumped to US$0.57 on Sunday, according to CoinMarketCap."

"The Acala USD (aUSD) token, which acts as a native stablecoin for the Polkadot and Kusama blockchains, saw its value plummet 99% after a misconfiguration of the iBTC/aUSD liquidity pool was exploited after its launch on Sunday. Initial estimates from Acala noted that 1.2 billion aUSD was minted without the necessary collateral, seeing the token’s value depeg from its 1:1 peg with the U.S. dollar to a bottom of $0.01."

"Acala’s stablecoin protocol uses a multi-collateral backing mechanism to create a stablecoin soft-pegged to the US Dollar. The Acala stablecoin protocol mints a stable currency from a basket of reserve assets. This enables people to transact, trade, and facilitate services using aUSD without price volatility and, if desired, while retaining ownership of their reserve assets like ACA, DOT, DOT derivatives, parachain assets, and assets bridged from other consensus networks like BTC, or ETH."

"aUSD is minted using a system called Collateralized Debt Positions (CDPs). Together with a set of incentives, supply and demand balancing, and risk management mechanisms within the aUSD stablecoin protocol on Acala, the value of an aUSD token is pegged to the value of a US Dollar. aUSD also offers an on-chain liquidator, removing third party centralized risk, and oracle quality of service, guaranteeing oracle price feeds make it into every block. This allows the aUSD protocol to manage risk in a more autonomous and efficient manner.

Every CDP holds the collateral assets deposited by the user who opened the CDP that created the aUSD tokens, together with its associated aUSD debt position. The deposited collateral assets inside the CDP are locked and cannot be withdrawn by the user until the associated aUSD debt is paid back. Active CDPs are always over-collateralized with the collateral value exceeding the value of the debt. Opening a CDP also involves a Stability Fee, or interest, that goes to the protocol as well as liquidity providers (LPs) of aUSD stablecoin pairs in Acala Swap."

"Acala put its network in maintenance mode to freeze funds and eventually managed to recoup a significant portion of the uncollateralized tokens. The Acala community proposed and voted on a referendum to identify and destroy the erroneously minted tokens to return its dollar peg to parity at $1."

"A few months ago I was super excited for Fantom and ita Solidly with Andre Cronje as a main developer. Super good tech, really bullish… boom main dev left, dust remains.

Next one JUNO. Awesome usecase, crazy fast, top tier Cosmos coin…boom down like a stone after whale fiasco.

LUNA came swiftly as a lightning and burned most of my saving in crypto over night.

Now ..Acala. Depeg after a hack due to the poor security in one of the pools.

Im starting to wonder why even continue at this point. I already lost 90% of my savings and I wasnt even dabbling with shitcoins or anything like that. People are saying they quadrupled their money since last bear..but here I am, only losing, never winning. Should I even continue?"

"Interlay, a service that allows users to wrap Bitcoin to iBTC and then use it across decentralized finance platforms, was drawn into the situation, as the iBTC/aUSD pool was chiefly affected by the exploit. Cointelegraph reached out to Interlay to ascertain the details of the incident and lessons to be taken forward. Acala, on the other hand, refused to comment."

"While investigations are still ongoing, the theory is that the misconfiguration in the iBTC/aUSD pool allowed an attacker to mint an erroneous amount of aUSD. This then led to fears that the attacker would buy iBTC with the illicit aUSD tokens and convert that to BTC — which would have nullified Acala’s ability to recoup the tokens and restore its peg."

"A community governance referendum has been proposed and passed. At block 1652829 in approx. 35 minutes, 1,292,860,248 total erroneously minted aUSD will be returned to the honzon protocol and will be burned."

"1,288,561,129 aUSD minted on 16 different accounts was returned to the network’s Honzon protocol to be burned. Another 4,299,119 erroneously minted aUSD remaining in the iBTC/aUSD reward pool was also destroyed."

"Acala has yet to confirm the exact amount that was permanently stolen, as even with the disabled transfers, some funds still slipped through the net."

"In total, $1.6M in “good value” was transferred off-chain, and $4.6M of “bad debt” in the form of wrongly minted $aUSD also left the chain."

"I checked the acala website today. They have a new website and the AUSD stuff is completely scrubbed from the website. Their web apps is still showing the mint aUSD section. My guess is they are in the process of getting rid of it as well. Last i heard they are working on apps 2.0"

This is a global/international case not involving a specific country.

The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

  • Known history of when and how the service was started.
  • What problems does the company or service claim to solve?
  • What marketing materials were used by the firm or business?
  • Audits performed, and excerpts that may have been included.
  • Business registration documents shown (fake or legitimate).
  • How were people recruited to participate?
  • Public warnings and announcements prior to the event.

Don't Include:

  • Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
  • Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

The Reality

This sections is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - Acala Network aUSD Infinite Mint Depegging
Date Event Description
February 9th, 2022 6:01:02 PM MST aUSD Launch Announcement A Medium article reports on the launch of the aUSD protocol, which is announced as "the core of Acala’s DeFi ecosystem, and will serve as the stablecoin powering the Polkadot and Kusama ecosystem."
August 13th, 2022 4:41:00 PM MDT Misconfiguration iBTC/aUSD pool was enacted with misconfiguration and erroneous mint started.
August 13th, 2022 7:17:00 PM MDT Partial Pause Enacted Acala parachain is equipped with a functionality to partially pause certain transactions via governance (without halting the chain) as a defense mechanism to combat incidents like this. An urgent governance vote was passed to pause Acalaswap in order to identify the root cause.
August 13th, 2022 7:39:00 PM MDT Issue Identified The issue of the misconfiguration was identified, an urgent governance vote was raised and passed to rectify the configuration. Erroneous minting of aUSD has since stopped.
August 13th, 2022 7:47:00 PM MDT Containment Votes In the hours following, to contain the erroneously minted aUSD, urgent governance votes were passed to pause honzon protocol, xtoken (xcm transfer out), EVM, non-ACA token transfer, oracle pallet, and LDOT instant redeem.
August 13th, 2022 8:44:03 PM MDT Reddit Discussion Discussions on Reddit about the exploit start.
August 14th, 2022 1:32:00 AM MDT Jaumeelgran Tweet Twitter user Jaumeelgran, one of the larger exploiters of the bug, reaches out to the team. He has "been an Acala holder since the 1st day" and wasn't intending to profit from the exploit.
August 14th, 2022 1:39:00 AM MDT Interlay Tweet Interlay, which runs a liquidity pool service between the iBTC and aUSD assets, reports that they are aware of the pricing discrepancy.
August 14th, 2022 7:14:49 AM MDT Reddit Post A Reddit post is made by a frantic user who lost funds in Terra and now fears they lost funds in Acala Networks.
August 14th, 2022 11:11:09 PM MDT Forkast News Article Forkast news reports on the Acala Dollar depegging.
August 15th, 2022 7:12:00 PM MDT Burn Proposal Tweet A tweet by the Acala Network reports that $1.3b worth of erroneously minted aUSD will be returned to the honzon protocol and burned. It also details that they are working to trace any funds that may have been profited through swapping the extra aUSD.
August 17th, 2022 12:58:00 AM MDT Total Mint Increased In this tweet, it's revealed that the actual amount of aUSD obtained was slightly above $3b. Tracing is underway to reclaim the rest of the funds.
August 17th, 2022 2:04:54 AM MDT CoinTelegraph Article CoinTelegraph reports on the incident.
April 1st, 2023 7:59:52 PM MDT Acala Network Concerns There are concerns raised on Reddit that the aUSD project has been scrubbed entirely from the Acala Network website.

Technical Details

This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?

Total Amount Lost

"In total, $1.6M in “good value” was transferred off-chain, and $4.6M of “bad debt” in the form of wrongly minted $aUSD also left the chain."

The total amount lost has been estimated at $6,200,000 USD.

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

The total amount recovered is unknown.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. Stankoman comments on I feel like I should just give up…why even bother investing anymore (Mar 16, 2023)
  2. I feel like I should just give up…why even bother investing anymore : CryptoCurrency (Feb 14, 2024)
  3. I feel like I should just give up…why even bother investing anymore : CryptoCurrency (Feb 14, 2024)
  4. Polkadot-based stablecoin Acala Dollar depegs after a breach (Feb 14, 2024)
  5. https://cointelegraph.com/news/another-depeg-acala-trace-report-reveals-3b-ausd-erroneously-minted (Feb 14, 2024)
  6. @AcalaNetwork Twitter (Feb 14, 2024)
  7. 08-14-2022-Incident On-chain Trace Results - Acala - Acala & Karura Community Forum (Feb 14, 2024)
  8. Proposal for Trace Result #1: 08-15-2022 - Proposals - Acala & Karura Community Forum (Feb 14, 2024)
  9. @InterlayHQ Twitter (Feb 14, 2024)
  10. @AcalaNetwork Twitter (Feb 14, 2024)
  11. https://www.reddit.com/r/CryptoCurrency/comments/wnv8eq/acala_usd_ausd_major_depeg/ (Feb 14, 2024)
  12. Acala Stablecoin Edges Back to Dollar Peg After Burning 1.29B aUSD - Decrypt (Feb 14, 2024)
  13. Acala To Burn $1.2B aUSD After Minting Bug - The Defiant (Feb 14, 2024)
  14. Acala - The DeFi & Liquidity Hub of Polkadot (Feb 14, 2024)
  15. https://coinmarketcap.com/currencies/acala-dollar/ (Feb 14, 2024)
  16. https://www.kraken.com/prices/acala-dollar (Feb 14, 2024)
  17. https://defillama.com/protocol/acala-dollar (Feb 14, 2024)
  18. AUSD officially dead? : AcalaNetwork (Feb 14, 2024)
  19. Acala Launches Polkadots Native Stablecoin Ausd A Decentralized Multi Collateral Stable (Feb 14, 2024)
  20. Why has aUSD massively depegged from the dollar? : AcalaNetwork (Feb 14, 2024)
  21. Subscan | Aggregate Substrate ecological network high-precision Web3 explorer (Feb 14, 2024)
  22. @Jaumeelgran Twitter (Feb 14, 2024)
  23. Rekt - Acala Network - REKT (Feb 14, 2024)
Retrieved from "https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?title=Acala_Network_aUSD_Infinite_Mint_Depegging&oldid=5468"