A bug in the protocol’s newly-deployed iBTC-aUSD liquidity pool left the door wide open for hackers to exploit.
Decentralized finance (DeFi) platform Acala’s native stablecoin, aUSD, depegged on Sunday, plummeting 99% after hackers exploited a bug in a newly-deployed liquidity pool to mint 1.28 billion tokens.
After noticing the exploit, the Acala team disabled the transfer functionality of the “erroneously minted aUSD” remaining on the Acala parachain.
A wallet believed to belong to the attacker still contains approximately 1.27 billion aUSD.
On-chain sleuths have pointed out that the attacker who minted 1.28 billion aUSD was not the only person to take advantage of the bug – several other users allegedly stole thousands of dollars worth of DOT from the liquidity pool.
Launched earlier this year, aUSD successfully held its soft peg to the U.S. dollar until the hack. After the attack, the price of aUSD plunged from roughly $1.03 per token to $0.009.
It remains unclear how Acala will deal with the error mint or whether the aUSD peg can be restored.