• An attacker minted 1.2 billion aUSD stablecoins on Acala
  • The funds are still on the Acala parachain
  • All swaps and transfers have been paused and aUSD peg has almost been restored

Polkadot's decentralized finance (DeFi) hub Acala was compromised over the weekend and almost $1.2 billion in aUSD have been lost due to "a misconfiguration of the iBTC/aUSD liquidity pool."

The iBTC/aUSD liquidity pool went live Sunday and the attacker noticed the misconfiguration, which they later took advantage of by minting a significant amount of aUSD, a stablecoin associated with the network.

The misconfiguration related to the Polkadot-based DeFi platform was rectified on the same day, as confirmed in a series of tweets.

"The misconfiguration has since been rectified and wallet addresses that received the errorneously minted aUSD have been identified, with on-chain activity tracing in respect of these addresses underway," Acala revealed.

The attacker's wallet has over 1.267 billion aUSD tokens followed by 785.9 ACA, among other cryptocurrencies.

The DeFi platform noted that "99%+ of the errorneously minted aUSD remain on Acala parachain with a small proportion of errorneously minted aUSD being swapped for ACA and other tokens on Acala parachain."

As these tokens are still on the Acala parachain, the team has decided to disable the transfers related to that address. Moreover, functions including swaps on Acala have been suspended via urgent governance votes indefinitely.

"Next up, we will continue on-chain activity trace, and share the results with the community to facilitate formulation of community proposal & decision making to resolve the error mint of aUSD & restore aUSD peg," the developers added.

Acala has been deemed one of the most promising projects in the world of DeFi. Looking at the current picture, it seems the issue will likely be resolved.

The aUSD stablecoin lost its peg but rose by over 65.74% in the last 24 hours and is priced at $0.9917 as of 10:44 p.m. ET Sunday, almost reclaiming its peg, as per CoinMarketCap.

"They've contained the exploit (prevented them from transferring these assets out) and will probably revert state like they did with Karura last year," a Twitter user who goes by the handle @0xTaylor noted.

A view of a representation of cryptocurrency Bitcoin plunging into water in this illustration taken, May 23, 2022.
A view of a representation of cryptocurrency Bitcoin plunging into water in this illustration taken, May 23, 2022. Reuters / DADO RUVIC