Acala was hacked: on-chain tracking results and latest progress

On August 14th, Beijing time , Acala, the liquidity hub of Polkadot DeFi, was hacked due to a vulnerability in the iBTC/aUSD pool. The attacker held more than 1.2 billion aUSD in the wallet. Acala then tweeted that it noticed a configuration issue with the Honzon protocol affecting aUSD. The team is passing an emergency vote to suspend operations on Acala while the issue is being investigated and resolved.

Currently, Acala publishes and updates the tracking results of the hacking event chain.

Event overview

Misconfiguration of the iBTC/aUSD liquidity pool (“iBTC/aUSD LP”) (launched earlier on August 14, 2022) resulted in the mis-minting of a large amount of aUSD. The iBTC/aUSD LP token staking rewards awarded to iBTC/aUSD LP contributors are INTR and ACA (“iBTC/aUSD LP reward”), as described in a community post announcing the launch of iBTC/aUSD LP.

This misconfiguration resulted in the wrong minting of aUSD, which was transferred to the wallet addresses of many iBTC/aUSD LP contributors when they claimed their iBTC/aUSD LP rewards. The misconfiguration has since been corrected, the wallet addresses that received the erroneously minted aUSD have been identified, and on-chain activity tracking of these addresses is ongoing.

Over 99% of the aUSD that was minted by mistake remained on the Acala parachain, and a small portion was converted into ACA and other tokens and transferred out of the Acala parachain. The ability to transfer the remaining 99%+ of erroneously minted aUSD and exchanged digital assets retained on the Acala parachain has been disabled pending a collective governance decision by the Acala community to resolve erroneous minting.

timeline

2022-08-13 22:41 UTC (8-14 06:41 GMT)  – iBTC/aUSD pool was enacted due to misconfiguration and wrong minting initiation.

2022-08-13 23:00-23:40 UTC (8-13 07:00-07:40 Beijing time)  – Acala network contributors noticed unusual on-chain activity, began investigating and announced the incident.

2022-08-14 01:17 UTC (8-14 09:17 GMT)  – Acala parachains are equipped with the ability to partially suspend certain transactions through governance (without stopping the chain) as a defense mechanism against such events. An emergency governance vote passed to suspend Acalaswap to determine the root cause.

2022-08-14 01:39 UTC (08-14 09:39 GMT): The misconfiguration issue was identified, an emergency governance vote was raised and passed to correct the configuration. Error minting of aUSD has since stopped.

2022-08-14 01:47 UTC (08-14 09:47 Beijing time): In the next few hours, in order to curb the wrongly minted aUSD, emergency governance votes to suspend the honzon protocol, xtoken (xcm transfer out ), EVM, non-ACA token transfers, oracle trays, and LDOT instant exchange.

The team has since started tracking the on-chain activity of erroneously minting aUSD, with multiple contributors helping with peer review and verification. Tracking results based on publicly available information will be continuously released to facilitate the community to formulate community proposals to resolve aUSD’s erroneous minting and restore aUSD pegs, and then safely and gradually resume operations on the Acala network. Below are the first tracking results for August 15, 2022.

Tracking Result #1: August 15, 2022

When these iBTC/aUSD LP contributors claimed their iBTC/aUSD LP rewards through the iBTC/aUSD reward pool, 16 iBTC/aUSD LP contributors’ wallet addresses were identified to transfer their erroneously minted aUSD to them.

More on-chain tracking information for these wallet addresses is as follows:

  • The wrongly minted aUSD was transferred to and left at these wallet addresses: 1,288,561,129 aUSD
  • Further analysis of these accounts is underway and will be published in the following tracking report

Tracking ID

  • Transactions for iBTC/aUSD LP contributors to receive iBTC/aUSD LP rewards
  • Snapshot of account balance before the event

There are still 4,299,119 misminted aUSD in the iBTC/aUSD reward pool that has not yet been claimed.

IEQTYeo6f65iVzriJqcDxzJAmn8yOIt14bUUehHR.png

what’s next

The Acala community can use info & script to verify on-chain data and work together to formulate proposals to resolve aUSD mis-minting.

The team will continue to work with partners and contributors to track and identify misminted aUSD that has been exchanged to other tokens, other related transactions performed by 16 wallet addresses, token outflows to other wallet addresses, parachains and transactions waiting. Results will be published on an ongoing basis in a transparent manner, where the community can collectively formulate recommendations to resolve aUSD mis-minting, and then gradually resume suspended network operations.

In addition, Acala stated on social media that if it is the recipient of aUSD that was minted incorrectly or exchanged these aUSD for other tokens and kept them on another chain, the tokens need to be transferred here:

About Polkadot: 13YMK2eYoAvStnzReuxBjMrAvPXmmdsURwZvc62PrdXimbNy 

On Moonbeam: 0x7369626cd00700000000000000000000000000

If you are an ACA holder obtained by exchanging the wrongly minted aUSD, please go to the following Acala address:

23M5ttkmR6KcoTAAE6gcmibnKFtVaTP5yxnY8HF1BmrJ2A1i

latest progress

At 8-16 08:47 Beijing time , the Acala attacker address aUSD burning proposal passed, a total of 1,292,860,248 wrongly minted aUSD in about 1652829 blocks will be sent to the honzon protocol and burned.

Around 8-16 09:48 Beijing time , the above proposal has been implemented.

8Tmo5Wwi9uW7mCAhzL0IrLO9z1vsz9cFTQvUQyFr.png

Posted by:CoinYuppie,Reprinted with attribution to:https://coinyuppie.com/acala-was-hacked-on-chain-tracking-results-and-latest-progress/
Coinyuppie is an open information publishing platform, all information provided is not related to the views and positions of coinyuppie, and does not constitute any investment and financial advice. Users are expected to carefully screen and prevent risks.

Like (0)
Donate Buy me a coffee Buy me a coffee
Previous 2022-08-16 10:43
Next 2022-08-16 10:46

Related articles