After the mining failure involving its stablecoin aUSD, the Acala Network announced on Monday that it had resumed its operations following a referendum allowing LPs to withdraw liquidity from pools or unstake LP tokens.
The community referendum for Stage 1 of resuming Acala operations has passed and been executed.
LPs who choose to unstake LP tokens or withdraw liquidity on Acala now have the option to do so. https://t.co/yzvOz7zwxT
— Acala (@AcalaNetwork) September 26, 2022
In August, a misconfiguration of the iBTC/aUSD liquidity pool led to a 3.022 billion aUSD to be erroneously minted, taking its price to less than $0.01 from its dollar peg. Acala is a decentralized finance platform built on the Polkadot (DOT) ecosystem.
The wallet addresses that had received the minted aUSD have been identified via on-chain tracing, allowing the recovery of 2.97 billion aUSD mistake mints from 16 addresses. Other thirty-five accounts were identified as having acquired 12.38 million erroneously minted aUSD.
According to the incident report, 16 iBTC/aUSD LP contributors received the error mints, and some of them repeatedly added more liquidity to the pool, claiming more aUSD error mints and resulting in more aUSD being erroneously minted. It noted:
“Some of these users repeatedly swapped more aUSD error mints as the imbalance of pools grew. They then transferred a significant amount of aUSD error mints to other XCM-connected chains and CEXs.”
The cause of the incident “was a vulnerability in the DEX saving code that is part of the incentives pallet”, said the company, which also announced a security roadmap to strengthen the security of the Acala network.
The report revealed the full extent of the event. Reportedly a total of 3.022B aUSD error were minted, 2.97 billion aUSD were found in the addresses of the 16 identified LP contributors, and 12.38M aUSD error mints were found on the top 35 accounts that acquired a significant amount of aUSD error mints or were linked to the accounts that acquired it. A remaining 52.068M aUSD error mints, error mint-swapped tokens and address involved in the incident were identified.