Acala: Another Smart Contract Tastes Defeat

Oluwasanmi
Coinmonks
4 min read · Aug 18, 2022


Another DeFi protocol exploit raises questions about the validity of ‘code is law.’

Credit: LillyCantabile, Pixabay

Raise your hand if you’re a DeFi protocol that’s been exploited this year. More than $1.8Bn has been drained from smart contracts since January, and $190M of that figure was earlier this month in the Nomad bridge heist.

Not two weeks have passed since then and there’s been another multi-million dollar exploit — this time on the Polkadot front.

The story in brief:

  • Liquidity pool contributors on Acala were able to mint more than 3.022Bn of uncollateralised aUSD stablecoin due to the implementation of faulty smart contract code, as confirmed by their second batch of trace results.
  • This destroyed their stablecoin’s parity with the US dollar (it fell as low as 0.081¢ on KuCoin) and wreaked havoc on the ecosystem, with one liquidity pool being almost completely drained.
  • There was some contagion of these unbacked assets to other blockchains, and questions are raised about which governance or legal precedents the team has to claim it back by force.

At this time, Acala Network is still mostly offline.

What is Acala?

Acala is the main DeFi hub of Polkadot, functioning as both an automated market maker (AMM) and a decentralised bank. On the frontend, it allows users to undertake financial activities (borrowing, lending, etc.) in crypto’s trademark permissionless fashion.

Since projects must obtain a parachain slot prior to integrating, adoption across the Polkadot system has been low, and Acala has a TVL of $53M at time of writing. Until earlier this month, the platform supported only five tokens for its DeFi operations — PancakeSwap, in comparison, supports more than eighty-one.

Interlay Integration Exploit

Interlay was one of the most anticipated integrations for Acala, building its flagship interBTC on Polkadot since 2020. It provides a wrapped Bitcoin solution to Polkadot, which allows holders to participate in DeFi and earn yield without selling their $BTC.

It was Acala’s faulty deployment of this incentive that led to the events over this weekend. The iBTC-aUSD pair went live on the platform at 22:41 UTC on Saturday, but a bug in the smart contract caused the liquidity pool to rapidly mint unbacked aUSD instead of LP tokens.

Per Acala’s post-mortem, sixteen wallets claimed a total of 3.022Bn aUSD erroneously generated by the protocol, with a further 4,299,119 remaining within.

Damage Control

At 01:17 UTC on Sunday, the Acala Network entered maintenance mode after an ‘urgent governance vote.’ This limited most functionality on the platform and, more crucially, completely disabled swapping or bridging-off assets.

This made recipients of unbacked aUSD (and everyone else) unable to transfer funds off-chain or otherwise cause more damage within the system from that point on; for this reason, some ninety-nine percent of the 3.022Bn error mint was contained on the protocol, per Acala’s report.

The Heisted 1%

However, some users were able to make it off-chain before the network shut down. Eight of sixteen unbacked aUSD claimants were able to bridge funds directly to Moonbeam, or exchange it for $DOT and $IBTC via Acala’s swap function before sending it to the respective chains.

Credit: On-chain analysis by @ Alice und Bob

Per the third trace report, 176,725 $DOT ($1.5M) escaped onto the Polkadot relay chain, with 41,999 ($355K) being sent to an exchange thereafter — likely for redemption. This amounts to $1.85M in damages.

So far, the Acala team have only completed tracing for $DOT outflows, but estimates put total damages at $2–$10M. There is currently a 5% reward for any of the eight wallet owners returning heisted funds.

Can Acala Prosecute?

The question now raised is what would happen if the owners of those wallets were to simply…not return the assets. ‘Code is law’ is often cited as a defense in DeFi exploits but there’s currently no existing legal precedent. To recap:

  • Due to Acala bootstrapping faulty code, users that deposited into the iBTC-aUSD liquidity pool generated excess LP rewards in aUSD.
  • Of the sixteen that claimed those rewards, eight were able to make it off-chain at an estimated $1.6-$10M loss for the platform and its users.

For the purpose of prosecution, Acala can trace those users via IP address and/or the blockchain. They can also obtain exact identities via a KYC-enabled exchange.

But since no one user managed to extract an incredible amount of funds, taking legal action will be neither simple nor swift. Further still, a legal case is almost certain to fall flat for any wallet holder living outside the anglosphere.

Conclusion

In the court of public opinion, the exploit is squarely Acala’s fault. Even more indicting is that they operate a canary network on Kusama so hacks and exploits don’t occur on the main parachain.

Though the $iBTC pool was almost completely drained, the platform is most likely still solvent, and, so long as funds remain in the ecosystem — i.e. on Polkadot, Moonbeam or Interlay — it’s likely governance action can be proposed for their return.

At this time, Acala Network’s operations have been paused for four days with longer to come, but community support appears strong.
