Share this article
DeFi Platform Acala’s Stablecoin Falls 99% After Hackers Issue 1.3B Tokens
A bug in the protocol’s newly deployed iBTC-aUSD liquidity pool left the door wide open for hackers to exploit.
Updated May 11, 2023, 6:42 p.m. Published Aug 15, 2022, 8:52 a.m.
Polkadot-based decentralized finance (DeFi) platform Acala’s native stablecoin, aUSD, depegged on Sunday, plummeting 99% after hackers exploited a bug in a newly deployed liquidity pool to mint 1.28 billion tokens.
- Acala developers said the bug was caused by a misconfiguration of the iBTC/aUSD liquidity pool shortly after it went live on Sunday. A liquidity pool is a digital pile of cryptocurrency locked in a smart contract, which results in creating liquidity for faster transactions on decentralized exchanges (DEX) and DeFi protocols.
- After noticing the exploit, the Acala team disabled the transfer functionality of the “erroneously minted aUSD” remaining on the Acala parachain. Parachains refer to custom, project-specific blockchains that are integrated within the Polkadot and Kusama networks and can be customized for any number of use cases.
- A wallet believed to belong to the attacker still contains approximately 1.27 billion aUSD. Acala has asked white-hat hackers to return the stolen funds to Polkadot or Moonbeam addresses.
- On-chain sleuths have pointed out that the attacker who minted 1.28 billion aUSD was not the only person to take advantage of the bug – several other users allegedly stole thousands of dollars worth of DOT from the liquidity pool.
- The Twitter account @alice_und_bob estimated that the "damage" was $0 to $10 million, "likely around 1.6M USD with chance of recovery."
- Launched earlier this year, aUSD successfully held its soft peg to the U.S. dollar until the hack. After the attack, the price of aUSD plunged from roughly $1.03 per token to $0.009.
- Acala developers said Sunday night that would continue to trace the on-chain activity to resolve the error mint of aUSD and try to restore aUSD peg.
- Later on Monday, Acala community members created a proposal that would result in the return of all erroneously minted aUSD to the protocol and the tokens later being burnt.
- Acala did not return requests for comments at press time.
Read more: Acala, VCs Commit $250M for Polkadot DeFi Investments
STORY CONTINUES BELOW
Read more: Polkadot-Based Acala Raises $7M as DeFi Grabs Land on Another Blockchain
UPDATE (Aug. 15, 07:41 UTC): Adds clarifying information throughout.
UPDATE (Aug. 15, 13:10 UTC): Adds details about the community proposal in the seventh bullet.
UPDATE (Aug. 15, 13:10 UTC): Adds estimate of damage from Twitter user @alice_und_bob.
More For You
What to know:
- As of October 2025, GoPlus has generated $4.7M in total revenue across its product lines. The GoPlus App is the primary revenue driver, contributing $2.5M (approx. 53%), followed by the SafeToken Protocol at $1.7M.
- GoPlus Intelligence's Token Security API averaged 717 million monthly calls year-to-date in 2025 , with a peak of nearly 1 billion calls in February 2025. Total blockchain-level requests, including transaction simulations, averaged an additional 350 million per month.
- Since its January 2025 launch , the $GPS token has registered over $5B in total spot volume and $10B in derivatives volume in 2025. Monthly spot volume peaked in March 2025 at over $1.1B , while derivatives volume peaked the same month at over $4B.
More For You
ZKsync Lite to Shut Down in 2026 as Matter Labs Moves On
The company framed the move, happening in early 2026, as a planned sunset.
What to know:
- Matter Labs plans to deprecate ZKsync Lite, the first iteration of its Ethereum layer-2 network, the team said in a post on X over the weekend.
- The company framed the move, happening in early 2026, as a planned sunset for an early proof-of-concept that helped validate their zero-knowledge rollup design choices before newer systems went live.
Top Stories
