Following an attack on one of the platform’s liquidity pools, a new type of stablecoin (aUSD) developed on a platform (Acala) built on a blockchain (Polkadot) plummeted from its $1 peg to $0.009. If the phrases that follow “attack on” appear unusually particular, that’s because they are.
The iBTC/aUSD liquidity pool built on top of Acala, rather than Acala itself, was directly targeted, hacked, and thwarted. The exploit was effective, and bad actors were able to generate billions of aUSD for themselves. This infusion of new aUSD devastated the stablecoin’s price purely through massive supply dilution.
aUSD has since rebounded, but only after the Acala community chose to destroy the billions of aUSD that were incorrectly produced. Let’s set aside that the minted aUSD wasn’t wrongly minted, and that a centralised entity had to intervene to correct this error, and instead consider how cryptocurrency systems are only as safe as what’s built atop them.
The recently passed community governance referendum has now been executed.
1,292,860,248 total erroneously minted aUSD have been returned to the honzon protocol and burned.
Details in thread below ⤵
— Acala (@AcalaNetwork) August 16, 2022
Break everything in quick moves.
aUSD isn’t the first cryptocurrency to be cracked or hacked (for example, Ronin for $625 million and Wormhole for $326 million) – it’s simply the flavour of the week. But let’s be clear: aUSD didn’t necessarily cease operating, and the attackers didn’t climb into a building to physically hack into the mainframe.
Instead, aUSD performed as expected. The liquidity pool was managed by flawed code, and that buggy code allowed attackers to print billions of aUSD.
This is similar to the other two cases, with the term “exploit” used to describe the assaults. We should do the same here, because exploit, rather than hack, more correctly describes taking advantage of badly written code.
Of course, exploits aren’t limited to protocols you’ve never heard of. Polkadot, for example, is the foundation of Acala. Polkadot’s native currency, DOT, is the 11th most valued cryptocurrency, but Polkadot is not Ethereum. Then again, Ethereum had its own vulnerability in 2016, “The DAO Attack,” which caused a messy chain split and a loss of reputation.
This is useful ammunition for boomer Bitcoin devs who are adamant about not altering anything about Bitcoin for fear of breaking the protocol. I’m not here to defend the halting of new Bitcoin or other cryptocurrency protocol development, but rather to provide some colour as a caution given how simple it is to draw a link between Silicon Valley tech corporations and crypto.
The Silicon Valley tech culture is (was?) “move fast and break things,” but the stakes are simply higher for cryptocurrency. If a Salesforce developer’s bug negatively impacts a customer’s experience, fixing it simply costs time (there may be a reputational blow, but a firm can get through a few mistakes a year without trouble).
Not so in the crypto world. If a problem is introduced into a cryptosystem via a flashy new product, layer, smart contract, or whatever, and is eventually exploited, the harm might be widespread and irrevocable. Building things atop crypto protocols, and upgrading the protocols themselves, should both be done with caution.
It’s OK to move fast and break things, unless you don’t want them broken.