By Frederick Munawa, CoinDesk Aug 22, 2022
This week there was a $3B DeFi Exploit of Acala’s aUSD stablecoin. When the decentralized-finance platform Acala was attacked on Saturday, allowing the perpetrators to mint what was technically $3 billion worth of its aUSD stablecoins, a natural question to ask was: Didn’t Acala audit their code?
Yes, the Polkadot-based protocol certainly did. But the exploit involved a misconfiguration in one of Acala’s liquidity pools – the backbone of decentralized exchanges (DEXes), where cryptocurrencies are swapped according to a math equation instead of a conventional order book – which originate from another project entirely, the Honzon protocol. And that allowed 3.02 billion new aUSD stablecoins to be created, which drove their price down dramatically from their intended $1 each.
“We didn’t perform an exhaustive review of the Honzon protocol. We stated at the time that additional reviews were required to fully investigate issues we identified,” Nick Selby, vice president of the software assurance practice at Trail of Bits, said in an interview with CoinDesk. That company was one of several firms that audited Acala’s smart contracts last year.
In a statement to CoinDesk, Bryan Chen, co-founder and CTO of Acala, explained that multiple audits were performed with several top audit firms other than Trail of Bits. One such firm was Security Research Labs (SRLabs), a cybersecurity consultancy and research company.
“All code involved in the aUSD error mints was mature code that had been audited several times and also battle tested on Karura, our canary network on Kusama,” said Chen. (Kusama is an experimental development environment for Polkadot-related projects.)
Bette Chen, co-founder and CEO of Acala, also added some clarity to the situation by emphasizing that audits don’t detect parameter misconfigurations.
“A parameter configuration is not part of a code change. For example, when the liquidation ratio is changed, there is no new audit required; a governance vote can update parameters. The code itself, however, should have prevented the misconfiguration, which is not picked up by internal and external audits,” she said in a statement to CoinDesk.
In other words, the protocol code ought to have caught the error in the parameter configuration – but it didn’t.
Please read the full article here