Misconfiguration in the Acala stablecoin project allows attacker to steal 1.2 billion aUSD

A misconfiguration in a newly-deployed liquidity pool allowed an attacker to mint 1.2 billion aUSD, a stablecoin built on the Polkadot network. The exploit caused aUSD to lose its USD peg, initially dropping as low as $0.60 and hovering around $0.90.

Acala paused the protocol shortly after the attack, and disabled the transfer functionality of the stolen aUSD and of Acala-based tokens the attacker had swapped for some of the aUSD. It's important to note that the attacker could not earn a profit anywhere near $1.2 billion USD from the erroneous creation of new, unbacked tokens—they likely made off with around $1.6 million. Acala subsequently burned most of the new tokens, which helped the aUSD token return to between $0.90 and $0.94—much closer to its intended peg.