Recently the Acala protocol was attacked and the exploiter was able to print 1.2 billion of aUSD.
Fortunately, the Acala team reacted to the attack in a short time and stopped all the operations on the protocol. For now, the situation is still under research and discovering a solution.
The given attack has reminded everyone of some critical issues in parachains security, which should be considered by all the projects in the Polkadot and Kusama ecosystem.
Substrate runtime forkless updates
Unlike many blockchains, the Substrate development framework supports forkless upgrades to the runtime that is the core of the blockchain. Most blockchain projects require a hard fork of the code base to support the ongoing development of new features or enhancements to existing features.
Due to such forkless upgrades, most of them are not audited properly. Usually, projects complete audits only of the initial versions before the launch.
So, each pallet (a building block of any substrate chain) that can be used for forkless upgrades at any time should be also carefully audited.
Cross consensus message (XCM)
Polkadotβs architecture allows parachains to natively interoperate with each other, enabling cross-blockchain transfers of any type of data or asset.
There is another vulnerability. If any project connected to other ones via cross-blockchain transfers gets exploited, stolen funds can flow to other blockchains and create a lot of troubles for their ecosystem as well as for their liquidity.
Canary network testing
Many projects diminish the value of testing the new features and pools at the canary network. Initially, Kusama is the canary network and serves as a testing ground for the mainnet. Such a network allows the developers to test any new features and upgrades before going to mainnet.
So, the recent attack has demonstrated that parachains require more specific and deep security audits, considering substrate based chains features.
Moreover, due to the Polkadot parachains structure, a successful attack on one parachain can be dangerous to the other projects connected via cross consensus message format.
