‘Another Day, Another Solana Fake Account Exploit’, Here’s What Happened With Cashio (CASH)


Cashio (CASH), a Solana-native stablecoin, plummeted by 98% in a matter of hours.

Source: Defillama

Soon after, 0xghostchain, the developer who launched the decentralized money platform, took to Twitter to state that they were investigating the issues on CashioApp. It turned out to be an “infinite mint glitch”, and users were warned against minting any CASH.

According to security researcher Samczsun’s initial estimates, Cashio could have lost close to $50 million in the attack.

Just to reiterate, Cashio came into existence some five months back to provide a yield-boost platform for CASH-paired stable liquidity providers (LPs).

Cashio allowed users to mint and burn (withdraw) the CASH stablecoin.

What was the Glitch?

Samczsun explained that the hackers created fake accounts for the rug pull. He noted, “Cashio didn’t establish a root of trust for all of the accounts it used, an attacker was able to steal approximately $50M by forging a chain of fake accounts.”

Generally, users have to deposit collateral to mint new CASH. However, in this case, validation became “meaningless”. According to Samczsun, the cross-program invocation (CPI) will transfer tokens from one account to the protocol’s account only if the two accounts hold the same type of token. Otherwise, the transfer is rejected.

However, the security researcher pointed out that due to a missing “trusted root,” the mint field on the arrow account was never validated. He noted, “The attacker just created fake accounts all the way down and then chained it all the way back up until they finally made a fake crate_collateral_tokens account.”
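The difference between checking accounts only against each other and checking them against a trusted root can be shown with a small model. This is an added example, not Cashio's code or Samczsun's: it is plain Rust with no Solana libraries, and every key, program name and field in it is a hypothetical stand-in.

```rust
// Simplified model of chained account validation. Not Cashio's code:
// every key, program id and field name below is hypothetical.
const PROGRAM: &str = "stable_program";
const TRUSTED_COLLATERAL: &str = "collateral_real"; // recorded at setup: the trusted root
const TRUSTED_MINT: &str = "lp_mint_real";

struct Acct {
    key: &'static str,
    owner: &'static str,    // program that created and owns the account
    mint: &'static str,     // token type the account claims to describe
    links_to: &'static str, // key of the next account in the chain
}

/// Weak form: each link agrees with its neighbour, but every account is
/// caller-supplied, so a self-consistent forged chain is accepted.
fn validate_relative(collateral: &Acct, arrow: &Acct, deposit: &Acct) -> bool {
    collateral.links_to == arrow.key
        && collateral.mint == arrow.mint
        && arrow.mint == deposit.mint
}

/// Hardened form: same link checks, anchored to values the program fixed itself.
fn validate_anchored(collateral: &Acct, arrow: &Acct, deposit: &Acct) -> bool {
    collateral.key == TRUSTED_COLLATERAL
        && collateral.owner == PROGRAM
        && arrow.owner == PROGRAM
        && arrow.mint == TRUSTED_MINT
        && validate_relative(collateral, arrow, deposit)
}

/// Constructed sample chains: one set up by the protocol, one supplied by a caller.
fn sample_chain(genuine: bool) -> (Acct, Acct, Acct) {
    let (owner, mint, c, a) = if genuine {
        (PROGRAM, TRUSTED_MINT, TRUSTED_COLLATERAL, "arrow_real")
    } else {
        ("caller_program", "worthless_mint", "collateral_fake", "arrow_fake")
    };
    (Acct { key: c, owner, mint, links_to: a },
     Acct { key: a, owner, mint, links_to: "deposit" },
     Acct { key: "deposit", owner: "token_program", mint, links_to: "" })
}

fn main() {
    for genuine in [true, false] {
        let (c, a, d) = sample_chain(genuine);
        println!("genuine={} relative={} anchored={}", genuine,
                 validate_relative(&c, &a, &d), validate_anchored(&c, &a, &d));
    }
}
```

Both chains pass the relative checks; only the chain tied to the program's own recorded key, owner and mint passes the anchored one.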

At the time of writing, Cashio $CASH TVL stands at $579,701 on Defillama.

What is noteworthy is that dApp attacks have become common lately, as interest in the sector peaks. A day before this incident, DeFiance Capital founder Arthur_0x also reportedly lost more than $1.5 million in a hot attack. Solana, however, has come under some criticism in the past months for its lax security.

Despite that, the Ethereum-killer has managed to grow by onboarding new decentralized applications. Just today, decentralized exchange (DEX) Orca announced its new concentrated liquidity offering, Whirlpools, on the Solana ecosystem.
