Cashio (CASH), a Solana-native stablecoin, plummeted by 98% in value in a matter of hours.
Soon after, 0xghostchain, the developer who launched the decentralized money platform, took to Twitter to state that they were investigating the issues on CashioApp. It turned out to be an “infinite mint glitch”, and users were warned against minting any CASH.
According to security researcher Samczsun’s initial estimates, Cashio could have lost close to $50 million in the attack.
For context, Cashio DAO came into existence some five months back to provide a yield-boost platform for CASH-paired stable liquidity providers (LPs).
Cashio allowed users to mint and burn (withdraw) the CASH stablecoin.
What was the Glitch?
Samczsun explained that the hackers created fake accounts for the rug pull. He noted, “Cashio didn’t establish a root of trust for all of the accounts it used, an attacker was able to steal approximately $50M by forging a chain of fake accounts.”
Normally, users have to deposit collateral to mint new CASH. In this case, however, validation became “meaningless”. According to Samczsun, the cross-program invocation (CPI) transfers tokens from one account to the protocol’s account only if the two accounts hold the same type of token; otherwise, the transfer is rejected.
However, the security researcher pointed out that due to a missing “trusted root,” the mint field on the arrow account was never validated. He noted, “The attacker just created fake accounts all the way down and then chained it all the way back up until they finally made a fake crate_collateral_tokens account.”
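The missing root of trust can be illustrated with a simplified model, added here as an example and not taken from Cashio’s code; the account layout, PROGRAM, TRUSTED_ROOT and every account name are assumptions. It goes slightly beyond the article by putting a check that only compares neighbouring accounts next to one that also ties the whole chain back to a single trusted root.

```rust
use std::collections::HashMap;

// Simplified model, not Cashio's code: every name here is illustrative.
struct Account {
    owner: &'static str,          // program that owns the account
    mint: &'static str,           // token type the account claims
    parent: Option<&'static str>, // account it says it derives from
}
type Ledger = HashMap<&'static str, Account>;
const PROGRAM: &str = "protocol_program"; // assumed program id
const TRUSTED_ROOT: &str = "bank";        // assumed trust anchor

// Weak check: each link only has to agree with its neighbour.
fn links_consistent(l: &Ledger, leaf: &str) -> bool {
    let mut cur = match l.get(leaf) { Some(a) => a, None => return false };
    while let Some(p) = cur.parent {
        let next = match l.get(p) { Some(a) => a, None => return false };
        if next.mint != cur.mint { return false; }
        cur = next;
    }
    true
}

// Hardened check: program-owned accounts only, ending at the trusted root.
fn anchored(l: &Ledger, leaf: &str) -> bool {
    let mut key = leaf;
    for _ in 0..8 { // hop limit guards against cycles
        let acc = match l.get(key) { Some(a) => a, None => return false };
        if acc.owner != PROGRAM { return false; }
        match acc.parent {
            Some(p) if l.get(p).map_or(false, |n| n.mint == acc.mint) => key = p,
            Some(_) => return false,
            None => return key == TRUSTED_ROOT,
        }
    }
    false
}

// Constructed sample data: a genuine chain and a forged look-alike chain.
fn sample() -> Ledger {
    let a = |owner, mint, parent| Account { owner, mint, parent };
    HashMap::from([
        ("bank", a(PROGRAM, "usdc_lp", None)),
        ("collateral", a(PROGRAM, "usdc_lp", Some("bank"))),
        ("rogue_bank", a(PROGRAM, "worthless", None)),
        ("rogue_collateral", a(PROGRAM, "worthless", Some("rogue_bank"))),
    ])
}

fn main() { println!("anchored(rogue) = {}", anchored(&sample(), "rogue_collateral")); }
```

The forged chain passes the neighbour-only check because every link agrees with the next one; it fails only when the walk is required to end at the one root the program trusts.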
At the time of writing, Cashio $CASH TVL stands at $579,701 on Defillama.
Notably, dApp attacks have become common lately as interest in the sector peaks. A day before this incident, DeFiance Capital founder Arthur_0x also reportedly lost more than $1.5 million in a hot wallet attack. Solana itself has come under some criticism in the past months for its lax security.
Despite that, the Ethereum-killer has managed to grow by onboarding new decentralized applications. Just today, decentralized exchange (DEX) Orca announced its new concentrated liquidity offering, Whirlpools, on the Solana ecosystem.
Source: https://beincrypto.com/solana-fake-account-exploit-on-cashio-how-it-happened/