CashioApp (CASH), a Solana-based stablecoin protocol, has suffered a security breach. The attacker made off with an estimated $50 million, effectively crashing the stablecoin's value to $0 in the hours following the exploit.
Please do not mint any CASH. There is an infinite mint glitch.
We are investigating the issue and we believe we have found the root cause. Please withdraw your funds from pools. We will publish a postmortem ASAP.
— Cashio ($CASH) 💵 (@CashioApp) March 23, 2022
Launched in November 2021 by anonymous developer 0xGhostChain, CashioApp is a stablecoin protocol built on the Solana blockchain. Anyone can mint the $CASH stablecoin by depositing USDT-USDC liquidity provider tokens obtained from partner protocol Saber.
According to an analysis by security researcher Samczsun, the exploit was possible because the CashioApp program never established a "root of trust" for the accounts it validates during minting. The accounts passed to the mint instruction were checked against one another, but that chain of checks was never anchored to an account the caller could not substitute, so an attacker-supplied set of accounts could satisfy every check.
This allowed the attacker to create fake accounts that tricked the CashioApp protocol into an "infinite mint glitch": $CASH tokens were minted without any of the required collateral being deposited.
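To make the "missing root of trust" failure concrete, the following added example (written for this article; it is not Cashio's code and does not reproduce its account layout) models a minimal collateral-backed mint in plain Rust. A "bank" account names the collateral mint it accepts, and the mint instruction checks that the caller's collateral token account carries that mint. The vulnerable version performs that check against whatever bank account the caller passes in; the hardened version first pins the bank to a hard-coded address (`TRUSTED_BANK`, a hypothetical constant) so the chain of checks starts from something the attacker cannot choose. All keys, accounts and balances below are constructed for the scenario.

```rust
use std::collections::HashMap;

/// Toy stand-in for a Solana public key (real keys are 32 bytes).
type Pubkey = [u8; 4];

// Hypothetical addresses for the scenario. In a real program the trusted bank
// would be a hard-coded key or a PDA derived from the program id, i.e. a value
// the caller cannot pick.
const TRUSTED_BANK: Pubkey = [0xB0, 0x00, 0x00, 0x01];
const REAL_COLLATERAL_MINT: Pubkey = [0x50, 0x00, 0x00, 0x01];
const REAL_COLLATERAL: Pubkey = [0x70, 0x00, 0x00, 0x01];
// Attacker-created accounts: a fake bank that "accepts" a fake mint, and a
// token account of that fake mint holding a billion worthless tokens.
const FAKE_BANK: Pubkey = [0xB0, 0xFF, 0xFF, 0xFF];
const FAKE_MINT: Pubkey = [0x50, 0xFF, 0xFF, 0xFF];
const FAKE_COLLATERAL: Pubkey = [0x70, 0xFF, 0xFF, 0xFF];

struct Bank { collateral_mint: Pubkey }
struct TokenAccount { mint: Pubkey, amount: u64 }
enum Account { Bank(Bank), Token(TokenAccount) }

/// Chain state: every account lives here, and anyone can create new ones.
struct Ledger { accounts: HashMap<Pubkey, Account> }

impl Ledger {
    fn bank(&self, key: &Pubkey) -> Result<&Bank, &'static str> {
        match self.accounts.get(key) {
            Some(Account::Bank(b)) => Ok(b),
            _ => Err("not a bank account"),
        }
    }
    fn token(&self, key: &Pubkey) -> Result<&TokenAccount, &'static str> {
        match self.accounts.get(key) {
            Some(Account::Token(t)) => Ok(t),
            _ => Err("not a token account"),
        }
    }
}

/// The link-by-link check: does the collateral account carry the mint that
/// the given bank accepts? Returns the amount of $CASH to mint (1:1, simplified).
fn check_links(ledger: &Ledger, bank_key: &Pubkey, collateral_key: &Pubkey) -> Result<u64, &'static str> {
    let bank = ledger.bank(bank_key)?;
    let collateral = ledger.token(collateral_key)?;
    if collateral.mint != bank.collateral_mint {
        return Err("collateral mint mismatch");
    }
    Ok(collateral.amount)
}

/// Vulnerable: every check is internally consistent, but the chain starts from
/// an attacker-chosen bank account, so passing all checks proves nothing.
fn mint_cash_vulnerable(ledger: &Ledger, bank_key: &Pubkey, collateral_key: &Pubkey) -> Result<u64, &'static str> {
    check_links(ledger, bank_key, collateral_key)
}

/// Hardened: anchor the chain to a root of trust before checking the links.
fn mint_cash_hardened(ledger: &Ledger, bank_key: &Pubkey, collateral_key: &Pubkey) -> Result<u64, &'static str> {
    if *bank_key != TRUSTED_BANK {
        return Err("bank account is not the trusted bank");
    }
    check_links(ledger, bank_key, collateral_key)
}

/// Constructed ledger: the real bank and a legitimate 100-token deposit, plus
/// the attacker's fake bank and fake collateral.
fn scenario() -> Ledger {
    let mut accounts = HashMap::new();
    accounts.insert(TRUSTED_BANK, Account::Bank(Bank { collateral_mint: REAL_COLLATERAL_MINT }));
    accounts.insert(REAL_COLLATERAL, Account::Token(TokenAccount { mint: REAL_COLLATERAL_MINT, amount: 100 }));
    accounts.insert(FAKE_BANK, Account::Bank(Bank { collateral_mint: FAKE_MINT }));
    accounts.insert(FAKE_COLLATERAL, Account::Token(TokenAccount { mint: FAKE_MINT, amount: 1_000_000_000 }));
    Ledger { accounts }
}

fn main() {
    let ledger = scenario();
    println!("vulnerable, fake bank: {:?}", mint_cash_vulnerable(&ledger, &FAKE_BANK, &FAKE_COLLATERAL));
    println!("hardened,   fake bank: {:?}", mint_cash_hardened(&ledger, &FAKE_BANK, &FAKE_COLLATERAL));
    println!("hardened,   real bank: {:?}", mint_cash_hardened(&ledger, &TRUSTED_BANK, &REAL_COLLATERAL));
}
```

The point of the example is that the vulnerable path rejects a fake collateral account presented with the real bank, so the per-link validation is not wrong in itself; it only becomes meaningless once the attacker is allowed to supply the first link of the chain. Pinning that first link (by hard-coded key, PDA derivation, or ownership by the program itself) is what turns a sequence of consistency checks into a root of trust.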
The attacker then sold the $CASH for other assets on Solana and bridged the proceeds to Ethereum through Wormhole. At the time of writing, the associated Ethereum address holds an ETH balance worth roughly $48 million.
CashioApp Hacker to Reimburse Smaller Victims
In a rare development, the person behind the CashioApp exploit says they will reimburse some of the users affected by the breach. In a message embedded in an Ethereum transaction, the hacker stated that users who had less than $100,000 deposited in CashioApp before the exploit would be refunded.
The rest of the stolen funds, the hacker claimed, will be "donated to charity."
(Source: Etherscan)
This is notably the second high-profile exploit involving a Solana-based protocol in recent weeks. Last month, the cross-chain bridge Wormhole suffered a $318 million exploit, although the protocol's backers swiftly made users whole in the aftermath.