Yet another decentralized finance (DeFi) protocol was hacked this week, with millions being drained. This time, the target was Cashio, a Solana-based DeFi protocol.
According to the platform DeFi Llama, the hacker drained around $28 million in assets from Cashio’s liquidity pools.
However, the cryptocurrency security researcher known as samczsun said on Twitter that the damage was even worse. According to samczsun, Cashio App lost about $50 million, “based on a quick search.”
Stablecoin goes to zero
As a result of the attack, the project’s stablecoin, Cashio Dollar (CASH), went to zero. Before the breach, CASH cost about $1, as it was pegged to the US dollar. Now, after the hack, the digital currency that was supposed to be stable has dropped practically 100% to $0.00005800.
The project team commented on the flaw on its Twitter account on Wednesday (March 23).
Please do not mint any CASH. There is an infinite mint glitch.
We are investigating the issue and we believe we have found the root cause. Please withdraw your funds from pools. We will publish a postmortem ASAP.
— Cashio ($CASH) 💵 (@CashioApp) March 23, 2022
According to the project’s website, Cashio is a Solana-based DeFi app that allows users to mint the stablecoin Cashio Dollar (CASH), launched in November 2021.
At Cashio, all deposits are backed by interest-bearing liquidity provider tokens. For example, one can provide liquidity with stablecoins like USDT and USDC to mint CASH.
In this incident, the hacker found a vulnerability that allowed them to mint an infinite supply of CASH without having to provide sufficient collateral.
According to Solscan data, the hacker minted 2 billion CASH stablecoins. The hacker then converted the tokens into other assets, notably other stablecoins. The conversion was done through the decentralized exchange Saber.
After that, the Saber platform reported that it had paused its CASH liquidity pools.