Attackers exploited an “unlimited mint bug” to rob Cashio, a Solana-based stablecoin project, of millions of dollars.
After an “unlimited mint flaw” allowed attackers to manufacture tokens without providing collateral, the price of Cashio’s dollar-pegged stablecoin CASH dropped drastically from $1 to $0.00005.
oxGhostChain, a Cashio developer, took to Twitter to offer a warning. “We believe we have uncovered the root problem,” the team said, adding that they are investigating the issue.
“Please take your money out of the pools. A postmortem will be published as soon as possible,” tweeted oxGhostChain.
According to a report, the hack has drained around $28 million from Cashio’s protocol.
Nonetheless, Samczsun, a research partner at Web3 investment company Paradigm, painted a bleaker picture today on Twitter.
According to the researcher, “Another day, another Solana phishing scam. Cashio App lost roughly $50 million this time (based on a quick skim). What caused this to happen?”
The project has not responded to any request for confirmation of how much they actually lost.
Cashio Dollar is a stablecoin based on Solana that was launched in November 2021.
Anyone can create CASH by first depositing Saber USDT-USDC liquidity provider (LP) tokens.
Saber is a decentralized Solana exchange similar to Uniswap.
Users who deposit tokens into Saber’s liquidity pools earn LP tokens, which represent their deposit.
Cashio theft not actually the first
This isn’t the first time that a DeFi protocol has been plundered for millions of dollars thanks to an “infinite mint” bug.
A group of DeFi engineers used a similar vulnerability on the DeFi insurance project Cover in December 2020, generating bogus tokens to supply liquidity to Balancer.
The attackers then exchanged the staked tokens for COVER tokens, which they sold repeatedly on exchanges.
The overall loss from the hack was $3 million, which was reportedly returned in full, along with a letter reading, “Next time, take care of your own shit.”
A similar story happened to SafeDollar last summer after hackers stole around $250,000 worth of stablecoins from the platform’s liquidity pools, driving the price of SafeDollar’s eponymous dollar-pegged stablecoin to zero, and then fenced the stolen coins on PolyDex.