A decentralized finance (defi) protocol called Cashio was attacked by an “infinite glitch” exploit around 9:00 a.m. (UTC), the team said on Wednesday. Following the hack, statistics show the protocol’s total value locked (TVL) dropped from over $28 million to $579,701 and the project’s stablecoin shuddered from $1 per token to zero.
Cashio App Exploited With an Infinite Mint Glitch, Project’s Ecosystem Shudders
The Solana-based decentralized money project called Cashio App has been attacked by an “infinite glitch” exploit the development team detailed on Wednesday. “Please do not mint any CASH,” the team’s Twitter account wrote. “There is an infinite mint glitch. The root cause of the problem is being investigated. We ask that you withdraw all funds from the pools. We will publish a post mortem ASAP.” The Cashio team further asked people to “retweet for visibility.”
Samczsun (a Paradigm research partner) wrote an unofficial post mortem. “Another day, another Solana fake account exploit,” Samczsun tweeted. “This time, [Cashio App]Based on quick calculations, the loss was approximately $50M This is how it happened. In order to mint new CASH, you need to deposit some collateral,” the researcher remarked.
“This cross-program invocation (CPI) will transfer tokens from your account to the protocol’s account, but only if the two accounts hold the same type of token,” the research partner from Paradigm continued. “Otherwise, the token program will reject the transfer. Here, the protocol validates that the crate_collateral_tokens account hold the right type of token by comparing it with the collateral account. It also verifies the collateral account shares the same token type as the saber_swap.arrow account.”
Samczsun’s post mortem further notes:
The mint field of the Arrow account was never validated.
Cashio App’s TVL Drains, Stablecoin CASH Plummets to Zero
Data from defillama.com shows Cashio App’s TVL plummeted from $28.81 million to the current $579,283 TVL. This drop began on March 22nd, 2022 and small amounts of money are still being taken from the TVL. Furthermore, Cashio App has a stablecoin and it’s value is pegged to the U.S. dollar and since the attack, it has dropped from $1 in value to zero. CASH (Cashio) joins other stablecoins which have lost the $1 peg in the past.
Metrics indicate that there’s a total supply of 39,837,646 CASH, but the current number of coins in circulation is unknown, according to coingecko.com’s statistics. The CASH contract shows there’s a current CASH supply of around 1,999,702,768 at the time of writing. Furthermore, at the time of writing, two addresses “4ofEvMG” and “7K88AAb” hold approximately 1,142,189,082 CASH.
Do you have any thoughts about Cashio App becoming exploited through an infinite min glitch? Please comment below to let us know your thoughts on this topic.
Credits for the imageShutterstock. Pixabay. Wiki Commons
DisclaimerThis information is provided for educational purposes only. This article is not intended to be a solicitation or offer to sell or buy any product, service, or company. Bitcoin.com doesn’t offer investment, tax or legal advice. This article does not contain any information, products, or advice that can be used to cause or alleged result in any kind of damage.