Solana-Based Cashio App Hit With an ‘Infinite Mint Glitch,’ CASH Stablecoin Drops to Zero – Defi Bitcoin News

A decentralized finance (defi) protocol called Cashio was attacked by an “infinite glitch” exploit around 9:00 a.m. (UTC), the team said on Wednesday. Following the hack, statistics show the protocol’s total value locked (TVL) dropped from over $28 million to $579,701 and the project’s stablecoin shuddered from $1 per token to zero.

Cashio App Exploited With an Infinite Mint Glitch, Project’s Ecosystem Shudders

The Solana-based decentralized money project called Cashio App has been attacked by an “infinite glitch” exploit the development team detailed on Wednesday. “Please do not mint any CASH,” the team’s Twitter account wrote. “There is an infinite mint glitch. We are investigating the issue and we believe we have found the root cause. Please withdraw your funds from pools. We will publish a post mortem ASAP.” The Cashio team further asked people to “retweet for visibility.”

An unofficial post mortem was written by Samczsun, a research partner from Paradigm. “Another day, another Solana fake account exploit,” Samczsun tweeted. “This time, [Cashio App] lost around $50M (based on a quick skim). How did this happen? In order to mint new CASH, you need to deposit some collateral,” the researcher remarked.

“This cross-program invocation (CPI) will transfer tokens from your account to the protocol’s account, but only if the two accounts hold the same type of token,” the research partner from Paradigm continued. “Otherwise, the token program will reject the transfer. Here, the protocol validates that the crate_collateral_tokens account hold the right type of token by comparing it with the collateral account. It also verifies the collateral account shares the same token type as the saber_swap.arrow account.”

Samczsun’s post mortem further notes:

Unfortunately, the mint field on the arrow account is never validated.

Cashio App’s TVL Drains, Stablecoin CASH Plummets to Zero

Data from defillama.com shows Cashio App’s TVL plummeted from $28.81 million to the current $579,283 TVL. The drop started on March 22, 2022, and currently, small fractions of funds continue to be drained from the TVL. Furthermore, Cashio App has a stablecoin and it’s value is pegged to the U.S. dollar and since the attack, it has dropped from $1 in value to zero. Cashio dollar (CASH) now joins a number of stablecoins over the years that failed to hold the $1 peg.

Metrics indicate that there’s a total supply of 39,837,646 CASH, but the current number of coins in circulation is unknown, according to coingecko.com’s statistics. The CASH contract shows there’s a current CASH supply of around 1,999,702,768 at the time of writing. Furthermore, at the time of writing, two addresses “4ofEvMG” and “7K88AAb” hold approximately 1,142,189,082 CASH.

Tags in this story
Cash, Cash stablecoin, Cashio, Cashio App, Cashio Apps TVL, Cashio dollar, Cashio dollar (CASH), coingecko.coms statistics, decentralized finance, DeFi, defi app, Defi protocol, defillama.com, post mortem, protocol, researcher, Samczsun, Samczsun post mortem, Stablecoin

What do you think about Cashio App getting exploited by an infinite mint glitch? Let us know what you think about this subject in the comments section below.

Jamie Redman

Jamie Redman is the News Lead at Bitcoin.com News and a financial tech journalist living in Florida. Redman has been an active member of the cryptocurrency community since 2011. He has a passion for Bitcoin, open-source code, and decentralized applications. Since September 2015, Redman has written more than 5,000 articles for Bitcoin.com News about the disruptive protocols emerging today.




Image Credits: Shutterstock, Pixabay, Wiki Commons

Disclaimer: This article is for informational purposes only. It is not a direct offer or solicitation of an offer to buy or sell, or a recommendation or endorsement of any products, services, or companies. Bitcoin.com does not provide investment, tax, legal, or accounting advice. Neither the company nor the author is responsible, directly or indirectly, for any damage or loss caused or alleged to be caused by or in connection with the use of or reliance on any content, goods or services mentioned in this article.

(function(d, s, id) {
var js, fjs = d.getElementsByTagName(s)[0];
if (d.getElementById(id)) return;
js = d.createElement(s); js.id = id;
js.src=”https://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v3.2″;
fjs.parentNode.insertBefore(js, fjs);
}(document, ‘script’, ‘facebook-jssdk’));