Solana-Based Cashio App Hit With an ‘Infinite Mint Glitch,’ CASH Stablecoin Drops to Zero

A decentralized finance (defi) protocol called Cashio was attacked by an “infinite glitch” exploit around 9:00 a.m. (UTC), the team said on Wednesday. Following the hack, statistics show the protocol’s total value locked (TVL) dropped from over $28 million to $579,701 and the project’s stablecoin shuddered from $1 per token to zero.

The Solana-based decentralized money project called Cashio App has been attacked by an “infinite glitch” exploit the development team detailed on Wednesday. “Please do not mint any CASH,” the team’s Twitter account wrote. “There is an infinite mint glitch. We are investigating the issue and we believe we have found the root cause. Please withdraw your funds from pools. We will publish a post mortem ASAP.” The Cashio team further asked people to “retweet for visibility.”

An unofficial post mortem was written by Samczsun, a research partner from Paradigm. “Another day, another Solana fake account exploit,” Samczsun tweeted. “This time, [Cashio App] lost around $50M (based on a quick skim). How did this happen? In order to mint new CASH, you need to deposit some collateral,” the researcher remarked.

“This cross-program invocation (CPI) will transfer tokens from your account to the protocol’s account, but only if the two accounts hold the same type of token,” the research partner from Paradigm continued. “Otherwise, the token program will reject the transfer. Here, the protocol validates that the crate_collateral_tokens account hold the right type of token by comparing it with the collateral account. It also verifies the collateral account shares the same token type as the saber_swap.arrow account.”

Samczsun’s post mortem further notes:

Unfortunately, the mint field on the arrow account is never validated.

Data from defillama.com shows Cashio App’s TVL plummeted from $28.81 million to the current $579,283 TVL. The drop started on March 22, 2022, and currently, small fractions of funds continue to be drained from the TVL. Furthermore, Cashio App has a stablecoin and it’s value is pegged to the U.S. dollar and since the attack, it has dropped from $1 in value to zero. Cashio dollar (CASH) now joins a number of stablecoins over the years that failed to hold the $1 peg.

Metrics indicate that there’s a total supply of 39,837,646 CASH, but the current number of coins in circulation is unknown, according to coingecko.com’s statistics. The CASH contract shows there’s a current CASH supply of around 1,999,702,768 at the time of writing. Furthermore, at the time of writing, two addresses “4ofEvMG” and “7K88AAb” hold approximately 1,142,189,082 CASH.

What do you think about Cashio App getting exploited by an infinite mint glitch? Let us know what you think about this subject in the comments section below.