The decentralised finance (DeFi) protocol Cashio was hit by an “infinite glitch” vulnerability, according to researchers. The protocol’s total value locked (TVL) dropped from nearly $28 million to $579,701 following the attack, and the project’s stablecoin fell from $1 per token to $0.
The Cashio App Has Been Exploited With an Infinite Mint Glitch, Causing the Project’s Ecosystem to Shiver
Cashio App, a decentralised money project built on Solana, was hit by an “infinite glitch” issue, according to the development team on Wednesday. The team’s Twitter account stated, “Please do not mint any CASH. There’s a glitch with endless mint. We’re looking into the problem and believe we’ve discovered the source. Please take your money out of the pools. A post mortem will be published as soon as possible.” People were also encouraged to “retweet for visibility,” according to the Cashio crew.
Samczsun, a Paradigm research partner, produced an unofficial post mortem. Samczsun tweeted, “Another day, another Solana false account exploit. [Cashio App] lost roughly $50 million this time (based on a quick skim). What caused this to happen?” “You need to deposit some collateral in order to manufacture fresh CASH,” the researcher observed.
“This cross-program invocation (CPI) will move tokens from your account to the protocol’s account, but only if both accounts possess the same sort of token,” continued the Paradigm research partner. “Otherwise, the transfer will be rejected by the token software. By comparing the crate collateral tokens account to the collateral account, the protocol verifies that the crate collateral tokens account holds the correct type of token. It also confirms that the collateral account and the saber swap.arrow account have the same token type.”
In his post mortem, Samczsun adds:
Regrettably, the arrow account’s mint field is never validated.
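The check chain described in the post mortem can be modelled in a few lines of Rust. This is an added illustration, not code from Cashio or from the post mortem; the struct, field and function names, the four-byte mint values and the idea of a protocol-held trusted mint are all assumptions made for the example.

```rust
// Simplified model of the checks described above: plain structs, no Solana SDK.
// Every type, field and function name here is hypothetical.
type Mint = [u8; 4]; // constructed stand-in for a 32-byte mint address

struct Accounts {
    crate_collateral_tokens_mint: Mint, // mint of the protocol's token account
    collateral_mint: Mint,              // mint recorded in the collateral account
    arrow_mint: Mint,                   // mint recorded in the arrow account
}

#[derive(Debug, PartialEq)]
enum CheckError {
    CrateTokensMismatch,
    CollateralArrowMismatch,
    UntrustedArrowMint,
}

/// The chain as the post mortem describes it: each account is compared
/// only with its neighbour, and all of them are supplied by the caller.
fn validate_as_described(a: &Accounts) -> Result<(), CheckError> {
    if a.crate_collateral_tokens_mint != a.collateral_mint {
        return Err(CheckError::CrateTokensMismatch);
    }
    if a.collateral_mint != a.arrow_mint {
        return Err(CheckError::CollateralArrowMismatch);
    }
    Ok(()) // arrow_mint is never compared with anything the protocol trusts
}

/// Hardened form: the chain ends at a mint the caller cannot choose.
fn validate_anchored(a: &Accounts, trusted_mint: Mint) -> Result<(), CheckError> {
    validate_as_described(a)?;
    if a.arrow_mint != trusted_mint {
        return Err(CheckError::UntrustedArrowMint);
    }
    Ok(())
}

/// Constructed sample: three accounts that all name the same mint.
fn consistent_accounts(m: Mint) -> Accounts {
    Accounts { crate_collateral_tokens_mint: m, collateral_mint: m, arrow_mint: m }
}

fn main() {
    let trusted = *b"REAL";
    let other = consistent_accounts(*b"OTHR");
    println!("as described: {:?}", validate_as_described(&other));
    println!("anchored:     {:?}", validate_anchored(&other, trusted));
}
```

Equality checks between caller-supplied accounts only prove that the accounts agree with each other; the last link has to be compared with a value the protocol itself controls.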
The TVL in the Cashio App is depleted, and the stablecoin CASH is at zero.
Cashio App’s TVL has dropped from $28.81 million to $579,283, according to data from defillama.com. The decline began on March 22, 2022, and small amounts of money are still being drained from the TVL. Furthermore, Cashio App has a stablecoin whose value is pegged to the US dollar, and its value has decreased from $1 to zero since the hack. Cashio dollar (CASH) has now joined a long list of stablecoins that have failed to maintain the $1 peg.
According to coingecko.com’s data, there is a total supply of 39,837,646 CASH, but the current amount of coins in circulation is unknown. At the time of writing, the CASH contract shows a current CASH supply of roughly 1,999,702,768. Furthermore, two addresses “4ofEvMG” and “7K88AAb” have about 1,142,189,082 CASH at the time of writing.
Disclaimer: These are the writer’s opinions and should not be considered investment advice. Readers should do their own research.