Solana-based stablecoin project Cashio crashes to zero after $28M exploit

  • Attackers exploited Cashio through an infinite mint glitch that allowed them to mint unlimited CASH tokens without depositing any collateral.
  • The price has crashed from $1 to $0.00005. The development team says it is looking into the exploit and will issue a post-mortem soon.

A stablecoin project built on the Solana blockchain network has become the latest crypto project to be exploited and lose millions of dollars. Cashio was attacked today and lost $28 million to the attackers, with the price of its native token crashing to zero.

Just hours ago, Cashio announced on Twitter that it had suffered an infinite mint glitch and asked its users not to mint any more CASH, its native token. The developers behind the project claimed to be investigating the issue and even said they had found the root cause (although they have yet to make the details public).

“Please withdraw your funds from pools,” Cashio urged its users.

An infinite mint glitch is a flaw that lets an attacker keep minting new tokens without posting the required collateral. On Cashio, users have to post collateral in the form of liquidity pool (LP) tokens issued by Saber, a decentralized exchange built on Solana, kind of like the ecosystem’s Uniswap. One gets the LP tokens from Saber after locking USDT and/or USDC tokens.

Having exploited the infinite mint glitch, the attackers were able to mint about 2 billion CASH tokens without placing any collateral, blockchain data shows. Data from DeFiLlama further shows that the total value locked (TVL) on Cashio dropped by $28 million after the exploit, giving a rough estimate of the value of the exploit. TVL on the protocol currently stands at a mere $580,000.

The price of the native CASH stablecoin token took a massive blow following the attack. According to data from CoinGecko, the price dropped by 100 percent from $1 to $0.00005.

Samczsun, a research partner at crypto investment firm Paradigm, shed more light on the attack on Twitter, describing it as “another Solana fake account exploit.”

According to him, the protocol was structurally flawed from the beginning because it had no root of trust for the accounts it used. This allowed the attacker to forge a chain of fake accounts and exploit the protocol for millions of dollars.

He stated:

“This means that ultimately, all of this validation is meaningless because there’s no trusted root. The attacker just created fake accounts all the way down and then chained it all the way back up until they finally made a fake crate_collateral_tokens account.”
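
The missing root of trust described above, as a simplified model added here (it is not Cashio's code and not from samczsun): the account layout, keys and function names are hypothetical. It walks a chain of accounts that vouch for one another and shows that link-by-link checks accept a self-consistent chain unless its top is compared with a root the caller cannot choose.

```rust
use std::collections::HashMap;

// Simplified model (an assumption, not Cashio's code): every account names the
// account that vouches for it; an account with no parent claims to be the root.
struct Account { parent: Option<u32>, mint_limit: u64 }

// Key of the one root account the program itself created (constructed value).
const TRUSTED_ROOT: u32 = 1;

// Follow parent links upward from `leaf` and return the key at the top.
// Fails on a missing account or on a cycle (more hops than accounts exist).
fn chain_top(accounts: &HashMap<u32, Account>, leaf: u32) -> Result<u32, &'static str> {
    let mut key = leaf;
    for _ in 0..=accounts.len() {
        match accounts.get(&key).ok_or("unknown account")?.parent {
            Some(p) => key = p,
            None => return Ok(key),
        }
    }
    Err("cycle in account chain")
}

// Weak check: accepts any chain whose links resolve, wherever it ends.
fn authorize_links_only(accounts: &HashMap<u32, Account>, leaf: u32) -> Result<u64, &'static str> {
    chain_top(accounts, leaf)?;
    Ok(accounts[&leaf].mint_limit)
}

// Hardened check: the chain must also end at the root the caller cannot choose.
fn authorize_with_root(accounts: &HashMap<u32, Account>, leaf: u32) -> Result<u64, &'static str> {
    if chain_top(accounts, leaf)? != TRUSTED_ROOT {
        return Err("chain does not end at the trusted root");
    }
    Ok(accounts[&leaf].mint_limit)
}

// Constructed sample: 1 <- 2 <- 3 is rooted in TRUSTED_ROOT; 90 <- 91 <- 92 is a
// caller-supplied chain that is self-consistent but has its own "root".
fn sample_accounts() -> HashMap<u32, Account> {
    let rows = vec![(1, None, 0), (2, Some(1), 0), (3, Some(2), 100),
                    (90, None, 0), (91, Some(90), 0), (92, Some(91), 2_000_000_000)];
    rows.into_iter().map(|(k, parent, mint_limit)| (k, Account { parent, mint_limit })).collect()
}

fn main() {
    let accts = sample_accounts();
    for leaf in [3, 92] {
        println!("leaf {}: links-only={:?} with-root={:?}", leaf,
                 authorize_links_only(&accts, leaf), authorize_with_root(&accts, leaf));
    }
}
```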