A decentralized finance (defi) protocol called Cashio was attacked by an “infinite glitch” exploit around 9:00 a.m. (UTC), the team said on Wednesday. Following the hack, statistics show the protocol’s total value locked (TVL) dropped from over $28 million to $579,701 and the project’s stablecoin shuddered from $1 per token to zero.
Cashio App Exploited With an Infinite Mint Glitch, Project’s Ecosystem Shudders
The Solana-based decentralized money project called Cashio App has been attacked by an “infinite glitch” exploit the development team detailed on Wednesday. “Please do not mint any CASH,” the team’s Twitter account wrote. “There is an infinite mint glitch. We are investigating the issue and we believe we have found the root cause. Please withdraw your funds from pools. We will publish a post mortem ASAP.” The Cashio team further asked people to “retweet for visibility.” An unofficial post mortem was written by Samczsun, a research partner from Paradigm. “Another day, another Solana fake account exploit,” Samczsun tweeted. “This time, [Cashio App] lost around $50M (based on a quick skim). How did this happen? In order to mint new CASH, you need to deposit some collateral,” the researcher remarked. “This cross-program invocation (CPI) will transfer tokens from your account to the protocol’s account, but only if the two accounts hold the same type of token,” the research partner from Paradigm continued. “Otherwise, the token program will reject the transfer. Here, the protocol validates that the crate_collateral_tokens account hold the right type of token by comparing it with the collateral account. It also verifies the collateral account shares the same token type as the saber_swap.arrow account.” Samczsun’s post mortem further notes:Unfortunately, the mint field on the arrow account is never validated.
+ There are no comments
Add yours