NewsDeFi

Solana Stablecoin Project Cashio Plummets to Zero After Multi-Million Dollar Hack

Cashio, a Solana-based stablecoin project, has been looted for millions after attackers leveraged an “infinite mint glitch.”

2 min read
Some of these attacks demonstrated the growing skills of hackers. Image: Shutterstock

The price of Cashio's dollar-pegged stablecoin CASH has fallen from $1 to $0.00005 after an "infinite mint glitch" enabled attackers to mint tokens without providing collateral.

Cashio developer 0xGhostChain took to Twitter to warn people "not to mint any CASH," adding that the team "are investigating the issue and we believe we have found the root cause. Please withdraw your funds from pools. We will publish a postmortem ASAP."

According to DeFiLlama, roughly $28 million of value has been drained from Cashio's protocol due to the exploit. Still, Samczsun, a research partner at Web3 investment firm Paradigm, shared a bleaker picture on Twitter today. 

The researcher wrote: "Another day, another Solana fake account exploit. This time, Cashio App lost around $50M (based on a quick skim). How did this happen?"

The project has not responded to Decrypt to confirm the scale of the attack.

Cashio Dollar is a Solana-native stablecoin launched in November 2021. 

Typically, anyone can mint CASH by first depositing Saber USDT-USDC liquidity provider (LP) tokens. 

Saber is a decentralized exchange on Solana, akin to Uniswap. Whenever users deposit tokens into liquidity pools on Saber, they receive LP tokens representing a token of their deposit.

Cashio hack not without precedent

This isn't the first time a DeFi protocol has been looted for millions through an "infinite mint" glitch. 

In December 2020, a group of DeFi developers used a similar exploit on the DeFi insurance project Cover and minted fake tokens to provide liquidity to Balancer

The attackers then redeemed the staked tokens for COVER tokens, which were then sold on exchanges repeatedly. 

The total damage for the attack was $3 million, which was allegedly sent back in full, along with a note attached to the transaction: "Next time, take care of your own shit."

Last summer, attackers ran the price of SafeDollar's eponymous dollar-pegged stablecoin to zero after looting about $250,000 worth of stablecoins from the platform's liquidity pools, then fenced the stolen coins on PolyDex.

Stay on top of crypto news, get daily updates in your inbox.