By Tim Hakki
The price of Cashio's dollar-pegged stablecoin CASH has fallen from $1 to $0.00005 after an "infinite mint glitch" enabled attackers to mint tokens without providing collateral.
Cashio developer 0xGhostChain took to Twitter to warn people "not to mint any CASH," adding that the team "are investigating the issue and we believe we have found the root cause. Please withdraw your funds from pools. We will publish a postmortem ASAP."
According to DeFiLlama, roughly $28 million of value has been drained from Cashio's protocol due to the exploit. Still, Samczsun, a research partner at Web3 investment firm Paradigm, shared a bleaker picture on Twitter today.
The researcher wrote: "Another day, another Solana fake account exploit. This time, Cashio App lost around $50M (based on a quick skim). How did this happen?"
The project has not responded to Decrypt to confirm the scale of the attack.
Cashio Dollar is a Solana-native stablecoin launched in November 2021.
Typically, anyone can mint CASH by first depositing Saber USDT-USDC liquidity provider (LP) tokens.
Saber is a decentralized exchange on Solana, akin to Uniswap. Whenever users deposit tokens into liquidity pools on Saber, they receive LP tokens representing their deposit.
This isn't the first time a DeFi protocol has been looted for millions through an "infinite mint" glitch.
In December 2020, a group of DeFi developers used a similar exploit on the DeFi insurance project Cover and minted fake tokens to provide liquidity to Balancer.
The attackers then redeemed the staked tokens for COVER tokens, which were then sold on exchanges repeatedly.
The total damage from the attack was $3 million, which was allegedly sent back in full, along with a note attached to the transaction: "Next time, take care of your own shit."
Last summer, attackers ran the price of SafeDollar's eponymous dollar-pegged stablecoin to zero after looting about $250,000 worth of stablecoins from the platform's liquidity pools, then fenced the stolen coins on PolyDex.