ID: cashio-22
Date: March 23, 2022
Status: Verified
Incident Count: 1
Contributor: zerofriction.io
KYC By / KYC: No
Audit By / Audits: Audits.finance Inc
Loss Amount: 50,000,000
Currency: USD
Recovered: -
Rewards: -

Key Indicators
Platform: Solana
Type: Stablecoin
Category: Assets
Method: Contract Vulnerabilities
Extended Method: Lack of input validation
Data Sources: (linked sources not recoverable from this page)
Days in Operation: 317 (0.87 Years)

Cashio, a Solana-based stablecoin project, was drained of roughly $50 million after an attacker exploited an infinite-mint bug. The protocol never established a root of trust for the accounts it used, so the attacker could forge a chain of fake accounts that passed every validation check. Samczsun published a walkthrough of the exploit.

The attacker left a note in the input data of their Ethereum transactions reading: "Account with less 100k have been returned. all other money will be donated to charity."

To mint new CASH, you must deposit collateral. The deposit is a cross-program invocation (CPI) that transfers tokens from your account to the protocol's account, and the token program only completes the transfer if both accounts hold the same type of token; otherwise it rejects the transfer.
https://twitter.com/samczsun/status/1506578904764583940/photo/1

Here, the protocol validates that the crate_collateral_tokens account holds the right type of token by comparing it with the collateral account. It also verifies that the collateral account shares the same token type as the saber_swap.arrow account.
https://twitter.com/samczsun/status/1506578906534404101/photo/1

Unfortunately, the mint field on the arrow account itself is never validated.
https://twitter.com/samczsun/status/1506578908207935492/photo/1

This means all of that validation is ultimately meaningless because there is no trusted root: each check only compares one caller-supplied account against another. The attacker simply created fake accounts all the way down, then chained them back up until they had a fake crate_collateral_tokens account that passed every check.
https://twitter.com/samczsun/status/1506578909478875136/photo/1
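The failure pattern described above, as an added illustration in plain Rust (this is not Cashio's or Samczsun's code, and it does not use the Solana or Anchor SDKs). It models the three caller-supplied accounts with the names the thread uses (crate_collateral_tokens, collateral, arrow) and compares two validators: one that only checks the accounts against each other, and one that additionally anchors the chain to a collateral mint the program itself records. The account structs, the mint identifiers and the "trusted config" value are all constructed for the example.

```rust
// Simplified model of account-chain validation in a mint instruction.
// Constructed example; not the real Cashio program or its account layouts.

/// Stand-in for a Solana public key (constructed; real keys are 32 bytes).
type Pubkey = &'static str;

/// Minimal SPL-style token account: it holds tokens of exactly one `mint`.
#[derive(Clone, Debug)]
struct TokenAccount {
    mint: Pubkey,
}

/// Minimal "arrow"-style wrapper account that names the mint it wraps.
#[derive(Clone, Debug)]
struct ArrowAccount {
    mint: Pubkey,
}

/// The accounts a caller passes to the mint instruction (hypothetical struct).
#[derive(Clone, Debug)]
struct MintCashAccounts {
    crate_collateral_tokens: TokenAccount,
    collateral: TokenAccount,
    arrow: ArrowAccount,
}

/// Mint the protocol actually accepts as collateral. In a real program this
/// would live in program-owned state or a PDA, never in caller-supplied data.
const TRUSTED_COLLATERAL_MINT: Pubkey = "constructed-real-lp-mint";

/// Vulnerable pattern: every constraint compares two caller-supplied accounts
/// to each other. The chain is internally consistent, but nothing ties it to
/// a value the program controls, so a fully forged chain passes.
fn validate_chain_only(a: &MintCashAccounts) -> Result<(), &'static str> {
    if a.crate_collateral_tokens.mint != a.collateral.mint {
        return Err("crate_collateral_tokens.mint != collateral.mint");
    }
    if a.collateral.mint != a.arrow.mint {
        return Err("collateral.mint != arrow.mint");
    }
    Ok(())
}

/// Hardened pattern: keep the pairwise checks, then terminate the chain at a
/// root of trust the caller cannot influence (the program's recorded mint).
fn validate_with_root(
    a: &MintCashAccounts,
    trusted_collateral_mint: Pubkey,
) -> Result<(), &'static str> {
    validate_chain_only(a)?;
    if a.arrow.mint != trusted_collateral_mint {
        return Err("arrow.mint is not the protocol's configured collateral mint");
    }
    Ok(())
}

/// Constructed honest input: every account refers to the real collateral mint.
fn honest_accounts() -> MintCashAccounts {
    MintCashAccounts {
        crate_collateral_tokens: TokenAccount { mint: TRUSTED_COLLATERAL_MINT },
        collateral: TokenAccount { mint: TRUSTED_COLLATERAL_MINT },
        arrow: ArrowAccount { mint: TRUSTED_COLLATERAL_MINT },
    }
}

/// Constructed forged input: a self-consistent chain built around a worthless
/// mint. It satisfies every pairwise equality but has no link to real collateral.
fn forged_accounts() -> MintCashAccounts {
    let worthless: Pubkey = "constructed-attacker-controlled-mint";
    MintCashAccounts {
        crate_collateral_tokens: TokenAccount { mint: worthless },
        collateral: TokenAccount { mint: worthless },
        arrow: ArrowAccount { mint: worthless },
    }
}

fn main() {
    for (label, accounts) in [("honest", honest_accounts()), ("forged", forged_accounts())] {
        println!(
            "{label}: chain-only = {:?}, with-root = {:?}",
            validate_chain_only(&accounts),
            validate_with_root(&accounts, TRUSTED_COLLATERAL_MINT)
        );
    }
}
```

The point the model makes is that equality between caller-supplied accounts is not evidence on its own; at least one link in the chain has to be compared against state the program owns (a configured mint, a PDA derived from program-controlled seeds, or an account whose owner is the program). A real Solana program would also verify account owners and PDA derivations, which this simplified model leaves out.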


DISCLAIMER: While web3rekt has used its best efforts in aggregating and maintaining this database, this web site makes no representations or warranties with respect to the accuracy or completeness of the information and data herein, and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose.

Under no circumstances, shall web3rekt be liable for any loss of profit or funds, any regulatory or governmental penalties, any legal costs, or any other commercial and non-commercial damages, including but not limited to special, incidental, consequential, or other damages from any or all usage of the data and information derived from this database.