Skip to content Skip to sidebar Skip to footer

Cashio, a stablecoin backed by Solana, lost $28 million in an attack

An attack on the Solana-based decentralized Cashio App has resulted in a loss of approximately $50 million in cryptocurrencies for the network. 

In order to create CASH stablecoins, users may utilize the Cashio DeFi software, which runs on the Solana blockchain. 

All deposits on Cashio are guaranteed by interest-bearing tokens issued by liquidity providers on the platform. 

It is possible to mint cash by providing liquidity, such as USDT and USDC. Because of a flaw that the hacker exploited, they were able to create an endless supply of cash.

In what ways was the platform abused?

Samczsun, a Paradigm employee, explained the vulnerability that led to the attack. In order to mint fresh CASH tokens, users must deposit a certain amount of collateral that falls within the cross-margin invocation. 

There is software that checks to see whether two accounts are holding tokens of the same kind on their balances. Tokens on both accounts are instantly rejected if the software finds out that they are the same.

According to Samczsun’s explanation, the correct asset validation method should be used on the sender’s account. 

There was no validation, however, for the activities of minting the new tokens. So, because the main function isn’t verified by the software, all of the processes mentioned above are made moot and ineffective.

As soon as the threat actor found the flaw in the contract code, he or she built up a chain of fraudulent accounts before creating a real account in the target’s name. 

In his explanation, Samczsun said that Cashio’s programming had a weakness that prevented the system from establishing a root of trust for all of its users. 

Hackers are increasingly targetting on DeFi Platforms

Recently, two decentralized financial platforms, Agave and Hundred Finance were the victims of a cyberattack. The hacker was successful in stealing funds worth $11 million in wrapped ETH, wrapped BTC, wrapped XDAI, Chainlink, USDC, and Gnosis, all of which were wrapped in ETH.