Solana Cashio Hack Loots $52.8M: Investigations Reveal Surprising Facts

Key Insights:

• Solana’s Cashio hack drained $52.8 million from the protocol.
• To prevent, protocols should be properly and thoroughly audited.
• Hacker left a message to return funds for accounts below 100K and donate the rest to charity.

Cashio (CASH), a native stablecoin of Solana, recently lost millions after hackers exploited an “infinite mint glitch.” The attackers drained a staggering $52.8 million from the protocol, following which the CASH stablecoin collapsed from $1 to $0.00005, which left the entire decentralized finance (DeFi) ecosystem appalled.

Initially, it was reported that Cashio’s protocol exploited cryptos equaling about $28 million. According to a security researcher Samczsun, the project lost around $50 million (based on quick skimming).

Another day, another Solana fake account exploit. This time, @CashioApp lost around $50M (based on a quick skim). How did this happen? pic.twitter.com/t7ThWL4zr1

— samczsun (@samczsun) March 23, 2022

With these estimates aside, crypto trading platform Bybit came up with a fresh investigation on the hack, discovering precisely $52.8 million of stolen funds.

“The exploited amount also far exceeded what most other publications reported. To elucidate, most publications who reported on this exploit seem to think that $28 million was drained from this hack,” the Bybit readings noted.

As a quick recap, CASH, the dollar-pegged stablecoin, is minted by depositing stable pair liquidity provider tokens (LP tokens), in this case, USDT and USDC pair in a 50:50 ratio on Solana’s decentralized exchange – Saber.

What Actually Happened? A to Z of the Hack

FXEmpire spoke to a team from Bybit comprising Derek Lim, head of crypto insights, Gabriel Foo, senior research analyst and Fathur Rahman, COO of SolanaFM, on the alarming exploit. Per their findings, the hacker first managed to mint “two billion CASH tokens” by using the perpetrator’s unknown tokens. But, how is this possible?

This was due to a flaw in Cashio’s codebase, says Lim. He added,

“Unfortunately, Cashio failed to put in place a root of trust for the accounts that it used. This rendered the validation process useless and enabled the hacker to forge a chain of fake accounts in order to mint the whopping 2 billion CASH token that he did.”

Furthermore, the hacker burnt part of the newly minted CASH tokens (2 billion) for the Saber USDT-USDC LP tokens. The hacker then swapped the LP pair tokens for $16.4 million USDC and $10.8 million USDT.

The Bybit investigations further found that the remaining CASH tokens were swapped out for $8.6 million UST and $17 million USDC through Saber. Finally, the hacker swapped $15.3 million in USDC and USDT after draining $52.8 million.

The hacker used the Jupiter liquidity aggregator on Solana to transfer the funds in 3 transactions to an Ethereum address through the Wormhole Bridge.

How To Prevent such Hacks? Possible Solutions

This isn’t the first time a DeFi protocol has been looted for millions; however, this is the first of its kind “infinite mint” glitch. Every time after an attack, HODLers are warned to keep their tokens safe.

To prevent such acts, the team suggested the protocols to ensure that they have been properly and thoroughly audited. He said that DApps should adopt certain Tradfi structures and those of the big tech companies. Talking to FXEmpire,

“In other words, a more stringent auditing process should be initiated.”

This can be achieved by mandatory tests on the devnet for internal checks, during the development phase of any DApps. Furthermore, once the team is ready to stage the product after all internal checks, audit companies and tech alfa groups must step in to clear any bugs, edge cases, etc.

When the beta version is ready, more experts should be brought in to do a final check before the app’s roll-out. Team consisting Foo and Rahman added,

“It is important that the teams, auditors, and alfa groups keep themselves only to the highest of standards and integrity – this is the part that we can never fully control and will always be an unknown variable to some extent.”

On the other hand, users can look into other vectors that are rather user-level and not targeted at the protocol. To prevent such attacks from the user side, the research team says,

“Educate comprehensively with regard to the workings of this space. there is no way around this.”

What was more interesting in Bybit’s findings was a hidden message embedded by the hacker in a particular transaction that has made the DeFi community rename the hacker as modern-day “Robin Hood.” The hacker wrote in a transaction,

“Account with less than 100K have been returned. All other money will be donated to charity.”

However, the hacker has kept up to the word on returning funds. Per the report, Lim and Bybit’s crypto insights team noted, 

“We have a whopping 10 pages worth of screenshotted transaction records detailing him sending out USDC to accounts with less than $100k (per his promise).”

It is still unknown if the “donations to charity” could imply funding Ukraine in the war against Russia, given the enormous amount of crypto donations pouring into Ukraine’s exchanges and wallets.

Also, one cannot blindly believe the hackers, and there is no guarantee that the hacker “would follow through with his proclamation.” When asked if this could anyway be related to the Ukraine-Russia war, Lim and his team said,

“Different hackers hack for very different reasons, and not every reason can be rationalized in ways that are logical to us.”