Cashio is a stablecoin project on the Solana blockchain that has been hacked for more than $50 million, and investors may have lost much of their savings in the process. After the hack, the CASH stablecoin lost all of its value, leaving investors wondering about the next steps.
Cashio hack explained
The Cashio hack drained around $52.8 million, ranking it among the biggest crypto hacks of all time. The hack was revealed to be an infinite mint glitch, which the team did not properly explain, as seen in the tweet below. To understand what happened, we will take a deeper dive into the whole incident.
Please do not mint any CASH. There is an infinite mint glitch.
We are investigating the issue and we believe we have found the root cause. Please withdraw your funds from pools. We will publish a postmortem ASAP.
— Cashio ($CASH) 💵 (@CashioApp) March 23, 2022
Cashio is a stablecoin project that is backed by USDT-USDC LP tokens and was launched by a developer called 0xGhostChain. To mint CASH tokens, a user just has to provide liquidity via USDC or USDT. However, things went south when a hacker found a vulnerability. The vulnerability was described by an award-winning ethical blockchain hacker group called Halborn.
The Cashio hack was made possible by missing validation code. While the smart contract included numerous checks designed to validate collateral deposits, two essential ones were missing, enabling a $52 million hack and the destruction of the stablecoin’s peg to the USD.
Halborn pointed out that Cashio was unaudited, and that the vulnerability in the protocol would have been detected if it had been properly audited by major platforms.
Saber steps in
Saber is a DEX whose founders had also backed the Cashio stablecoin application. As per the official postmortem released by Saber Labs, the members of the Saber community “have been voting on CASH pools, causing more capital to be locked into there than if the Saber team weren’t as involved.” The postmortem report from Saber was released 4 days after the hack, and the community members who lost their money could not seek redemption, because the team did not have the money to pay users back.
We do not have the money to pay back depositors. If you are the hacker and are reading this, we hope you will consider returning the funds rather than donating them to charity: accounts with over $100k are often users’ life savings on leverage, and many of us will seriously be affected financially after this incident. We are willing to give $1M of USDC as a bounty if the funds are returned.
Saber’s VC speaks on the matter
ve-ian Macalinao, one of the founders of Saber Labs, who had backed Cashio, commented on this event. He revealed that he had misjudged the security features of the platform and that he would only promote platforms that have been audited from now onwards.
1/ This hack is a disaster, and it’s my fault for endorsing the project so heavily. I did not audit Cashio as closely as I should have, and I should have brought it a team of auditors to look at it before putting my funds in. https://t.co/YoxzhB9SLi
— ve-ian Macalinao 🐮 (@simplyianm) March 23, 2022
The co-founder also revealed that Saber will be auditing all the open-source projects that they have backed in the past. Moreover, he also revealed that Cashio will continue to be worked upon by the team and that “they will come back much stronger from this, and I have no doubt that they will again become a foundational piece of the Saber ecosystem.”
According to Twitter user @wireless_anon, the Cashio hacker confirmed that they will accept refund submissions. In response, @wireless_anon created an open-source website for victims of the hack to make generating and saving message signatures as easy as possible.
Here is the website link that affected users can visit: https://cashio-refund.vercel.app/
The @CashioApp hacker just announced that they will accept refund submissions
I've created an open-source website for victims of the https://t.co/BFJpzZJlGU hack to make generating and saving message signatures as easy as possible.
— wireless anon (@wireless_anon) March 28, 2022
The hackers also released a message regarding the refund process. As per their message, refunds will only be provided to those who held CASH directly, Saber CASH/USDC LP, or Saber CASH/UST LP.
The intention was only to take money from those who do not need it, not from those who do. will be using the eth gains to return more funds to those affected, even some accounts more than 100k. will not return funds to accounts that already receive refund.