Here’s how Solana’s stablecoin project Cashio lost its value to a major hack

28 Mar 2022 : 12:57
  • Cashio, a stablecoin platform on Solana, has been hacked for $52.8 million
  • Saber Labs, who backed the protocol, revealed that they won't be able to refund investors
  • Cashio was unaudited, and missing validation code caused the hack

Cashio is a stablecoin project on the Solana blockchain that has been hacked for more than $50 million, and investors may have lost much of their savings in the process. After the hack, the CASH stablecoin lost all of its value, leaving investors wondering about the next steps.

Cashio hack explained

The Cashio hack drained around $52.8 million, ranking it among the biggest crypto hacks of all time. The team described the hack as an infinite mint glitch but did not explain it properly. To understand what happened, we will take a deeper dive into the whole incident.

Cashio is a stablecoin project that is backed by USDT-USDC LP tokens and was launched by a developer called 0xGhostChain. To mint CASH tokens, a user just has to provide liquidity via USDC or USDT. However, things went south when a hacker found a vulnerability, which was described by Halborn, an award-winning ethical blockchain hacker group.

The Cashio hack was made possible by missing validation code. While the smart contract included numerous checks designed to validate collateral deposits, two essential ones were missing, enabling a $52 million hack and the destruction of the stablecoin’s peg to the USD.

Halborn pointed out that Cashio was unaudited, and that the vulnerability in its protocol would have been detected had it been properly audited by major platforms.

Saber steps in

Saber is a DEX whose founders had also backed the Cashio stablecoin application. As per the official postmortem released by Saber Labs, the members of the Saber community “have been voting on CASH pools, causing more capital to be locked into there than if the Saber team weren’t as involved.” The postmortem report from Saber was released 4 days after the hack, and the community members who lost their money could not be reimbursed because Saber did not have the money to pay users back.

We do not have the money to pay back depositors. If you are the hacker and are reading this, we hope you will consider returning the funds rather than donating them to charity: accounts with over $100k are often users’ life savings on leverage, and many of us will seriously be affected financially after this incident. We are willing to give $1M of USDC as a bounty if the funds are returned. 

Saber’s VC speaks on the matter

ve-ian Macalinao, one of the founders of Saber Labs who backed Cashio, commented on this event. He revealed that he had misjudged the security features of the platform and that from now on he would only promote platforms that have been audited.

The co-founder also revealed that Saber will be auditing all the open-source projects that they have backed in the past. Moreover, he also revealed that Cashio will continue to be worked upon by the team and that “they will come back much stronger from this, and I have no doubt that they will again become a foundational piece of the Saber ecosystem.”

Update

According to Twitter user @wireless_anon, the Cashio hacker confirmed that they will accept refund submissions. As a result, @wireless_anon created an open-source website for victims of the hack to make generating and saving message signatures as easy as possible.

Here is the website link that affected users can visit: https://cashio-refund.vercel.app/

The hackers also released a message regarding the refund process. As per their message, refunds will only be provided to those who held CASH directly, saber cash/usdc LP, or saber cash/ust LP.

The intention was only to take money from those who do not need it, not from those who do. will be using the eth gains to return more funds to those affected, even some accounts more than 100k. will not return funds to accounts that already receive refund.


About Author

Parth

A writer, an author, a freelancer with writings in over 50+ niches, an editor, a proofreader, a music enthusiast, a YouTuber, a podcaster, and someone, who puts consistent efforts each day to make sure his creativity is noticed. What's more? He loves cryptocurrencies.
