Cashio Hack — March 23, 2022
On March 23, 2022, the Solana-based stablecoin protocol Cashio fell victim to a sophisticated attack that exploited an infinite mint vulnerability in its smart contract. The attack began at 08:15 UTC, with Cashio issuing a warning at 09:59 UTC. The attacker stole over $52 million in tokens.
Technical Vulnerability
The contract checked that token types matched that of the saber_swap.arrow account; however, it did not validate the mint field within this account, which allowed the attacker to create a fake saber_swap.arrow account and deposit worthless collateral. Because Cashio did not have a root of trust for the accounts it used, the hacker was able to forge a chain of fake accounts to mint 2 billion CASH tokens.
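The missing root of trust, shown as an added example that is not Cashio's code and does not use the Solana SDK: a simplified model in which the weak check compares a deposit only against the caller-supplied arrow account, and the hardened check first ties arrow.mint to a value the protocol stored itself. The names Key, Bank, Deposit, accepted_arrow_mint and the sample values are assumptions made for illustration.

```rust
// Added illustration: a simplified model, not Cashio's code and not the Solana SDK.
type Key = u64; // stand-in for a 32-byte account address (assumption)

struct Arrow { mint: Key }                        // models saber_swap.arrow and its mint field
struct Deposit { token_mint: Key, arrow: Arrow }  // every field here is caller-supplied
struct Bank { accepted_arrow_mint: Key }          // hypothetical root of trust stored by the protocol

#[derive(Debug, PartialEq)]
enum Reject { TokenTypeMismatch, UntrustedArrowMint }

// The check as the page describes it: the deposit is compared only against the
// caller-supplied arrow account, so any self-consistent set of accounts passes.
fn validate_unrooted(d: &Deposit) -> Result<(), Reject> {
    if d.token_mint != d.arrow.mint {
        return Err(Reject::TokenTypeMismatch);
    }
    Ok(())
}

// Hardened form: arrow.mint must first match a value the protocol recorded itself,
// which anchors the rest of the comparison to state the caller cannot supply.
fn validate_rooted(bank: &Bank, d: &Deposit) -> Result<(), Reject> {
    if d.arrow.mint != bank.accepted_arrow_mint {
        return Err(Reject::UntrustedArrowMint);
    }
    validate_unrooted(d)
}

// Constructed sample data: a genuine deposit and a forged but self-consistent one.
fn samples() -> (Bank, Deposit, Deposit) {
    let bank = Bank { accepted_arrow_mint: 0xA11CE };
    let genuine = Deposit { token_mint: 0xA11CE, arrow: Arrow { mint: 0xA11CE } };
    let forged = Deposit { token_mint: 0xBAD, arrow: Arrow { mint: 0xBAD } };
    (bank, genuine, forged)
}

fn main() {
    let (bank, genuine, forged) = samples();
    println!("unrooted: genuine={:?} forged={:?}", validate_unrooted(&genuine), validate_unrooted(&forged));
    println!("rooted:   genuine={:?} forged={:?}", validate_rooted(&bank, &genuine), validate_rooted(&bank, &forged));
}
```

The forged deposit passes the unrooted check because every value it is compared with came from the same caller; only the comparison against protocol-held state rejects it.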
Impact
• The CASH stablecoin price plunged to ~$0.00005.
• Cashio's TVL dropped from $28.81M to $579,283.
• Over $52M in tokens stolen.
Notes
• Cashio was an unaudited project.
• An unofficial post-mortem was written by samczsun (Paradigm).