Key Takeaways
- The Solana stablecoin protocol cashio suffered an “infinite mint glitch” exploit.
- A hacker drained millions of dollars from the protocol and its CASH stablecoin collapsed.
- Crypto Briefing has found several pieces of evidence that suggest the attacker has previously operated under the pseudonym Ariusuha to execute multiple rug pulls in the NFT space.
The Solana stablecoin protocol cashio has suffered an exploit leading to a complete collapse of its flagship stablecoin, CASH.
cashio Hacked for Millions
cashio, a stablecoin protocol on Solana, has suffered a major exploit.
Please do not mint any CASH. There is an infinite mint glitch.
We are investigating the issue and we believe we have found the root cause. Please withdraw your funds from pools. We will publish a postmortem ASAP.
— Cashio ($CASH) 💵 (@CashioApp) March 23, 2022
The cashio team announced the incident on Twitter early Wednesday. “Please do not mint any CASH,” the team wrote. “There is an infinite glitch.” It also said it was investigating the issue and had found the likely root cause.
cashio is a Solana-based DeFi application that lets users mint CASH stablecoins. On cashio, all deposits are backed by interest-bearing liquidity provider tokens. For example, someone can provide liquidity with USDT and USDC to mint CASH. In this incident, the hacker found a vulnerability that allowed them to mint an infinite supply of CASH without sufficient backing.
According to data from Solscan, the attacker minted two billion CASH stablecoins and then swapped them for other paired assets (mostly other stablecoins) via the decentralized exchange Saber. Per Defi Llama data, the hacker drained about $28 million worth of liquidity from the exchange. Saber posted an update announcing that it had paused its CASH liquidity pools following the incident.
As a result of the exploit, CASH, whose value is supposed to be pegged to the U.S. dollar, has completely collapsed.
While the precise extent of the damage from the attack is still officially unknown, the renowned crypto security researcher known as samczsun on Twitter said that the losses amounted to about $50 million based on their “quick skim” of the on-chain data.
Update: Upon further investigation, Crypto Briefing has found that the person behind the cashio attack could be linked to multiple NFT-related rug pulls, including those of the ill-fated Balloonsville, Doodle Dragonz, and Fine Folk projects. The trail of evidence suggests that the person behind the cashio exploit is a 16-year-old male who used the pseudonym Ariusuha on Twitter and Discord before deleting his accounts.
On-chain data shows that the hacker’s address, commencing 6D7f, was initially funded from another address commencing sWZs. A member of the Solana NFT community known as suavae has previously linked the sWZs address to several wallets directly connected to the…
Read More: cryptobriefing.com