Solana Exploit: $50 Million Stolen from Infinite Stablecoin Minting Glitch

Andrew Throuvalas Mar 23, 2022 18:30
The Cashio team encourages users to stop minting their stablecoin after the exploit, and will soon publish a post-mortem. 

About $50 million has been drained from a Solana-native stablecoin protocol, Cashio, through a ‘fake account’ exploit. The flaw allowed the attacker to mint an unlimited amount of CASH, the protocol’s stablecoin, which the team behind it has confirmed.

  • As explained by samczsun of Paradigm on Twitter, CashioApp requires users to deposit collateral in order to mint more CASH, its stablecoin token.
  • The deposit is made through a cross-program invocation (CPI) into the token program, which moves tokens from the user’s account into the protocol’s collateral account. The token program only checks that both accounts belong to the same mint (token type); if they differ, it rejects the transfer. It does not check whether that mint is one the protocol actually trusts.
  • “The protocol validates that the crate_collateral_tokens account holds the right type of token by comparing it with the collateral account,” he states. “It also verifies the collateral account shares the same token type as the saber_swap.arrow account.”
  • However, he also identified that the mint field of the “arrow” account is never validated against anything the protocol controls. According to samczsun, this rendered all of the aforementioned validation meaningless: each account was only checked for consistency with its neighbour, so the attacker could create a worthless mint and supply a fake account of that mint for every step of the chain.
  • “Because Cashio didn’t establish a root of trust for all of the accounts it used, an attacker was able to steal approximately $50M by forging a chain of fake accounts,” he summarized.
  • Cashio acknowledged the issue as well, urging users not to mint any CASH as there was now an “infinite mint glitch”. They said they would soon publish a post-mortem, but it has yet to be posted.
  • Last month, an Ethereum-to-Solana bridge was also hacked for $320 million worth of wrapped ETH.
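The validation chain described in the points above, as an added example that is not Cashio’s code and does not use the Solana SDK: a plain-Rust model in which accounts carry only a mint field, the token program’s transfer CPI is reduced to a mint-equality check, and the protocol’s checks are shown in the pairwise form samczsun describes beside a hardened form that anchors the chain to a trusted mint. The account names follow his description; the trusted mint constant, the helper names and the sample requests are assumptions for illustration.

```rust
// Added example: a minimal model of the Cashio account-validation chain.
// Not Cashio's code and not the Solana SDK; account names follow samczsun's
// description, everything else (mint names, helpers) is assumed.

/// A token account as the token program sees it: it belongs to exactly one mint.
#[derive(Debug, Clone, PartialEq, Eq)]
struct TokenAccount {
    mint: String,
    amount: u64,
}

/// The saber_swap.arrow account; only the mint field matters here.
#[derive(Debug, Clone)]
struct ArrowAccount {
    mint: String,
}

/// Everything the mint instruction receives from the caller.
struct MintRequest {
    user_source: TokenAccount,        // the caller's deposit account
    crate_collateral_tokens: TokenAccount,
    collateral: TokenAccount,
    arrow: ArrowAccount,
    deposit: u64,
}

/// Hypothetical root of trust: the one LP mint the protocol accepts as collateral.
const TRUSTED_COLLATERAL_MINT: &str = "SaberLP";

/// Model of the token program's transfer CPI: it only requires both accounts to
/// share a mint. Whether that mint is worth anything is not its concern.
fn token_transfer(from: &TokenAccount, to: &TokenAccount, amount: u64) -> Result<(), &'static str> {
    if from.mint != to.mint {
        return Err("token program: mint mismatch");
    }
    if from.amount < amount {
        return Err("token program: insufficient funds");
    }
    Ok(())
}

/// The checks as described: each account is compared with its neighbour, but
/// nothing ties the chain to a mint the protocol itself trusts.
fn validate_vulnerable(req: &MintRequest) -> Result<(), &'static str> {
    if req.crate_collateral_tokens.mint != req.collateral.mint {
        return Err("crate_collateral_tokens and collateral mints differ");
    }
    if req.collateral.mint != req.arrow.mint {
        return Err("collateral and arrow mints differ");
    }
    Ok(())
}

/// Hardened form: the same chain plus a root of trust at its end. Once the arrow
/// account's mint is pinned, every account compared against it is pinned too.
fn validate_hardened(req: &MintRequest) -> Result<(), &'static str> {
    validate_vulnerable(req)?;
    if req.arrow.mint != TRUSTED_COLLATERAL_MINT {
        return Err("arrow account mint is not the trusted collateral mint");
    }
    Ok(())
}

/// Mint CASH 1:1 against the deposit after validation and the collateral transfer.
fn mint_cash(
    req: &MintRequest,
    validate: fn(&MintRequest) -> Result<(), &'static str>,
) -> Result<u64, &'static str> {
    validate(req)?;
    token_transfer(&req.user_source, &req.crate_collateral_tokens, req.deposit)?;
    Ok(req.deposit)
}

fn account(mint: &str, amount: u64) -> TokenAccount {
    TokenAccount { mint: mint.to_string(), amount }
}

/// An honest request: every account is on the real LP mint (constructed sample).
fn honest_request(deposit: u64) -> MintRequest {
    MintRequest {
        user_source: account(TRUSTED_COLLATERAL_MINT, deposit),
        crate_collateral_tokens: account(TRUSTED_COLLATERAL_MINT, 0),
        collateral: account(TRUSTED_COLLATERAL_MINT, 0),
        arrow: ArrowAccount { mint: TRUSTED_COLLATERAL_MINT.to_string() },
        deposit,
    }
}

/// The forged chain (constructed sample): the attacker creates a worthless mint
/// and one account of it for every slot the program reads, so each pairwise
/// comparison, and the token program's own mint check, succeeds.
fn forged_request(deposit: u64) -> MintRequest {
    let fake = "AttackerMint";
    MintRequest {
        user_source: account(fake, deposit),
        crate_collateral_tokens: account(fake, 0),
        collateral: account(fake, 0),
        arrow: ArrowAccount { mint: fake.to_string() },
        deposit,
    }
}

fn main() {
    let forged = forged_request(50_000_000);
    println!("vulnerable: {:?}", mint_cash(&forged, validate_vulnerable));
    println!("hardened:   {:?}", mint_cash(&forged, validate_hardened));
}
```

The point the model makes is that pairwise consistency checks are only as good as their anchor: with no trusted account in the chain, the attacker controls every side of every comparison. In a real Solana program the anchor would be the program’s own state (a stored mint or a PDA derived from it), not a hard-coded constant as here.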
Andrew Throuvalas

Andrew is a content writer with a passion for Bitcoin. He became familiar with Bitcoin back in 2013, but began diligently studying the blockchain technology and its economic implications in 2017. Ever since, he has believed in the network’s power to replace the current global monetary system and provide financial freedom to billions worldwide.