Solana Cashio Hack Loots $52.8M: Investigations Reveal Surprising Facts

Key Insights:

Solanas Cashio hack drained $52.8 million from the protocol.

To prevent, protocols should be properly and thoroughly audited.

Hacker left a message to return funds for accounts below 100K and donate the rest to charity.

Cashio (CASH), a native stablecoin of Solana, recently lost millions after hackers exploited an “infinite mint glitch.” The attackers drained a staggering $52.8 million from the protocol, following which the CASH stablecoin collapsed from $1 to $0.00005, which left the entire decentralized finance (DeFi) ecosystem appalled.

Initially, it was reported that Cashios protocol exploited cryptos equaling about $28 million. According to a security researcher Samczsun, the project lost around $50 million (based on quick skimming).

With these estimates aside, crypto trading platform Bybit came up with a fresh investigation on the hack, discovering precisely $52.8 million of stolen funds.

“The exploited amount also far exceeded what most other publications reported. To elucidate, most publications who reported on this exploit seem to think that $28 million was drained from this hack,” the Bybit readings noted.

As a quick recap, CASH, the dollar-pegged stablecoin, is minted by depositing stable pair liquidity provider tokens (LP tokens), in this case, USDT and USDC pair in a 50:50 ratio on Solanas decentralized exchange – Saber.

What Actually Happened？ A to Z of the Hack

FXEmpire spoke to a team from Bybit comprising Derek Lim, head of crypto insights, Gabriel Foo, senior research analyst and Fathur Rahman, COO of SolanaFM, on the alarming exploit. Per their findings, the hacker first managed to mint “two billion CASH tokens” by using the perpetrators unknown tokens. But, how is this possible？

Furthermore, the hacker burnt part of the newly minted CASH tokens (2 billion) for the Saber USDT-USDC LP tokens. The hacker then swapped the LP pair tokens for $16.4 million USDC and $10.8 million USDT.

The Bybit investigations further found that the remaining CASH tokens were swapped out for $8.6 million UST and $17 million USDC through Saber. Finally, the hacker swapped $15.3 million in USDC and USDT after draining $52.8 million.

The hacker used the Jupiter liquidity aggregator on Solana to transfer the funds in 3 transactions to an Ethereum address through the Wormhole Bridge.

How To Prevent such Hacks？ Possible Solutions

This isnt the first time a DeFi protocol has been looted for millions; however, this is the first of its kind “infinite mint” glitch. Every time after an attack, HODLers are warned to keep their tokens safe.

To prevent such acts, the team suggested the protocols to ensure that they have been properly and thoroughly audited. He said that DApps should adopt certain Tradfi structures and those of the big tech companies. Talking to FXEmpire,

“In other words, a more stringent auditing process should be initiated.”

This can be achieved by mandatory tests on the devnet for internal checks, during the development phase of any DApps. Furthermore, once the team is ready to stage the product after all internal checks, audit companies and tech alfa groups must step in to clear any bugs, edge cases, etc.

When the beta version is ready, more experts should be brought in to do a final check before the apps roll-out. Team consisting Foo and Rahman added,