27.8 C
New York

Stablecoin Cashio on Solana exploited for $28 million in ‘infinite mint glitch’


A stablecoin on the Solana blockchain has been exploited for around $28 million and lost practically all of its value.

Cashio Dollar (CASH) is an algorithmic stablecoin that was launched by a developer called 0xGhostChain in November 2021. Anyone can mint tokens by depositing liquidity tokens for the two stablecoins UDST and USDC from the Saber platform. They can redeem the stablecoin for the underlying liquidity tokens.

The exploit happened shortly after 9:00 AM UTC. According to data tracking site DeFi Llama, the total value locked within the protocol fell from $28.87 million to $569,000. At the same time, the price of the stablecoin dropped from $1 to practically zero, per data tracking site CoinGecko.

Stablecoin Cashio on Solana exploited for $28 million in ‘infinite mint glitch’ Blockchain PlatoBlockchain Data Intelligence | Vertical Search AI
Cashio’s total value locked fell by $28 million today. Image: DeFi Llama.

“Please do not mint any CASH. There is an infinite mint glitch. We are investigating the issue and we believe we have found the root cause. Please withdraw your funds from pools. We will publish a postmortem ASAP,” tweeted 0xGhostChain today.

An infinite mint glitch is where a protocol is mistakenly designed in such a way that allows a user to mint as many tokens as they would like, typically without providing any collateral that might otherwise be needed. Once someone can mint infinite tokens, they can sell them on the market, crushing a token’s price.

Paradigm researcher Samczsun tweeted that the hacker may have gleaned as much as $50 million from the exploit. Since they were able to mint tokens, they were able to sell them on decentralized exchanges and take all the liquidity there — as well as redeem the tokens for the underlying collateral (represented by the total value locked).

On the flip side, they appear to be returning a sizeable amount of the funds. As crypto trader Ceteris noted on Twitter, they have been returning some of the funds to liquidity providers. A message on the blockchain sent from the hacker’s address said, “Account with less than 100k have been returned. all other money will be donated to charity.” But this may only be for some of the pools.

This story has been updated with further details.

© 2022 The Block Crypto, Inc. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

Related articles


Recent articles