- Assurance
  Smart Contract Assessment
  Securing code integrity, protecting digital assets
  Smart Contract Assessment
  Securing code integrity, protecting digital assets
  Blockchain Layer 1 Assessment
  Assessing protocols, securing blockchain foundations
  Blockchain Layer 1 Assessment
  Assessing protocols, securing blockchain foundations
  Code Security Audit
  Uncovering flaws, strengthening software integrity
  Code Security Audit
  Uncovering flaws, strengthening software integrity
  Web Application Penetration Testing
  Exposing weaknesses, fortifying digital defenses
  Web Application Penetration Testing
  Exposing weaknesses, fortifying digital defenses
  Cloud Infrastructure Penetration Testing
  Securing configurations, protecting critical environments
  Cloud Infrastructure Penetration Testing
  Securing configurations, protecting critical environments
  Red Team Exercise
  Simulating real-world attacks, strengthening defenses
  Red Team Exercise
  Simulating real-world attacks, strengthening defenses
  AI Red Teaming
  Testing AI systems against real threats
  AI Red Teaming
  Testing AI systems against real threats
  AI Security Assessment
  Securing AI models, data, and pipelines
  AI Security Assessment
  Securing AI models, data, and pipelines
- Advisory
  AI Advisory
  Guiding secure, strategic AI adoption forward
  AI Advisory
  Guiding secure, strategic AI adoption forward
  Risk Assessment
  From unknown threats to actionable insights
  Risk Assessment
  From unknown threats to actionable insights
  Blockchain Architecture Assessment
  Optimizing architecture for tomorrow’s networks
  Blockchain Architecture Assessment
  Optimizing architecture for tomorrow’s networks
  Compliance Readiness
  Stay ready as regulations evolve
  Compliance Readiness
  Stay ready as regulations evolve
  Custody and Key Management Assessment
  Securing the heart of digital custody
  Custody and Key Management Assessment
  Securing the heart of digital custody
  Technical Due Diligence
  See the risks before you invest
  Technical Due Diligence
  See the risks before you invest
  Technical Training
  Empower your teams to secure what matters
  Technical Training
  Empower your teams to secure what matters

In March 2022, the Solana-based Cashio stable coin CASH was the victim of a hack exploiting an “infinite mint” vulnerability. The value of the CASH token plunged to $0.00005 after the attacker stole over $52 million in tokens from the protocol.

Inside the Attack

To mint new CASH tokens, a user needs to deposit collateral. This collateral can be deposited into a collateral account owned by the protocol if the deposit passes a series of checks designed to validate that the deposited tokens match the type held within the protocol’s accounts.

As part of the validation process for crate_collateral_tokens, the contract checked that the token type matched that of the saber_swap.arrow account. However, there was no validation of the mint field within the saber_swap.arrow account. The attacker could make a fake saber_swap.arrow account that would allow it to create a fake crate_collateral_tokens account that would allow the deposit of worthless collateral.

The other piece of the attack was a missing check for depositor_source, which has the same requirement that the token type should match that of the collateral. It is possible to set the collateral token type if a user owns a bank, which can be created with a call to crate_mint.

With a fake bank, the attacker could deposit fake collateral that would pass all of the checks due to the issues in crate_collateral_tokens. However, the code failed to verify that the token associated with the bank and the one being minted are the same.

As a result, a bank with a worthless token could be used to mint real CASH tokens. This allowed the attacker to drain value from the protocol by depositing worthless collateral and minting real CASH tokens.

Lessons Learned From the Attack

The Cashio hack was made possible by missing validation code. While the smart contract included numerous checks designed to validate collateral deposits, two essential ones were missing, enabling a $52 million hack and the destruction of the stablecoin’s peg to the USD.

These vulnerabilities may have been detected by a smart contract audit. However, Cashio was an unaudited project, resulting in the vulnerability being discovered – and exploited – by an attacker.

Explained: The Cashio Hack (March 2022)

Inside the Attack

Lessons Learned From the Attack

Related Blog Posts

blog

blog

Disclaimer

blog

blog