Tuesday, November 5 2024

Solana Exploit: $50 Million Stolen from Infinite Stablecoin Minting Glitch


By Andrew Throuvalas


About $50 million has been robbed from a Solana-native stablecoin protocol using a ‘fake account’ exploit. This apparently allowed the hacker to mint an unlimited amount of CASH, which the team behind the stablecoin has confessed to.

  • As explained by samczsun of Paradigm on Twitter, CashioApp requires users to deposit collateral in order to mint more CASH, its stablecoin token.
  • The cross-program invocation (CPI) transfers tokens from one’s account to the account of the protocol, but only if both accounts hold the same type of token. If they do not, the token program will reject the transfer.
  • “The protocol validates that the crate_collateral_tokens account holds the right type of token by comparing it with the collateral account,” he states. “It also verifies the collateral account shares the same token type as the saber_swap.arrow account.”
  • However, he also identified that the mint field of the “arrow” account is never validated. According to samczsun, this rendered all of the aforementioned validation meaningless, and let the hacker make fake accounts for every step of the process.
  • “Because Cashio didn’t establish a root of trust for all of the accounts it used, an attacker was able to steal approximately $50M by forging a chain of fake accounts,” he summarized.
  • Cashio addressed the issue as well, urging users to not mint any CASH as there was now an “infinite mint glitch”. They said they would soon publish a post-mortem, but it’s yet to be posted.
  • Last month, an Ethereum to Solana bridge was also hacked for $320 million worth of wrapped ETH.
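To make the “root of trust” point concrete, the following is an added illustration written for this page; it is not Cashio’s program, not the SPL token program, and not samczsun’s analysis code. It models the validation described above in simplified form: the `TokenAccount`, `ArrowAccount` and `MintCashAccounts` types, the `TRUSTED_COLLATERAL_MINT` constant and both check functions are assumptions made for the example. A check that only compares each caller-supplied account with its neighbour accepts any set of accounts that agree with each other; anchoring one link of the chain to a value the program itself owns makes the same pairwise checks meaningful.

```rust
// Added toy model of the account-validation flaw described in the article.
// Not Cashio's code and not Solana's token program; every type, name and
// value below is an assumption made for this illustration.

/// Simplified SPL-token-like account: which token (mint) it holds and how much.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct TokenAccount {
    pub mint: &'static str,
    pub amount: u64,
}

/// Stand-in for the "arrow" account whose mint field, per the article, was
/// never validated against anything the protocol controlled.
#[derive(Debug, Clone)]
pub struct ArrowAccount {
    pub mint: &'static str,
}

/// The accounts a mint instruction receives. On Solana every one of these is
/// supplied by the caller, so none can be trusted until it is checked.
pub struct MintCashAccounts {
    pub crate_collateral_tokens: TokenAccount,
    pub collateral: TokenAccount,
    pub arrow: ArrowAccount,
}

/// Assumed placeholder for the one collateral mint the protocol accepts. In a
/// real program this would live in a program-owned state account, not a literal.
pub const TRUSTED_COLLATERAL_MINT: &str = "TRUSTED_COLLATERAL_MINT_PLACEHOLDER";

/// Mirrors the validation the article describes: each account is compared with
/// its neighbour, but the chain is never tied to a known-good value, so any
/// mutually consistent set of accounts passes.
pub fn validate_chain_only(a: &MintCashAccounts) -> Result<(), &'static str> {
    if a.crate_collateral_tokens.mint != a.collateral.mint {
        return Err("crate_collateral_tokens mint != collateral mint");
    }
    if a.collateral.mint != a.arrow.mint {
        return Err("collateral mint != arrow mint");
    }
    Ok(())
}

/// Hardened version: the chain is anchored to a mint the program itself
/// controls. Once `arrow.mint` must equal the trusted mint, the pairwise checks
/// force every other account onto that same mint.
pub fn validate_with_root(
    a: &MintCashAccounts,
    trusted_collateral_mint: &str,
) -> Result<(), &'static str> {
    if a.arrow.mint != trusted_collateral_mint {
        return Err("arrow mint is not the protocol's trusted collateral mint");
    }
    validate_chain_only(a)
}

/// Constructed sample: accounts that agree with each other but reference a
/// mint the protocol never chose. Pairwise checks alone cannot tell this apart
/// from real collateral.
pub fn self_consistent_untrusted_set() -> MintCashAccounts {
    MintCashAccounts {
        crate_collateral_tokens: TokenAccount { mint: "UNTRUSTED_MINT", amount: 1_000_000 },
        collateral: TokenAccount { mint: "UNTRUSTED_MINT", amount: 1_000_000 },
        arrow: ArrowAccount { mint: "UNTRUSTED_MINT" },
    }
}

/// Constructed sample: the legitimate case, every account on the trusted mint.
pub fn legitimate_set() -> MintCashAccounts {
    MintCashAccounts {
        crate_collateral_tokens: TokenAccount { mint: TRUSTED_COLLATERAL_MINT, amount: 1_000_000 },
        collateral: TokenAccount { mint: TRUSTED_COLLATERAL_MINT, amount: 1_000_000 },
        arrow: ArrowAccount { mint: TRUSTED_COLLATERAL_MINT },
    }
}

fn main() {
    let untrusted = self_consistent_untrusted_set();
    let good = legitimate_set();
    println!("chain-only, untrusted set: {:?}", validate_chain_only(&untrusted));
    println!("rooted,     untrusted set: {:?}", validate_with_root(&untrusted, TRUSTED_COLLATERAL_MINT));
    println!("chain-only, legitimate set: {:?}", validate_chain_only(&good));
    println!("rooted,     legitimate set: {:?}", validate_with_root(&good, TRUSTED_COLLATERAL_MINT));
}
```

The design point is that the trusted value must come from state the program owns (a config or “bank” account whose address is derived or stored by the program), never from another caller-supplied account; the same principle applies to account owners and program IDs passed into a CPI, which should be checked against expected values before any transfer is invoked.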
