In the crypto world, where anonymity serves as a cloak for all kinds of individuals (shady or legit) to come together as a movement towards a new financial paradigm, anything can go wrong. For a while, people saw the Solana ecosystem as a hard one to crack because its programming language (Rust) wasn’t one that most people understood. But with so much cash just lying there, there was enough incentive for the shady guys to learn Rust and wreak havoc.
Today was just one instance. A hacker has taken advantage of an “infinite mint flaw” in Cashio’s liquidity pools and drained about $28m worth of assets, causing its main stablecoin, $CASH, to collapse completely.
Using DefiLlama, we can see that seconds before the hack, TVL was at $28m, but it has now dropped to almost zero.
So how did this happen?
To understand what happened here, we need to look at some code. To mint new $CASH tokens, one needs to deposit some form of collateral. A CPI (cross-program invocation) transfers the tokens from one’s account to the protocol’s account if the two accounts hold the same type of token. If they don’t hold the same type of token, the token program rejects the transfer.
Then, the protocol validates that the crate_collateral_tokens account holds the right amount of tokens by comparing it with the collateral account.
It also verifies that the collateral account shares the same token type as the saber_swap.arrow account. But unfortunately, the mint field on the arrow account was never validated.
Because of this validation failure, there was no trusted root. The attacker just had to create fake accounts all the way down and chain them up until a fake crate_collateral_tokens account was created. That was exactly what happened.
Since the hacker now knew that no account was established as a root of trust, they just went ahead and forged a chain of accounts to steal more than $28m.
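The missing root of trust, as an added Rust sketch that is not Cashio's program code: each account is reduced to the mint it claims, so the checks described above become plain comparisons. `Key`, `TRUSTED_MINT`, the struct names and both validate functions are assumptions made for illustration.

```rust
// Simplified model, not Cashio's code: every account is reduced to the mint it claims.
type Key = u32; // stand-in for a Solana public key

struct Arrow { mint: Key }        // models saber_swap.arrow
struct Collateral { mint: Key }   // models the collateral account
struct TokenAccount { mint: Key } // models crate_collateral_tokens

struct Accounts {
    arrow: Arrow,
    collateral: Collateral,
    crate_collateral_tokens: TokenAccount,
}

// Hypothetical value: the single mint the protocol really accepts as collateral.
const TRUSTED_MINT: Key = 1;

// Checks as described above: each account is compared only with its neighbour.
fn validate_unanchored(a: &Accounts) -> bool {
    a.crate_collateral_tokens.mint == a.collateral.mint && a.collateral.mint == a.arrow.mint
}

// Adds the missing check: arrow.mint must equal a value the program itself trusts.
fn validate_anchored(a: &Accounts) -> bool {
    a.arrow.mint == TRUSTED_MINT && validate_unanchored(a)
}

// Builds a constructed set of caller-supplied accounts for the demo.
fn accounts(arrow: Key, collateral: Key, crate_tokens: Key) -> Accounts {
    Accounts {
        arrow: Arrow { mint: arrow },
        collateral: Collateral { mint: collateral },
        crate_collateral_tokens: TokenAccount { mint: crate_tokens },
    }
}

fn main() {
    let cases = [
        ("genuine chain", accounts(TRUSTED_MINT, TRUSTED_MINT, TRUSTED_MINT)),
        ("one forged link", accounts(TRUSTED_MINT, TRUSTED_MINT, 999)),
        ("fully forged chain", accounts(999, 999, 999)),
    ];
    for (name, a) in &cases {
        println!("{}: unanchored={} anchored={}", name, validate_unanchored(a), validate_anchored(a));
    }
}
```

Neighbour-to-neighbour comparisons catch a single inconsistent account, but a chain that is forged consistently passes them; only the comparison against a value the program already trusts rejects it.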
Thanks a lot, boss