Another day, another Solana fake-account exploit. This time it’s Cashio, which lost around $50M. Our analysis identified the causes of the exploit, which are described below.
In order to mint new CASH, you need to deposit some collateral. This cross-program invocation (CPI) will transfer tokens from your account to the protocol’s account, but only if the two accounts hold the same type of token. Otherwise, the token program will reject the transfer, as can be seen in the image below.
The protocol validates that the crate_collateral_tokens account holds the right type of token by comparing it with the collateral account. It also verifies that the collateral account shares the same token type as the saber_swap.arrow account. This can be clearly seen in the image below.
Unfortunately, we found that the mint field on the arrow account is never validated, as can be seen in the image below.
This means that ultimately, all of this validation is meaningless because there’s no trusted root. The attacker just created fake accounts all the way down and then chained them all the way back up until they finally made a fake crate_collateral_tokens account.
We conclude that because Cashio didn’t establish a root of trust for all of the accounts it used, an attacker was able to steal approximately $50M by forging a chain of fake accounts.
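The missing root of trust can be shown with a small model. This is an added example, not Cashio's or Saber's code: the structs are simplified stand-ins for the accounts named above, the mint strings are constructed, and TRUSTED_MINT is a hypothetical value assumed to come from protocol-controlled state rather than from the caller.

```rust
// Constructed model of the account chain described above; mints are plain
// strings and nothing here is Cashio's or Saber's actual code.
struct TokenAccount { mint: &'static str } // crate_collateral_tokens
struct Collateral { mint: &'static str }   // collateral
struct Arrow { mint: &'static str }        // saber_swap.arrow

struct Accounts {
    crate_collateral_tokens: TokenAccount,
    collateral: Collateral,
    arrow: Arrow,
}

// Assumption: a mint recorded in protocol-controlled state, not caller input.
const TRUSTED_MINT: &str = "TRUSTED_LP_MINT";

// Builds a chain whose accounts all name the same mint, i.e. self-consistent.
fn accounts_with_mint(mint: &'static str) -> Accounts {
    Accounts {
        crate_collateral_tokens: TokenAccount { mint },
        collateral: Collateral { mint },
        arrow: Arrow { mint },
    }
}

// The checks described on the page: each account is compared to its neighbour only.
fn validate_chain_only(a: &Accounts) -> Result<(), &'static str> {
    if a.crate_collateral_tokens.mint != a.collateral.mint {
        return Err("crate_collateral_tokens mint != collateral mint");
    }
    if a.collateral.mint != a.arrow.mint {
        return Err("collateral mint != arrow mint");
    }
    Ok(())
}

// Same checks, plus the missing one: the last link must equal the trusted root.
fn validate_with_root(a: &Accounts, trusted_mint: &str) -> Result<(), &'static str> {
    validate_chain_only(a)?;
    if a.arrow.mint != trusted_mint {
        return Err("arrow mint is not the trusted mint");
    }
    Ok(())
}

fn main() {
    let forged = accounts_with_mint("FAKE_MINT"); // caller-supplied, consistent, worthless
    println!("chain only: {:?}", validate_chain_only(&forged));
    println!("with root:  {:?}", validate_with_root(&forged, TRUSTED_MINT));
}
```

A chain that is merely self-consistent passes the neighbour-to-neighbour checks; only the comparison against a value the caller cannot supply rejects it.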
At the time of writing, there was no official announcement by Cashio. There is only a tweet by Cashio that said “Please do not mint any CASH. There is an infinite mint glitch. We are investigating the issue and we believe we have found the root cause. Please withdraw your funds from pools. We will publish a postmortem ASAP.”
According to data from the tracking tool DeFi Llama, the total value locked on Cashio dropped by $28 million following the attack. According to blockchain data, over 2 billion CASH were minted with no USDC or USDT backing.