Cashio App Incident Analysis
12/6/2022

TL;DR

On March 23, 2022, at 8:23:26 AM UTC, an unknown actor exploited Cashio App, leading to approximately $52 million worth of lost assets. The root cause of the attack is missing code in the collateral verification design. The verification design lacked necessary validation for the input “collateral”, enabling the attacker to use fake accounts to bypass the verifications and mint Cash tokens.

Summary

On March 23, 2022 at 8:23 AM UTC, an unknown actor exploited Cashio App (Cash) via an infinite mint vulnerability. Cashio is a decentralized stablecoin backed by interest-bearing Saber USD liquidity provider tokens. The attacker took advantage of a vulnerability in the collateral verification design. A user deposits collateral in order to mint CASH tokens. If the user’s collateral deposit passes a sequence of token validation checks, it is deposited into an account owned by the protocol. Cashio used Saber LP and Arrow Protocol as collateral. The mint field was not validated on the Arrow account, so the code was unable to verify that the banking token and the minted token matched. By depositing valueless collateral, the attacker was able to mint real CASH tokens and drain value from the protocol. The missing validation code resulted in an attack worth $52.8 million in lost assets. The funds were transferred to Ethereum via Wormhole and Paraswap.

On March 28th, 2022, a few days after the attack, the hacker made an announcement stating that affected Cashio users were able to restore their funds if they were able to explain the source of the assets and why it should be returned. The hacker stated that no money would be returned to wealthy users who did not explicitly need the money. The affected users were able to state their case on a website set up by a community member following the format requested by the hacker. As of June 2022, Cashio stated that there were still approximately $25 million in stolen funds that had yet to be returned to victims of the attack.


The Cashio App project had a strong social media presence in early 2022 and was active on Twitter, Discord, Medium, and its project website. Most of these channels have slowed down, with most of the activity referencing the attack and the return of users’ funds. In June 2022, Cashio App announced plans on Medium for a new protocol to help raise funds for victims and expand the Saber ecosystem. The Cashio App team has not been active on social media platforms since this announcement. It is currently unclear whether the team is following through with its plans to build a new protocol.

Exploit Transactions

Create fake pool: https://solscan.io/tx/2X1TKidhbocN5HRLVWRUk8W1YSQH9b6VH7biAm1ad5jwTZNrPSxajz2cyorrvqtUbWUAmCb52Yqk8VxYF2P6H5tP

Initialize an arrow account: https://solscan.io/tx/9Qw5uU4dq5Gn9RnnjbFtyeK4EZ5DAQsKNxq88sSRhTN96YmVrARuNTV7gAG2FWxqyY5AWY7yzNTmk2viJG6AAkq

Mint fake “collateral”: https://solscan.io/tx/fad83BqAwEXGGyqY6FEGdgptUXt6YVowa6vmaCbfP9NEY7dRoBUAJ6TDsj1L5mK8rXKJ3LPZPPnQqGMuPVYxDNN

Mint Cash via the fake collateral: https://solscan.io/tx/4fgL8D6QXKH1q3Gt9GPzeRDpTgq4cE5hxf1hNDUWrJVUe4qDJ1xmUZE7KJWDANT99jD8UvwNeBb1imvujz3Pz2K5

Swap Cash to USDC/UST: https://solscan.io/tx/3qeUYN3sjxxhZFTEGoDYEe4YNwqqQH8tpaa4UGdAqfVNWautK9fQ5JRoo4W1YKZ6ouVkk3sC51WQiwmxbpuinXm3

Related Addresses

Attacker address: https://solscan.io/account/6D7fgzpPZXtDB6Zqg3xRwfbohzerbytB2U5pFchnVuzw#splTransfers

Attacker address on Ethereum: https://etherscan.io/address/0x86766247ba3405c5f15f06b895294200809e9cfb

Attacker Addresses

Fake token account: https://solscan.io/token/GoSK6XvdKquQwVYokYz8sKhFgkJAYwjq4i8ttjeukBmp

UST token account: https://solscan.io/account/7ZuSEKMoo65ueVLCEYBa6KYcVitJ66iJWLWAWMSKYC1e

USDC token account: https://solscan.io/account/8H4vUyYxpyqfszfVffECiXCdLBd2xRFY51Rp4AGGfDzS

Attack Flow

Preparation Stage:

  1. The attacker created two fake tokens (6fm1zUNEUdrFJ3hxE3iPDHxmyNHLj1VAZB56qknG36DP and 55q4h7RnRxi7FMKeUWjhoSegqP2JrQt3hb5p9kXtBiAP) and created a fake pool with the fake tokens. By doing so, the attacker gained fake LP tokens GoSK6XvdKquQwVYokYz8sKhFgkJAYwjq4i8ttjeukBmp.

  2. The attacker interacted with the Arrow program via the function init_arrow_vendor_miner() to initialize a malicious Arrow account.

  3. The attacker interacted with the Arrow program via deposit_vendor() to deposit 2,000,000,000 fake LP tokens (GoSK6XvdKquQwVYokYz8sKhFgkJAYwjq4i8ttjeukBmp) and minted 2,000,000,000 GCnK63zpqfGwpmikGBWRSMJLGLW8dsW97N4VAXKaUSSC with the Arrow account.

Attack Stage:

  1. The attacker invoked the print_cash instruction with the previous token (GCnK63zpqfGwpmikGBWRSMJLGLW8dsW97N4VAXKaUSSC) as collateral and gained the same amount of CASH (CASHVDm2wsJXfhj6VWxb7GiMdoLc17Du7paH4bNr5woT).


  2. The attacker interacted with Saber to swap the CASH to UST and USDC.
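
The missing check, as an added example (not Cashio's code): a simplified Rust model in which every struct, field, function name and mint label is constructed for illustration. It shows that validation which only compares caller-supplied accounts with one another accepts a self-consistent fake set, while tying each account back to protocol-owned state rejects it.

```rust
// Simplified model of the account checks behind a collateral-backed mint.
// All names and values here are constructed for illustration.
type Key = &'static str;

struct Bank { collateral_mint: Key }             // protocol-owned state (trusted)
struct Collateral { mint: Key }                  // caller-supplied account
struct Arrow { mint: Key }                       // caller-supplied account
struct Deposit { token_mint: Key, amount: u64 }  // tokens offered as collateral

#[derive(Debug, PartialEq)]
enum MintError { DepositMismatch, ArrowMintMismatch, UnregisteredCollateral }

// Flawed: compares caller-supplied accounts only with each other and never
// looks at the Arrow account's mint field.
fn validate_weak(c: &Collateral, _a: &Arrow, d: &Deposit) -> Result<u64, MintError> {
    if d.token_mint != c.mint { return Err(MintError::DepositMismatch); }
    Ok(d.amount) // amount of stablecoin that would be minted
}

// Hardened: every caller-supplied account is tied back to the bank's state.
fn validate_strict(b: &Bank, c: &Collateral, a: &Arrow, d: &Deposit) -> Result<u64, MintError> {
    if c.mint != b.collateral_mint { return Err(MintError::UnregisteredCollateral); }
    if a.mint != c.mint { return Err(MintError::ArrowMintMismatch); }
    if d.token_mint != c.mint { return Err(MintError::DepositMismatch); }
    Ok(d.amount)
}

// Constructed input: an internally consistent set of accounts built on `mint`.
fn accounts_for(mint: Key, amount: u64) -> (Collateral, Arrow, Deposit) {
    (Collateral { mint }, Arrow { mint }, Deposit { token_mint: mint, amount })
}

fn main() {
    let bank = Bank { collateral_mint: "REAL_ARROW_LP_MINT" };
    let (c, a, d) = accounts_for("WORTHLESS_MINT", 2_000_000_000);
    println!("weak:   {:?}", validate_weak(&c, &a, &d));
    println!("strict: {:?}", validate_strict(&bank, &c, &a, &d));
}
```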


Conclusion

In total, the Cashio App exploit resulted in roughly $52 million in stolen funds due to a vulnerability in the collateral verification design. The Cashio App hacker took advantage of the missing validation code, using valueless tokens to mint real CASH tokens. The attacker was able to drain value from the protocol and mint CASH tokens by depositing worthless collateral. The CASH stablecoin dropped from $1 to $0. Although the hacker pledged to refund selected user accounts, there were still roughly $25 million in lost funds as of June 2022. The deadline to submit a reimbursement form was April 1st, 2022. In June 2022, the team announced a potential plan to create a two-token protocol and DAO to help pay back Cashio exploit victims and strengthen the Saber ecosystem. Since then, there have been no new updates on the project. Since this attack was caused by a vulnerability in the code, a CertiK audit would have been able to detect that the input “collateral” account was not verified. This attack illustrates the importance of auditing token projects for code vulnerabilities to prevent exploits, which ultimately cause a decline in project momentum.
