$CASH Grab

Market Meditations | March 24, 2022

CashioApp is a DeFi project built on Solana that aims to create a USD pegged stablecoin called CASH that is backed by interest-bearing tokens. It manipulates the supply of the tokens using mint and burns mechanics in an attempt to maintain its peg.

  • On March 23rd 2022 the CashioApp protocol was exploited. The hacker managed to mint 2 billion CASH tokens using 2 billion of his own unknown tokens.
  • How the hacker was able to exploit the code has been broken down in a thread by @samczsun here.
  • Using the 2 billion CASH tokens that were minted, the hacker used Cashio’s platform to burn CASH tokens for all the underlying Saber USDT-USDC LP tokens in Cashio’s deposits.
  • The hacker was able to drain $52.8 million worth of USDC, USDT and UST from Cashio and Saber.
  • The hacker embedded a hidden message within a transaction which can be viewed via their Etherscan which suggests this was a Robinhood attack.
  • The message reads “accounts with less than 100k will be returned, all other money will be donated to charity”.

According to SolanaFM, it would seem that the hacker has at least begun returning the stolen USDC to wallets with less than $100k worth of value but the charity donation is yet to be seen.