Stablecoin Cashio on Solana exploited for $52.8 million in 'infinite mint glitch'

Quick Take

  • Cashio Dollar is an algorithmic stablecoin backed by USDT-USDC LP tokens.
  • It fell foul of an “infinite mint glitch,” according to its team.

A stablecoin on the Solana blockchain has been exploited for around $52.8 million and lost practically all of its value.

Cashio Dollar (CASH) is an algorithmic stablecoin that was launched by a developer called 0xGhostChain in November 2021. Anyone can mint tokens by depositing liquidity tokens for the two stablecoins USDT and USDC from the Saber platform. They can redeem the stablecoin for the underlying liquidity tokens.

The exploit happened shortly after 9:00 AM UTC. According to data tracking site DeFi Llama, the total value locked within the protocol fell from $28.87 million to $569,000. At the same time, the price of the stablecoin dropped from $1 to practically zero, per data tracking site CoinGecko.

Cashio's total value locked fell by $28 million today. Image: DeFi Llama.

"Please do not mint any CASH. There is an infinite mint glitch. We are investigating the issue and we believe we have found the root cause. Please withdraw your funds from pools. We will publish a postmortem ASAP," tweeted 0xGhostChain today.

An infinite mint glitch is a design flaw in a protocol that allows a user to mint as many tokens as they like, typically without providing the collateral that would otherwise be required. Once someone can mint infinite tokens, they can sell them on the market, crushing a token's price.

According to a report by crypto exchange Bybit, the hacker made off with $52.8 million in two ways. After minting 2 billion CASH tokens through the "infinite mint glitch," they redeemed some of these CASH tokens for the underlying collateral, which was sold for $27.2 million. They then sold a large amount of the remaining tokens on a decentralized exchange for $25.6 million.

On the flip side, they appear to be returning a sizeable amount of the funds. As crypto trader Ceteris noted on Twitter, they have been returning some of the funds to liquidity providers. A message on the blockchain sent from the hacker's address said, "Account with less than 100k have been returned. all other money will be donated to charity." But this may only be for some of the pools.

This story has been updated with further details, including a report from Bybit, which provides more clarity on the amounts stolen.


© 2024 The Block. All Rights Reserved.

About Author

Tim is the Editor-In-Chief of The Block. He writes about the evolution of crypto technology and the people who are at the forefront of it. He provided exclusive, source-based insights into the launches of the Bitcoin and Ethereum ETFs, crypto sales by the FTX Estate and the Trump-linked World Liberty Financial project. Prior to joining The Block, Tim was a news editor at Decrypt. He earned a bachelor's degree in philosophy from the University of York and studied news journalism at Press Association Training. Follow him on X @Timccopeland.