A stablecoin on the Solana blockchain has been exploited for around $52.8 million and lost practically all of its value.
Cashio Dollar (CASH) is an algorithmic stablecoin that was launched by a developer called 0xGhostChain in November 2021. Anyone can mint tokens by depositing liquidity tokens for the two stablecoins UDST and USDC from the Saber platform. They can redeem the stablecoin for the underlying liquidity tokens.
The exploit happened shortly after 9:00 AM UTC. According to data tracking site DeFi Llama, the total value locked within the protocol fell from $28.87 million to $569,000. At the same time, the price of the stablecoin dropped from $1 to practically zero, per data tracking site CoinGecko.
"Please do not mint any CASH. There is an infinite mint glitch. We are investigating the issue and we believe we have found the root cause. Please withdraw your funds from pools. We will publish a postmortem ASAP,"
An infinite mint glitch is where a protocol is mistakenly designed in such a way that allows a user to mint as many tokens as they would like, typically without providing any collateral that might otherwise be needed. Once someone can mint infinite tokens, they can sell them on the market, crushing a token's price.
According to a report by crypto exchange Bybit, the hacker made off with $52.8 million in two ways. After minting 2 billion CASH tokens through the "infinite mint glitch," they redeemed some of these CASH tokens for the underlying collateral, which was sold for $27.2 million. They then sold a large amount of the remaining tokens on a decentralized exchange for $25.6 million.
On the flip side, they appear to be returning a sizeable amount of the funds. As crypto trader Ceteris noted on Twitter, they have been returning some of the funds to liquidity providers. A message on the blockchain sent from the hacker's address said, "Account with less than 100k have been returned. all other money will be donated to charity." But this may only be for some of the pools.
This story has been updated with further details, including a report from Bybit, which provides more clarity on the amounts stolen.
© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.