Stablecoin Cashio plummets by 100% due to infinite mint glitch
An attacker managed to mint $2 billion worth of Cashio (CASH) stablecoins without providing anything in return.
The price of Cashio (CASH), a USD-pegged stablecoin based on the Solana blockchain, dropped to nearly zero today after a newly discovered exploit allowed users to produce unlimited amounts of the token.
“Please do not mint any CASH. There is an infinite mint glitch,” Cashio’s Twitter account announced today. “We are investigating the issue and we believe we have found the root cause. Please withdraw your funds from pools. We will publish a postmortem ASAP.”
Please retweet for visibility.
— Cashio ($CASH) 💵 (@CashioApp) March 23, 2022
Under normal circumstances, users had to lock up their USDT and USDC stablecoins in a liquidity pool in order to mint Cashio. However, the exploit allowed at least one attacker to mint 2 billion CASH tokens without providing anything in return. Consequently, the hacker used his newly acquired “free” tokens to drain other stablecoins from Cashio’s pools.
As a result, the price of CASH crashed from $1 to $0.00005786, effectively losing 100% of its value, according to crypto metrics platform CoinGecko.
Prior to the crash, around $28.9 million worth of CASH tokens were locked in the ecosystem, DeFi Llama’s data shows. However, after the glitch was discovered and exploited, this figure shrunk to just about $580,000.
In its turn, Saber, a Solana-based market maker protocol on which Cashio’s liquidity pools were based, quickly stopped the corresponding operations.
“We’ve paused all $CASH pools—we are investigating the issue and will provide an update ASAP,” Saber tweeted today.
We've paused all $CASH pools — we are investigating the issue and will provide an update ASAP. https://t.co/lqqB869mYw
— Saber (@Saber_HQ) March 23, 2022
Sadly, Cashio is far from the first “stable” token that ultimately proved to be anything but. For example, the price of SafeDollar, an algorithmic DeFi stablecoin based on the Polygon blockchain, similarly dropped to near-zero due to a $248,000 exploit last summer.