Cash.io App Solana Fake Account Exploit

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 11:29, 24 April 2023 by Azoundria (Initial 30 minutes. down to 8 sources left.)

Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' and 'General Prevention' sections to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

Cash.io App

The Cash.io app is a stablecoin protocol on the Solana blockchain. Due to a missing validation check in its smart contract, an attacker was able to drain $52.8m worth of funds from the contract. The attacker decided to return the funds of all accounts that lost less than $100k, and sent those funds back to be distributed. It is assumed that these will be distributed as the attacker intended, but that has not yet been finalized.

This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8]

About Cash.io App

[9][10]

"cashio is a Solana-native stablecoin made for the people, by the people." "all cashio dollar deposits are fully backed by interest-bearing stable pair LP tokens."

"Cashio is a decentralized stablecoin fully backed by interest-bearing Saber USD liquidity provider tokens. Cashio specifically chooses USD LPs that are backed by safer USD assets, attempting to capture the risk-free rate of the Solana stablecoin ecosystem."

"Using Arrow Protocol, Cashio stakes LP tokens into Sunny Aggregator, earning $SBR and $SUNNY tokens to the Cashio DAO. Cashio also uses Crate Protocol to build its USD-pegged stablecoin, which can be thought of as a basket of stablecoin LPs."

"Currently, protocol profits accrue to a program-owned account known as the Bank. We intend to create a mechanism to have these cash flows accrue value to users of the Cashio Protocol. More information on this will be available soon."

"In March 2022, the Solana-based Cashio stable coin CASH was the victim of a hack exploiting an “infinite mint” vulnerability. The value of the CASH token plunged to $0.00005 after the attacker stole over $52 million in tokens from the protocol."

"Another day, another Solana fake account exploit. This time, @CashioApp lost around $50M (based on a quick skim). How did this happen?"

"[B]ecause Cashio didn't establish a root of trust for all of the accounts it used, an attacker was able to steal approximately $50M by forging a chain of fake accounts."

"In order to mint new CASH, you need to deposit some collateral. This cross-program invocation (CPI) will transfer tokens from your account to the protocol's account, but only if the two accounts hold the same type of token. Otherwise, the token program will reject the transfer."

"Here, the protocol validates that the crate_collateral_tokens account holds the right type of token by comparing it with the collateral account. It also verifies the collateral account shares the same token type as the saber_swap.arrow account."

"Unfortunately, the mint field on the arrow account is never validated." "This means that ultimately, all of this validation is meaningless because there's no trusted root. The attacker just created fake accounts all the way down and then chained it all the way back up until they finally made a fake crate_collateral_tokens account."

"The attacker forged accounts to bypass the validation on common.crate_collateral_tokens, but what about depositor_source?" "Well, the depositor_source has to use the same token as common.collateral." "But common.collateral contains two fields: collateral and bank, and the attacker can't set the collateral unless they're the owner of the bank." "Fortunately, the attacker can just create a new bank, one in which they're the curator. They'll need to use a new crate_mint since the total supply of the token must be zero."

"Now that the attacker has essentially created a parallel universe, they can go back and deposit their worthless collateral. Critically, they can instruct the program to mint the original CASH token because there was no check that the bank's token matched the one being minted."

"While anchoring to a root of trust is important, the real lesson learned here is how all the authentication in the world is meaningless if you miss a single load-bearing check."

"Please do not mint any CASH. There is an infinite mint glitch. We are investigating the issue and we believe we have found the root cause. Please withdraw your funds from pools. We will publish a postmortem ASAP."

"Interestingly, the anonymous hacker stated that the purpose of the attack was to take funds from big wallet holders who did not need the money and not customers with smaller accounts."

"The Cashio hacker has set forth conditions for returning funds stolen from the decentralized platform. Data from Etherscan shows someone in control of the wallet linked to the exploit detailing how restitution could happen for people affected by the attack."

"The hacker gave six conditions, part of which asked affected users to state the amount to be refunded, provide their ETH address as refunds will be done in Ether. They also required users to give details about the source of their money and why they needed a refund."

"Furthermore, the perpetrator promised to refund affected liquidity providers if they can show proof of the initial amount they had. Meanwhile, the Cashio attacker said they had already refunded accounts with less than $100,000 in their wallets."

"[H]ave already refunded accounts under 100k which held CASH directly and saber cash/usdc LP and saber cash/ust LP."

"[T]he intention was only to take money from those who do not need it, not from those who do. [W]ill be using the eth gains to return more funds to those affected, even some accounts more than 100k. [W]ill not return funds to accounts that already received a refund."

"[I]nstructions: we want jimthereaper#6550 and The Saint Eclectic#1238 to lead the organization. [T]hey have shown to be leaders. [F]or each person affected the following exact information is required for us to consider return of funds."

"1. eth address to send the returned funds to. all returns will be done in eth. 2. the original solana wallet that held the cash or cash lp pair. even cash lp pairs that we did not take (like PAI/CASH or aeMIM/CASH) will be returned since it is our fault they lost money to arbitrage bots. 3. if the lp is held by another owner (like sunny or quarry) then a transaction proving that you own the lp and the account that you own is needed. this message will have to be signed by the account that you own instead of the account that directly owns the lp (since that will be sunny or quarry). 4. if you already sold or bought lp or cash, show a transaction from before the hack to prove how much you had. 5. the amount of money to be returned. 6. an explanation of the source of this money and why you need it back. more detail is better. money will not be refunded to rich americans and europeans that don't need it."

"[A]ll this information MUST be signed by either the original account owner of cash or lp or the account that staked the money into sunny or quarry. [B]ad signatures or incomplete information will result in no return. [W]e will choose who gets a return. [M]ight get all back or some back or none back. [P]ut all the requests together in one file, returns will start next week manually. [W]ill take some time."

"[A]lso godoflight and all others are scammers. [O]nly trust messages signed by account."

"We are working nonstop to make sure every refund submission gets verified in a transparent, efficient manner. Developing this takes some time. Regardless, we want to urge everyone impacted to head over to our discord and get help filling out a refund form. There is help."

"[Y]ou can now go [and] search your wallet address." "For all CASH related token accounts it will show you [p]re hack token balance [and] [l]ast transaction to account. We will use this tool to verify submissions."

"Again- we know it might be a pain to have to go through and find the old LP transactions to prove your ownership- create the signature- then submit the form- but we are trying to make it as simple to get your money back while ensuring that you truly did lose the funds."

"[A]n argument is breaking out on social media about whether the returned funds, which are a comparatively small amount of the total amount stolen, should be split among all the victims or given to the individuals with less than $100,000 at stake, as the scammer intended."

"What was more interesting in Bybit’s findings was a hidden message embedded by the hacker in a particular transaction that has made the DeFi community rename the hacker as modern-day “Robin Hood.” The hacker wrote in a transaction[.]"

“Account with less than 100K have been returned. All other money will be donated to charity.”


The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

  • Known history of when and how the service was started.
  • What problems does the company or service claim to solve?
  • What marketing materials were used by the firm or business?
  • Audits performed, and excerpts that may have been included.
  • Business registration documents shown (fake or legitimate).
  • How were people recruited to participate?
  • Public warnings and announcements prior to the event.

Don't Include:

  • Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
  • Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

The Reality

This section is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - Cash.io App Solana Fake Account Exploit
Date | Event | Description
March 23rd, 2022 3:59:00 AM MDT | Cash.io Posts Announcement To Twitter | Cash.io announces the exploit on Twitter. They ask users to withdraw funds. They are investigating and believe they've found the root cause, and will publish a postmortem ASAP[11]. TBD community reaction.
March 23rd, 2022 4:29:00 AM MDT | Samczsun Reports On Exploit | Blockchain researcher samczsun reports on the exploit on Twitter[12].
March 24th, 2022 12:05:00 PM MDT | Samczsun Issues Expanded Explanation | Samczsun expands his initial description of the exploit to also include details about the fake bank which had to be created[13].
March 28th, 2022 11:48:00 AM MDT | Cash.io Refund Tool Online | The refund tool is brought online on the Cash.io website[14]. TBD referenced tweet.
March 31st, 2022 3:57:00 AM MDT | Cash.io Working Non-Stop To Issue Refunds | Cash.io explains the refund process in a Twitter thread[15].
April 1st, 2022 8:26:15 PM MDT | Token Balance Lookup Tool | Twitter user simplyianm announces his tool, which can be used to look up a wallet's balance affected by the exploit[16][17][18].
April 2nd, 2022 2:19:00 AM MDT | Cash.io Announces Lookup Tool | Cash.io announces simplyianm's tool, which can be used to look up the pre-hack token balance and the last transaction posted to an account[19].

Total Amount Lost

The total amount lost has been estimated at $52,800,000 USD.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Cash.io Twitter Announcement

Cash.io posted an announcement to Twitter about the exploit[11].

Please do not mint any CASH. There is an infinite mint glitch. We are investigating the issue and we believe we have found the root cause. Please withdraw your funds from pools. We will publish a postmortem ASAP.

Samczsun Twitter Analysis

Samczsun posted an initial analysis of the exploit to Twitter[12].

Another day, another Solana fake account exploit. This time, @CashioApp lost around $50M (based on a quick skim). How did this happen?

In order to mint new CASH, you need to deposit some collateral. This cross-program invocation (CPI) will transfer tokens from your account to the protocol's account, but only if the two accounts hold the same type of token. Otherwise, the token program will reject the transfer.

Here, the protocol validates that the crate_collateral_tokens account holds the right type of token by comparing it with the collateral account. It also verifies the collateral account shares the same token type as the saber_swap.arrow account.

Unfortunately, the mint field on the arrow account is never validated.

This means that ultimately, all of this validation is meaningless because there's no trusted root. The attacker just created fake accounts all the way down and then chained it all the way back up until they finally made a fake crate_collateral_tokens account.

tl;dr because Cashio didn't establish a root of trust for all of the accounts it used, an attacker was able to steal approximately $50M by forging a chain of fake accounts

After a correction by other members of the community, this description was augmented[13].

I need to make a correction! Thanks to @madergaser and @siintemal for pointing out that I completely missed the other half of the exploit.

So as I mentioned earlier, the two token accounts must hold the same token. The attacker forged accounts to bypass the validation on common.crate_collateral_tokens, but what about depositor_source?

In order to mint new CASH, you need to deposit some collateral. This cross-program invocation (CPI) will transfer tokens from your account to the protocol's account, but only if the two accounts hold the same type of token. Otherwise, the token program will reject the transfer.

Well, the depositor_source has to use the same token as common.collateral.

But common.collateral contains two fields: collateral and bank, and the attacker can't set the collateral unless they're the owner of the bank.

Fortunately, the attacker can just create a new bank, one in which they're the curator. They'll need to use a new crate_mint since the total supply of the token must be zero.
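The validation chain and the missing root-of-trust check described in the thread above, modelled as an added example in plain Rust. This is not Cashio's, Saber's or Arrow's code; the account layouts, field names, program ids and addresses are assumptions made for illustration. `validate_by_adjacency` performs only the neighbour-to-neighbour comparisons samczsun describes, and `validate_with_root` adds the owner checks and the check that the bank's crate mint equals the mint being minted:

```rust
// Added example, not Cashio's or Saber's code: a plain-Rust model of the deposit
// validation chain described in the thread above. Account layouts, field names,
// program ids and addresses are assumptions made for illustration.

/// Addresses and program ids, modelled as strings instead of 32-byte keys.
pub type Pubkey = &'static str;

/// Constructed program ids standing in for the real ones (assumption).
pub const TOKEN_PROGRAM: Pubkey = "TokenProgram";
pub const ARROW_PROGRAM: Pubkey = "ArrowProgram";
pub const CASHIO_PROGRAM: Pubkey = "CashioProgram";

/// SPL-style token account: `owner_program` owns the account data, `mint` is the token type held.
pub struct TokenAccount { pub owner_program: Pubkey, pub mint: Pubkey }
/// Arrow account; its `mint` field is the one the thread says was never validated.
pub struct Arrow { pub owner_program: Pubkey, pub mint: Pubkey }
/// Collateral record, tied to a bank.
pub struct Collateral { pub owner_program: Pubkey, pub mint: Pubkey, pub bank: Pubkey }
/// Bank; `crate_mint` is the token this bank is allowed to mint.
pub struct Bank { pub owner_program: Pubkey, pub key: Pubkey, pub crate_mint: Pubkey }

/// The accounts a deposit instruction receives, plus the mint it asks to mint into.
pub struct Deposit<'a> {
    pub depositor_source: &'a TokenAccount,
    pub crate_collateral_tokens: &'a TokenAccount,
    pub collateral: &'a Collateral,
    pub bank: &'a Bank,
    pub arrow: &'a Arrow,
    pub mint_to: Pubkey,
}

#[derive(Debug, PartialEq)]
pub enum Reject {
    MintMismatch(&'static str),
    WrongOwner(&'static str),
    BankMintMismatch,
}

/// Adjacency checks only: every account is compared with its neighbour, so a
/// self-consistent chain of freshly created accounts passes.
pub fn validate_by_adjacency(d: &Deposit<'_>) -> Result<(), Reject> {
    if d.crate_collateral_tokens.mint != d.collateral.mint {
        return Err(Reject::MintMismatch("crate_collateral_tokens"));
    }
    if d.collateral.mint != d.arrow.mint {
        return Err(Reject::MintMismatch("arrow"));
    }
    if d.collateral.bank != d.bank.key {
        return Err(Reject::MintMismatch("collateral.bank"));
    }
    // The token-program transfer CPI itself enforces this last equality.
    if d.depositor_source.mint != d.crate_collateral_tokens.mint {
        return Err(Reject::MintMismatch("depositor_source"));
    }
    Ok(())
}

/// Same chain anchored to a root: each account must be owned by the program
/// expected to have created it, and the token being minted must be the bank's
/// own crate mint, the load-bearing check the thread identifies as missing.
pub fn validate_with_root(d: &Deposit<'_>) -> Result<(), Reject> {
    validate_by_adjacency(d)?;
    let owners = [
        ("depositor_source", d.depositor_source.owner_program, TOKEN_PROGRAM),
        ("crate_collateral_tokens", d.crate_collateral_tokens.owner_program, TOKEN_PROGRAM),
        ("arrow", d.arrow.owner_program, ARROW_PROGRAM),
        ("collateral", d.collateral.owner_program, CASHIO_PROGRAM),
        ("bank", d.bank.owner_program, CASHIO_PROGRAM),
    ];
    for (name, actual, expected) in owners {
        if actual != expected {
            return Err(Reject::WrongOwner(name));
        }
    }
    if d.bank.crate_mint != d.mint_to {
        return Err(Reject::BankMintMismatch);
    }
    Ok(())
}

fn run_both(d: &Deposit<'_>) -> (Result<(), Reject>, Result<(), Reject>) {
    (validate_by_adjacency(d), validate_with_root(d))
}

/// Honest deposit (constructed): genuine LP collateral into the protocol's bank, minting CASH.
pub fn honest_deposit() -> (Result<(), Reject>, Result<(), Reject>) {
    let lp = TokenAccount { owner_program: TOKEN_PROGRAM, mint: "SaberUsdLp" };
    let vault = TokenAccount { owner_program: TOKEN_PROGRAM, mint: "SaberUsdLp" };
    let collateral = Collateral { owner_program: CASHIO_PROGRAM, mint: "SaberUsdLp", bank: "CashioBank" };
    let bank = Bank { owner_program: CASHIO_PROGRAM, key: "CashioBank", crate_mint: "CASH" };
    let arrow = Arrow { owner_program: ARROW_PROGRAM, mint: "SaberUsdLp" };
    run_both(&Deposit { depositor_source: &lp, crate_collateral_tokens: &vault,
                        collateral: &collateral, bank: &bank, arrow: &arrow, mint_to: "CASH" })
}

/// The "parallel universe" the thread describes (constructed test input): every
/// link is internally consistent around a worthless mint and a new bank with its
/// own crate mint, but the instruction asks to mint the real CASH token.
pub fn forged_chain_deposit() -> (Result<(), Reject>, Result<(), Reject>) {
    let worthless = TokenAccount { owner_program: TOKEN_PROGRAM, mint: "WorthlessMint" };
    let fake_vault = TokenAccount { owner_program: TOKEN_PROGRAM, mint: "WorthlessMint" };
    let fake_collateral = Collateral { owner_program: CASHIO_PROGRAM, mint: "WorthlessMint", bank: "NewBank" };
    let new_bank = Bank { owner_program: CASHIO_PROGRAM, key: "NewBank", crate_mint: "NewCrateMint" };
    let fake_arrow = Arrow { owner_program: ARROW_PROGRAM, mint: "WorthlessMint" };
    run_both(&Deposit { depositor_source: &worthless, crate_collateral_tokens: &fake_vault,
                        collateral: &fake_collateral, bank: &new_bank, arrow: &fake_arrow, mint_to: "CASH" })
}

fn main() {
    println!("honest deposit (adjacency, rooted): {:?}", honest_deposit());
    println!("forged chain   (adjacency, rooted): {:?}", forged_chain_deposit());
}
```

The point to take from running it is that `forged_chain_deposit` satisfies every neighbour comparison and is rejected only by the anchored validator, through the bank-to-mint comparison, which is why a single missing load-bearing check undoes the rest of the validation regardless of how many adjacent comparisons surround it.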

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Cashio.app attempted to assist members in filing claims[15].

We are working nonstop to make sure every refund submission gets verified in a transparent, efficient manner.

Developing this takes some time.

Regardless, we want to urge everyone impacted to head over to our discord and get help filling out a refund form.

We want to clarify that the team has been making sure that the thousands of entries are processed in a swift, publicly verifiable manner.

There are real money laundering concerns that must be addressed,

We will ensure that the file we send to the hacker contains only:

1) messages encrypted (signed) by private keys only allow decryption using a public key associated with the private key. Otherwise the message will return gibberish.

2) message memos contain valid proof that the public key used to decrypt message had ownership of lost funds.

We are working with @Saber_HQ @QuarryProtocol and more to get these tools out as fast as possible.

It is imperative that the ETH wallet addresses we make public are all in fact tied to stolen funds. Other ETH wallets are therefore considered laundered funds.

One of these tools will be for users to see themselves that their message can only be derived by their public key (since they signed using private key)

The other tool will be used internally to filter from thousands of memos to the find only ones associated with lost funds.

We will make the user signature verification tool public as soon as testing is completed- which should be within the next day or so (in order to give users the chance to use before we send files to the exploiter).

Please be aware that our team is focused on getting this out ASAP

The other tool will be a mix of a snapshot and verification of LP/CASH ownership before the time of the hack.

Once we get to that point, we will make sure the mechanism is as transparent as possible as well.

Additionally if you lost >$100 and < $100k in Quarry pools but can’t see your eligibility on their tool - please DM our team on Discord with your PUBLIC key and which quarry pools.

Please note that Quarry only had an eligibility tool out- claim function is not implemented yet.

Again- we know it might be a pain to have to go through and find the old LP transactions to prove your ownership- create the signature- then submit the form- but we are trying to make it as simple to get your money back while ensuring that you truly did lose the funds.

Total Amount Recovered

The total amount recovered is unknown.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

General Prevention Policies

Smart contracts function as effective hot wallets, and while audits can greatly reduce the risks, even smart contracts with multiple audits can still be vulnerable. By limiting the funds in the hot portion of a smart contract to what is necessary for expected liquidity, and holding the rest in a simple multi-signature structure by known trained participants storing keys offline, smart contracts can be developed which have significantly less funds at risk of theft. The hot balance can be further protected through a simple insurance fund which can be set up by the project, a third party smart contract, or a collective industry fund.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. GitHub - cashioapp/cashio: $CASH Rules Everything Around Me (May 5, 2022)
  2. Cashio Hacker Sets Conditions to Return Stolen $50 Million (May 5, 2022)
  3. https://etherscan.io/tx/0xb34bbfe78d56eac5576157671f9735d6888f89e8e4af2b1b7d6a2ffdecd90451 (May 5, 2022)
  4. https://web.archive.org/web/20220327045806/https://medium.com/@saberlabs/postmortem-cashio-hack-ecaf45301f48 (May 5, 2022)
  5. https://ca.finance.yahoo.com/news/solana-cashio-hack-loots-52-165359406.html (May 5, 2022)
  6. https://fortune.com/2022/03/25/crypto-robin-hood-stole-50-million-hacker-heist-cashio/ (May 5, 2022)
  7. Explained: The Cashio Hack (March 2022) (May 5, 2022)
  8. https://www.fxempire.com/news/article/solana-cashio-hack-loots-52-8m-investigations-reveal-surprising-facts-948075 (May 5, 2022)
  9. Cashio (May 5, 2022)
  10. Cashio (May 5, 2022)
  11. CashioApp - "There is an infinite mint glitch. ... Please withdraw your funds from pools." - Twitter (May 5, 2022)
  12. samczsun - "@CashioApp lost around $50M" - Twitter (Mar 24, 2022)
  13. samczsun - "I need to make a correction! ... I completely missed the other half of the exploit." - Twitter (May 5, 2022)
  14. CashioApp - "Thanks @wireless_anon for setting this up. We have deployed the same code [on our website]" - Twitter (May 5, 2022)
  15. CashioApp - "We are working nonstop to make sure every refund submission gets verified in a transparent, efficient manner." - Twitter (May 5, 2022)
  16. simplyianm - "I just launched a portal for figuring out if you were affected by the @CashioApp hack." - Twitter (May 5, 2022)
  17. simplyianm - "I just launched a portal for figuring out if you were affected by the @CashioApp hack." - Twitter Archive August 2nd, 2022 12:54:28 AM MDT (Apr 24, 2023)
  18. simplyianm - "Some things I'm getting to: - automatically checking if you got refunded by the hacker" - Twitter Archive April 1st, 2022 8:29:07 PM MDT (Apr 24, 2023)
  19. CashioApp - "Thanks to help from @simplyianm at @Saber_HQ you can now go to http://anchor.so/Cashio & search your wallet address." - Twitter (May 5, 2022)