KEY POINTS

  • CASH is the native token of the Solana-based money project Cashio App
  • CASH was trading $0.00025142C
  • Cashio App is the latest victim of the Infinite Mint Glitch exploit

Cashio App, the Solana-based decentralized money project, was hit by an exploit called Infinite Mint Glitch on Wednesday, with CASH price nosediving from $1 to $0.00005 following the development team's announcement.

The incident was shared on Twitter by a Cashio App developer who goes by the name 0xGhostChain. The announcement also warned users to stop minting any CASH at the time.

"Please do not mint any CASH. There is an infinite mint glitch. We are investigating the issue and we believe we have found the root cause. Please withdraw your funds from pools. We will publish a postmortem ASAP," the tweet reads.

Cyber Attack Crime, Hacker
Representation of a cyber attack crime. Getty Images/Bill Hinton/Contributor

An Infinite Mint Glitch happens when a crypto project can mint new tokens continuously without the need to post the required collateral. On Cashio App, users are required to place the necessary collateral in Liquidity Pool (LP) tokens issued by a decentralized exchange built on Solana called Saber.

The Cashio App team has not yet disclosed the extent of the exploit as well as how it happened. Interestingly, data from DefiLlama revealed that the exploit cost Cashio App approximately $28 million in value.

But it appears that a research partner at Web3 investment firm Paradigm who goes by the name samczsum has a dire picture of what happened to the project and revealed that the project had lost around $50M.

"Another day, another Solana fake account exploit. This time, @CashioApp lost around $50M (based on a quick skim). How did this happen," the tweet read.

According to the researcher, the malicious actor forged a chain of fake accounts through a vulnerability in Cashio App's smart contracts. The attacker was able to mint an infinite supply of CASH without placing any LP in exchange.

"This means that ultimately, all of this validation is meaningless because there's no trusted root. The attacker just created fake accounts all the way down and then chained it all the way back up until they finally made a fake crate_collateral_tokens account," samczsum explains.

The malicious actor has minted 2 billion CASH stablecoins as per data from Solscan. These CASH stablecoins were then swapped for other paired assets through Saber. On Twitter, Saber said it had paused its CASH liquidity pools following the Cashio App incident.

The price of the native CASH stablecoin token nosedived following the attack. CASH was trading down 100% at $0.00025142 with a 24-hour trading volume of $23,281 as of 2:09 a.m. ET on March 24, according to CoinGecko.