CashioApp loses $50 million because of flawed contract code
Decentralized Solana-based app CashioApp lost around $50 million in cryptocurrency due to an exploit that was previously noticed by blockchain experts on other Solana-based apps, like Paradigm’s samczsun reports.
The researcher described in detail the method that allowed hackers to gain access to users.
Exploiting a fake account
To create new CASH tokens, users deposit a certain amount of collateral which falls under the cross-program invocation that transfers the tokens from the account to the protocol. The program also checks if two accounts have the same type of token on their balance; otherwise, the transfer is rejected.
Samczsun showed his followers the exact way to validate assets that remain on the sender account. The “crate_collateral_tokens” function compares two accounts that should hold the same type of token.
But unfortunately, the functions for creating new tokens have never been validated, which makes all the steps described above meaningless since the main function is not validated by the process mentioned above.
After the hacker noticed the issue in the contract code, he or she started creating a chain of fake accounts before finally making a fake account, crate_collateral_tokens. In a nutshell, because of a flaw in Cashio’s code that did not establish a root of trust for all accounts used, the attacker was able to steal at least $50 million.
DeFi projects under attack
Recently, blockchain security firm PeckShield shared a number of warnings to protect Binance Smart Chain-based owners and users. Projects like OneRing and UmbNetwork have been targeted by hackers who have stolen millions in assets from their balances. The loss is estimated at around $1.8 million.
The most common reason behind almost every exploit is a flawed code in the smart contracts of the projects, including SafeMath issues.
