Cashio Stablecoin: Not Stable—CASH Loses 99.99995%

A hacker drove a stablecoin into the ground yesterday. Cashio, a dollar-backed coin, is now all but worthless, thanks to a simple exploit.

Yet again, it illustrates the staggering naïvety and ineptitude of cryptocurrency fanbois. Yeah, sure, let’s sweep aside the centuries of governance, safeguards and legal practice in the banking industry. Because … uhhhh … something-something fiat?

Schadenfreude for those of us who know this tulip-like craze for imaginary money is hilariously dumb. In today’s SB Blogwatch, we point and laugh, Nelson-like.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Taking your fears to social media.


What’s the craic? Tim Hakki reports—“Stablecoin Project Cashio Plummets to Zero”:

The price of Cashio’s dollar-pegged stablecoin CASH has fallen from $1 to $0.00005 after an “infinite mint glitch” enabled attackers to mint tokens without providing collateral. … Cashio Dollar is a Solana-native stablecoin launched in November 2021. Typically, anyone can mint CASH by first depositing Saber USDT-USDC liquidity provider (LP) tokens.

This isn’t the first time a DeFi protocol has been looted for millions through an “infinite mint” glitch. In December 2020, a group of DeFi developers used a similar exploit on the DeFi insurance project Cover. … Last summer, attackers ran the price of SafeDollar’s eponymous dollar-pegged stablecoin to zero.

ELI5? Shaurya Malwa has a go—“Cashio’s CASH token has lost almost all its value”:

CASH is a stablecoin pegged to the U.S. dollar and is backed by USDC and USDT via a liquidity pool on Saber, a Solana-based market maker. Users can mint their CASH by providing liquidity with USDT and USDC.

[It] allowed the hacker to manipulate Cashio’s smart contracts to mint an infinite supply of CASH without providing any liquidity in return. Blockchain data shows over 2 billion CASH were minted, without any USDC or USDT backing. … Data from tracking tool DeFiLlama shows the total value locked on Cashio dropped by $28 million after the attack.

$28 million? Not so fast. Sam Sun has a higher estimate. Much higher:

Another day, another Solana fake account exploit. This time, Cashio lost around $50M. … How did this happen?

In order to mint new CASH, you need to deposit some collateral. This cross-program invocation (CPI) will transfer tokens from your account to the protocol’s account, but only if the two accounts hold the same type of token. Otherwise, the token program will reject the transfer.

Unfortunately, the mint field on the arrow account is never validated. … This means that ultimately, all of this validation is meaningless because there’s no trusted root. The attacker just created fake accounts all the way down and then chained it all the way back up.
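The "no trusted root" failure described in the quote above, as a simplified Rust model. This is an added illustration, not Cashio's code and not taken from Sam Sun's write-up. The struct names, the mint labels and the use of a constant to stand in for a program-controlled root are all assumptions made for the example.

```rust
// Simplified model of the validation chain; not Solana SDK code.
// Struct names, fields and mint labels are hypothetical.
struct TokenAccount { mint: &'static str } // token type the account holds
struct Arrow { mint: &'static str }        // wrapper account naming its LP mint
struct Collateral { mint: &'static str }   // record of the accepted collateral mint

struct Accounts { collateral: Collateral, arrow: Arrow, source: TokenAccount, vault: TokenAccount }

// Value fixed by the program itself, never read from caller input (constructed label).
const TRUSTED_LP_MINT: &str = "SABER_USDT_USDC_LP";

// Weak: each check compares one caller-supplied account with another,
// so a self-consistent set of fake accounts satisfies all of them.
fn validate_chained(a: &Accounts) -> bool {
    a.collateral.mint == a.arrow.mint    // collateral record agrees with arrow
        && a.source.mint == a.arrow.mint // deposited tokens agree with arrow
        && a.source.mint == a.vault.mint // transfer rule: both hold the same token
}

// Hardened: the same chain, anchored to a root the caller cannot supply.
fn validate_rooted(a: &Accounts) -> bool {
    a.arrow.mint == TRUSTED_LP_MINT && validate_chained(a)
}

// Build a self-consistent account set around one mint label.
fn chain_for(mint: &'static str) -> Accounts {
    Accounts {
        collateral: Collateral { mint },
        arrow: Arrow { mint },
        source: TokenAccount { mint },
        vault: TokenAccount { mint },
    }
}

fn main() {
    let fake = chain_for("WORTHLESS_TOKEN");
    let real = chain_for(TRUSTED_LP_MINT);
    println!("chained: fake={} real={}", validate_chained(&fake), validate_chained(&real));
    println!("rooted:  fake={} real={}", validate_rooted(&fake), validate_rooted(&real));
}
```

Every pairwise check passes for the fake set because nothing in it is compared against a value the program owns; pinning one link to such a value is what makes the rest of the chain meaningful.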

“And nothing of value was lost.” AmiMoJo lays down the law:

The lie they tell is that code is the law, so it doesn’t matter who wrote it. You can check the code yourself and see exactly what the rules are. … In reality what happens is people check the code, notice a flaw and then exploit it mercilessly until the coin is worthless.

Is “stablecoin” an oxymoron? Here’s u/wdrosa:

Much of it was in liquidity pools with other stablecoins. So they not only lost their CASH, they lost the USDC or whatever that it was paired with. That’s how the hacker got their money, dumping into those pools.

Stick a fork in it? Gravis Zero is happy Cashio’s dead, but notes there are many others:

Good. One energy wasting cryptocurrency down, zillions to go.

Or was it a rug pull? u/wildup alleges an allegation:

Yeah right, it was a “glitch.” Sadly some morons will believe it.

Why would anyone be so daft as to “invest” in this garbage? gweihir has a clue:

Same old story: Greed, stupidity, the fear of “missing out” and a deep conviction to be a lot smarter than others. You know, all the usual ingredients of a good Ponzi-inspired scam.

Meanwhile, u/Ants_r_us shakes the imaginary money tree:

Welcome to ‘Whose coin Is It Anyway?’—the show where everything’s made up and the points don’t matter.

And Finally:

Avoiding self-hatred


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Timis Alexandra (via Unsplash; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
