Cashio (CASH) price plummets as hacker reveals he will not refund “wealthy Americans and Europeans.” The developers at Cashio and Saber released more details about the recent $52 million+ exploit. 

Cashio (CASH), a decentralized stablecoin built on the Solana network, is the latest major hacking victim in the blockchain industry. An infinite minting vulnerability in its code allowed a hacker to mint 2.000 billion CASH without any collateral. The hacker exchanged the minted CASH for other stablecoins on the Saber DEX, stealing about $52.8 million. The funds were exchanged back to ETH using the ParaSwap and Curve Finance protocols, reports indicate.

The million-dollar exploit has dropped the value of Cashio (CASH) to practically $0, as shown by the cryptocurrency price monitoring platform CoinGecko. 

Cashio (CASH) price crash after $52 million hack. 
Source: CoinGecko. 

The CASH stablecoin has gone from a value of $1 to $0.00008 at the time of writing. 

The hacker has posted a message about next actions, while Saber developers revealed more details about what happened. In their post-mortem report, they offered a reward of 1 million dollars for finding the whereabouts of the hacker or the stolen funds. 


How did the Cashio (CASH) exploit happen?

The Saber Labs report indicates that the hacker exploited an account validation vulnerability in Cashio.app to create fake accounts and attack the contract that controlled the minting of CASH. In this way, the attacker was able to mint an immense amount of CASH without the required collateral deposits in USDT and USDC. 
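
The class of flaw described above, as a simplified model added here (not Cashio's or Saber's code): on Solana the caller supplies every account an instruction reads, so a program that only checks those accounts against each other will accept a self-consistent forged set. All account names, program ids and amounts below are constructed assumptions.

```rust
// Constructed model of Solana-style account validation; every name is hypothetical.
const PROGRAM_ID: &str = "stable_program"; // the minting program itself
const TOKEN_PROGRAM: &str = "token_program"; // owner of genuine token accounts
const TRUSTED_BANK: &str = "bank_1"; // bank address fixed at deployment

// `owner` models the owning program, which the runtime sets and a caller cannot forge.
struct Bank { key: &'static str, owner: &'static str }
struct Collateral { owner: &'static str, bank: &'static str, mint: &'static str }
struct Deposit { owner: &'static str, mint: &'static str, amount: u64 }

// Weak check: the supplied accounts only have to agree with each other,
// so a set of fake accounts that reference one another is accepted.
fn mint_weak(b: &Bank, c: &Collateral, d: &Deposit) -> Result<u64, &'static str> {
    if c.bank != b.key { return Err("collateral not linked to bank"); }
    if d.mint != c.mint { return Err("deposit mint mismatch"); }
    Ok(d.amount) // amount of stablecoin to mint against the deposit
}

// Strict check: each account is first tied to a root the caller cannot choose
// (fixed bank address, owning program), then the links are compared.
fn mint_strict(b: &Bank, c: &Collateral, d: &Deposit) -> Result<u64, &'static str> {
    if b.key != TRUSTED_BANK || b.owner != PROGRAM_ID { return Err("untrusted bank"); }
    if c.owner != PROGRAM_ID { return Err("collateral not owned by program"); }
    if d.owner != TOKEN_PROGRAM { return Err("deposit not a token account"); }
    mint_weak(b, c, d)
}

// Constructed sample: accounts created through the real program.
fn genuine() -> (Bank, Collateral, Deposit) {
    (Bank { key: "bank_1", owner: PROGRAM_ID },
     Collateral { owner: PROGRAM_ID, bank: "bank_1", mint: "usdc_mint" },
     Deposit { owner: TOKEN_PROGRAM, mint: "usdc_mint", amount: 100 })
}

// Constructed sample: fake accounts that are consistent only with each other.
fn forged() -> (Bank, Collateral, Deposit) {
    (Bank { key: "fake_bank", owner: "other_program" },
     Collateral { owner: "other_program", bank: "fake_bank", mint: "worthless_mint" },
     Deposit { owner: TOKEN_PROGRAM, mint: "worthless_mint", amount: 1_000_000 })
}

fn main() {
    let (b, c, d) = forged();
    println!("weak:   {:?}", mint_weak(&b, &c, &d));
    println!("strict: {:?}", mint_strict(&b, &c, &d));
    let (b, c, d) = genuine();
    println!("strict, genuine accounts: {:?}", mint_strict(&b, &c, &d));
}
```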

Upon noticing the attack, the developers stopped the protocol's smart contracts while freezing trades and withdrawals on Saber. Other cryptocurrency exchange platforms were also alerted about the Cashio exploit, in an attempt to stop the theft of the funds. However, as they point out in the report, “the team began to investigate and realized that the damage had already been done.” 

On Twitter, the protocol warned users about the exploit, stating that they should withdraw their funds from the protocol and liquidity pools. 

The hacker's message to the crypto community

Now, the hacker has sent a message to the crypto community about the refund of the stolen funds. This message indicates that those users with funds less than $100,000 have already been refunded and that some others with funds greater than this value will be able to receive their money back in the coming weeks. 

However, the hacker has indicated that he will not return the money to wealthy Americans and Europeans, “who do not need” the funds back. In his message, he indicates that he will choose “who receives the refund. It may be that he receives all the return or part of it or none at all.” 

Users who have been affected by the hack must explain where the money comes from and why they need the funds back, according to the conditions outlined by the attacker in their message. 

Message posted by Cashio (CASH) hacker.
Source: Etherscan

The Cashio developers have created a portal to help these users submit their refund requests correctly, as the attacker also indicated that a request with incomplete information or an incorrect signature will result in “non-return” of the funds. 

“The intention was only to take money from those who don't need it, not from those who do,” the message states, noting that ETH will be used to reimburse users according to the conditions imposed. 

Stricter audits in DeFi

As a result of the attack, Cashio developers recognized the need and importance of establishing stricter audits of the protocols they develop within the decentralized finance (DeFi) ecosystem to better protect their users. 

“Knowing that we failed to detect this exploit from one of the assets listed on Saber and lost their trust is one of the hardest parts for us,” the developers said.

At the time of the exploit, the team reported that it was willing to negotiate with the hacker for the return of funds. Additionally, it noted that they would implement a $1 million bug bounty program to detect vulnerabilities in Saber. To improve security, they said they will prevent updates and that all smart contracts will be reviewed by authorized auditing firms. 
