Hacker who cracked Cashio returned the funds to “poor wallets”
The journalistic cliché that “the DeFi world was rocked by a hack” could be used again.
But, the truth is that the DeFi world is already getting used to such incidents: unfortunately, the relatively young decentralized finance industry is constantly under attack from the more mature cybercrime industry. So, on March 23, 2022, the CASHio team, a decentralized platform based on the Solana blockchain, announced that an unknown attacker managed to use a “hole” in the CASH token generation algorithm, provoking “endless emission”.
As a result, the hacker withdrew cryptocurrency assets with a market value of $52 million from the CASHio pool. This was the second-largest DeFi hack, after the infamous Wormhole exploit, which caused a $320 million loss.
CASH coins are created by providing USDT and USDC stablecoins as bail on the Saber decentralized exchange. A bug at the code level was the ability to run infinity minting without a corresponding balancing reaction at the other end of the algorithm.
We can say that “2 + 2” in the system temporarily ceased to be equal to “4”, but the system continued to function as if this result did not affect anything.
The fraud exploited the bug to generate 2 billion “illegal” tokens and then quickly got rid of them, raising over $50 million in total.
The day before these events, the coin was worth $1, which is exactly what a cryptocurrency supported by stablecoins in a ratio of 1:1 should be worth.
However, the digital economy (unlike the protocol’s own algorithm) cannot be deceived, therefore, as soon as the ratio of CASH and bail changed dramatically, the value of the token instantly collapsed to almost zero, which automatically made all investors affected.
Also, users panicked to withdraw their funds, which reduced the number of blocked assets on the platform by more than 50 times.
The appearance of Robin Hood
In the note to the transaction, the hacker left a message, due to which he received the nickname “Robin Hood”. The essence of the message was the return of funds to “poor” users (wallets with a balance of less than 100,000 coins), and the refusal to reimburse “rich” wallets.
A beautiful gesture, but let’s be fair: the real Robin Hood gave to the poor what he took from the rich. And our “hero” simply returned the money to the poor.
After a while, articles were “cleaned up” on Medium with some statements from Cashio made in the short term. In particular, attempts to view statements that the team will not refund users, as well as the proposed reward of $ 1 million for the hacker in case of a refund, result in a “404” error.
The removal of these posts shows the project’s emotional reaction to the events that have taken place, and a lot of stress when making the first decisions.