As DeFi exploits go, this may be a first.
Cashio, a stablecoin protocol on Solana, was exploited on March 23 to the tune of $52M. Now, the hacker is asking victims to justify why they should be refunded, saying their “intention was only to take money from those who do not need it, not from those who do.”
This message was encoded in an Ethereum transaction in the early hours of Mar. 28.
Affected users are asked to explain the source of their assets and why their money should be returned. The message goes on to single out users in Western nations, saying “money will not be refunded to rich Americans and Europeans who don’t need it.”
In response, a community member set up a website for victims to submit their responses in the very specific format demanded by the hacker.
The Cashio team is encouraging users to comply.
Infinite Mint Glitch
We’ve seen all manner of stablecoin designs over the last two years, ranging from overcollateralized (DAI, MIM) to more exotic options like UST, FRAX and FEI.
In this regard, Cashio’s $CASH token is relatively simple. The protocol allows users to mint $CASH using equal amounts of USDC and USDT in the form of Saber LP tokens. $CASH tokens could then be paired with other assets to participate in numerous yield farming opportunities on Solana.
Unfortunately, an incomplete collateral validation system allowed the exploiter to mint two billion $CASH tokens using fake tokens as collateral.
This newly minted $CASH was quickly dumped on the market, sending its price plummeting to nearly zero from its intended dollar peg.