Our Research Team advised against the risks of Solana’s Cashio application. 3 months later, Cashio was hacked and drained $52.8 million
Arrow Protocol risk detected
Back in January 2022, one of our main partners asked us to integrate Arrow Protocol with his solution on top of Solana’s network. After some research, the Think & Dev team found that an application named Cashio had Arrow Protocol integrated, so we decided to take a look and see how it worked. As this protocol does not have much documentation on how to integrate it and its code is unaudited, our highly experienced research team warned that using it would be very risky.
How does Arrow work?
Deposits should be staked into Sunny Aggregator and Quarry (As Sunny is built on top of Quarry) in a Crate for $SUNNY and $SBR yields via Arrow Protocol.
What is Sunny?
The Sunny Aggregator protocol is a decentralized protocol governed by the Sunny DAO. “SUNNY” is a governance token and will be used to make decisions about the future of the protocol.
How does the Arrow Protocol work step by step?
- First of all Arrow set up a Quarry and a Rewarder for the LP Token.
- Setup a Sunny Pool using this Rewarder .
- Create another Quarry and Rewarder using the latest Sunny Pool – With all this objects, creates a New Arrow (using the Sunny Pool, the latest Rewarder, adding a beneficiary, etc).
- Then the user should be able to stake or unstake LP Tokens.
- Here we can see how to implement a Happy Path and the stake and unstake actions.
- Unaudited code.
- There are no tests to obtain the rewards, but there are a couple of methods in the protocol, “claim” and “withdraw_rewards_to_beneficiary”.
- No error testing, just a happy path.
- Lack of communication.
- Lack of documentation.
- The Arrow protocol takes a 10% fee on all claimed tokens.
- Integration with other applications such as Cashio is not yet complete. Cashio has no productive farming.
- Arrow Protocol application does not show APY.
- Sunny has a Saber LP sublist, for example this quarry “Saber UST-CASH LP” is not in the Sunny list.Sunny gives more APY than quarry, less lp pools are accepted as deposit format.
Sadly on March 25th, Cashio, which was following the Arrow protocol, was hacked and drained $52.8 million, which made Cash stablecoin collapsed from $1 to $0.00005, leaving the entire DeFi ecosystem appalled.
How did it happen?
Aparently a flaw in Cashio’s codebase allowed a hacker to mint “two billion Cash tokens’ by using the perpetrator’s unknown tokens.
As Cashio did not have a root of trust for the accounts that it used, this rendered the validation process useless and enabled the hacker to forge a chain of fake accounts in order to mint the 2 billion CASH token.
Also, the hacker burnt part of the minted Cash tokens for the Saber USDT-USDC LP tokens. Then swapped the LP pair tokens for $16.4 million USDC and $10.8 million USDT.
The remaining Cash tokens were swapped out for $8.6 million UST and $17 million USDC through Saber. Finally, after draining $52.8 million, the hacker swapped $15.3 million in USDC and USDT.
The Jupiter liquidity aggregator on Solana was the tool used to transfer the funds in 3 transactions to an Ethereum address through the Wormhole Bridge.