Cashio hack: how to improve security and avoid $52.8 million loss

April 15, 2022
demian
1 min read
Category: Security
Our Research Team advised against the risks of Solana's Cashio application. Three months later, Cashio was hacked and drained of $52.8 million.

Arrow Protocol risk detected
Back in January 2022, one of our main partners asked us to integrate Arrow Protocol with their solution on top of the Solana network. After some research, the Think & Dev team found that an application named Cashio already had Arrow Protocol integrated, so we took a look at how it worked. As the protocol has little documentation on how to integrate it and its code is unaudited, our research team warned that using it would be very risky.
How does Arrow work?

Deposits are staked into Sunny Aggregator and Quarry (Sunny is built on top of Quarry) through a Crate, earning $SUNNY and $SBR yields via Arrow Protocol.
What is Sunny?

The Sunny Aggregator protocol is a decentralized protocol governed by the Sunny DAO. SUNNY is its governance token and will be used to make decisions about the future of the protocol.
How does the Arrow Protocol work step by step?

  • First, Arrow sets up a Quarry and a Rewarder for the LP token.
  • Set up a Sunny Pool using this Rewarder.
  • Create another Quarry and Rewarder using the new Sunny Pool. With all these objects, create a new Arrow (using the Sunny Pool, the latest Rewarder, a beneficiary, etc.).
  • The user can then stake or unstake LP tokens.
  • The diagram below shows a happy path for the stake and unstake actions.
[Image: happy path for the stake and unstake actions]

Risks detected
  • Unaudited code.
  • There are no tests covering reward collection, although the protocol exposes two methods for it, "claim" and "withdraw_rewards_to_beneficiary".
  • No error-path testing, only a happy path.
  • Lack of communication.
  • Lack of documentation.
  • The Arrow protocol takes a 10% fee on all claimed tokens.
  • Integration with other applications such as Cashio is not yet complete; Cashio has no productive farming.
  • The Arrow Protocol application does not show APY.
  • Sunny only accepts a subset of the Saber LP pools; for example, the quarry "Saber UST-CASH LP" is not in the Sunny list. Sunny gives a higher APY than Quarry, but fewer LP pools are accepted as deposits.
Cashio Hack

Sadly, on March 25th, 2022, Cashio, which was following the Arrow protocol, was hacked and drained of $52.8 million. The CASH stablecoin collapsed from $1 to $0.00005, leaving the entire DeFi ecosystem appalled.
How did it happen?

Apparently a flaw in Cashio's codebase allowed the attacker to mint two billion CASH tokens by depositing tokens unknown to the protocol. Cashio had no root of trust for the accounts it used: each account was validated only against other caller-supplied accounts, never against a key the program itself knew, so the validation process was useless and the attacker could forge a self-consistent chain of fake accounts to mint the 2 billion CASH.

The attacker then burnt part of the minted CASH for Saber USDT-USDC LP tokens and swapped the LP pair for $16.4 million USDC and $10.8 million USDT. The remaining CASH was swapped for $8.6 million UST and $17 million USDC through Saber. Finally, after draining $52.8 million, the attacker swapped $15.3 million in USDC and USDT through the Jupiter liquidity aggregator on Solana and transferred the funds in 3 transactions to an Ethereum address through the Wormhole Bridge.
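The missing-root-of-trust failure described above, modelled in Rust as an added example (this is not Cashio's code; the account layout, keys, mint names and balances are assumptions). On Solana the transaction sender chooses every account a program sees, so the vulnerable check, which only confirms that the caller-supplied accounts agree with each other, accepts an attacker-built chain, while the hardened check starts from a key the program already trusts and walks the chain from there.

```rust
// Toy model of the flaw. Added example, not Cashio's code: keys, names and
// the `Data` layout are assumptions.

pub const PROGRAM_ID: &str = "CrateProgram";
pub const TOKEN_PROGRAM_ID: &str = "TokenProgram";
/// Root of trust: the single config account the program will accept
/// (in a real program a hard-coded key or a PDA the program derives).
pub const TRUSTED_CONFIG_KEY: &str = "CrateConfigPDA";

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Data {
    /// Program config written at crate creation; records the accepted collateral mint.
    CrateConfig { collateral_mint: &'static str },
    /// Collateral registration claiming that `mint` backs the crate.
    Collateral { mint: &'static str },
    /// Token account holding `amount` units of `mint`.
    TokenAccount { mint: &'static str, amount: u64 },
}

#[derive(Debug, Clone, Copy, PartialEq)]
pub struct Account {
    pub key: &'static str,
    /// Program that owns (and therefore wrote) the account data.
    pub owner: &'static str,
    pub data: Data,
}

/// Vulnerable: only checks that `collateral` and `deposit` agree with each
/// other. Nothing ties either account to the real crate.
pub fn mint_cash_vulnerable(collateral: &Account, deposit: &Account, amount: u64) -> Result<u64, &'static str> {
    let registered_mint = match collateral.data {
        Data::Collateral { mint } => mint,
        _ => return Err("collateral: wrong account type"),
    };
    let (deposit_mint, balance) = match deposit.data {
        Data::TokenAccount { mint, amount } => (mint, amount),
        _ => return Err("deposit: wrong account type"),
    };
    if deposit_mint != registered_mint {
        return Err("deposit: mint does not match collateral");
    }
    if balance < amount {
        return Err("deposit: insufficient balance");
    }
    Ok(amount) // CASH minted 1:1 against whatever the caller called collateral
}

/// Hardened: the chain starts at a key the program trusts, every account's
/// owner is checked, and each link is compared with the previous one.
pub fn mint_cash_hardened(config: &Account, collateral: &Account, deposit: &Account, amount: u64) -> Result<u64, &'static str> {
    if config.key != TRUSTED_CONFIG_KEY || config.owner != PROGRAM_ID {
        return Err("config: not the trusted crate config");
    }
    let trusted_mint = match config.data {
        Data::CrateConfig { collateral_mint } => collateral_mint,
        _ => return Err("config: wrong account type"),
    };
    // Owner check alone is not enough: a Collateral record the attacker
    // created through the program's own instructions is still program-owned.
    if collateral.owner != PROGRAM_ID {
        return Err("collateral: not owned by the crate program");
    }
    match collateral.data {
        Data::Collateral { mint } if mint == trusted_mint => {}
        Data::Collateral { .. } => return Err("collateral: mint not accepted by config"),
        _ => return Err("collateral: wrong account type"),
    }
    if deposit.owner != TOKEN_PROGRAM_ID {
        return Err("deposit: not a token-program account");
    }
    let balance = match deposit.data {
        Data::TokenAccount { mint, amount } if mint == trusted_mint => amount,
        Data::TokenAccount { .. } => return Err("deposit: wrong mint"),
        _ => return Err("deposit: wrong account type"),
    };
    if balance < amount {
        return Err("deposit: insufficient balance");
    }
    Ok(amount)
}

/// Constructed attacker accounts: a second crate config made through the
/// program's own instructions, a collateral record for a junk mint, and a
/// token account full of that junk mint.
pub fn attacker_accounts() -> (Account, Account, Account) {
    let junk = "AttackerJunkMint";
    (
        Account { key: "AttackerConfig", owner: PROGRAM_ID, data: Data::CrateConfig { collateral_mint: junk } },
        Account { key: "AttackerCollateral", owner: PROGRAM_ID, data: Data::Collateral { mint: junk } },
        Account { key: "AttackerTokenAcct", owner: TOKEN_PROGRAM_ID, data: Data::TokenAccount { mint: junk, amount: 2_000_000_000 } },
    )
}

/// Constructed legitimate accounts for comparison.
pub fn legit_accounts() -> (Account, Account, Account) {
    let lp = "SaberUsdtUsdcLp";
    (
        Account { key: TRUSTED_CONFIG_KEY, owner: PROGRAM_ID, data: Data::CrateConfig { collateral_mint: lp } },
        Account { key: "RealCollateral", owner: PROGRAM_ID, data: Data::Collateral { mint: lp } },
        Account { key: "UserTokenAcct", owner: TOKEN_PROGRAM_ID, data: Data::TokenAccount { mint: lp, amount: 1_000 } },
    )
}

fn main() {
    let (fake_cfg, fake_coll, fake_dep) = attacker_accounts();
    println!("vulnerable: {:?}", mint_cash_vulnerable(&fake_coll, &fake_dep, 2_000_000_000));
    println!("hardened:   {:?}", mint_cash_hardened(&fake_cfg, &fake_coll, &fake_dep, 2_000_000_000));
}
```

The vulnerable path mints two billion CASH against a token account full of a junk mint because the only thing it verifies is that two attacker-made accounts point at the same mint. The hardened path rejects the attacker's config by key, and even when handed the real config it rejects the attacker's collateral record because its mint is not the one the config names. In a real Anchor program the equivalent constraints are `owner` checks, PDA `seeds` and `has_one` constraints that tie each account to the previous one, starting from an account whose address is derived or hard-coded.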
think and dev (c) all rights reserved
Last updated: April 14, 2022