samczsun
hunter @paradigm, powered by @openai. art by @Keiseeaaa,@vincywp. reach out via telegram https://t.co/1IDOUbRX6v

Mar 23, 2022, 7 tweets

Another day, another Solana fake account exploit. This time, @CashioApp lost around $50M (based on a quick skim). How did this happen?

In order to mint new CASH, you need to deposit some collateral. This cross-program invocation (CPI) will transfer tokens from your account to the protocol's account, but only if the two accounts hold the same type of token. Otherwise, the token program will reject the transfer.

Here, the protocol validates that the crate_collateral_tokens account holds the right type of token by comparing it with the collateral account. It also verifies that the collateral account shares the same token type as the saber_swap.arrow account.

Unfortunately, the mint field on the arrow account is never validated.

This means that ultimately, all of this validation is meaningless because there's no trusted root. The attacker just created fake accounts all the way down and then chained it all the way back up until they finally made a fake crate_collateral_tokens account.

tl;dr: because Cashio didn't establish a root of trust for all of the accounts it used, an attacker was able to steal approximately $50M by forging a chain of fake accounts.
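To make the "no trusted root" point concrete, here is an added, simplified Rust model of the check chain described above (it is not Cashio's code, and the `Pubkey` type, the `TRUSTED_COLLATERAL_MINT` constant and the account structs are assumptions). The weak version only compares neighbouring accounts with each other; the anchored version also compares the arrow mint against a mint the program itself trusts, which is the missing check.

```rust
// Added illustration, not Cashio's code: a simplified model of the
// collateral-account checks described in the thread. Account names mirror
// the thread; Pubkey and the trusted mint constant are assumptions.
type Pubkey = [u8; 32];

/// A token account as the program sees it: which mint it holds.
#[derive(Clone, Copy)]
struct TokenAccount { mint: Pubkey }

/// The saber_swap.arrow account, which also records a mint.
#[derive(Clone, Copy)]
struct ArrowAccount { mint: Pubkey }

/// Assumed: the one mint the protocol accepts as collateral, hard-coded
/// (or stored in trusted program state) rather than read from a
/// user-supplied account. Constructed value.
const TRUSTED_COLLATERAL_MINT: Pubkey = [0xAA; 32];

/// Weak validation: each account agrees with its neighbour, but the chain
/// is never anchored to a trusted root, so attacker-created accounts that
/// all name the same worthless mint pass every comparison.
fn validate_weak(crate_tokens: &TokenAccount, collateral: &TokenAccount, arrow: &ArrowAccount) -> bool {
    crate_tokens.mint == collateral.mint && collateral.mint == arrow.mint
}

/// Hardened validation: the same pairwise checks, plus the arrow mint is
/// compared with a trusted constant, giving the chain a root of trust.
fn validate_anchored(crate_tokens: &TokenAccount, collateral: &TokenAccount, arrow: &ArrowAccount) -> bool {
    arrow.mint == TRUSTED_COLLATERAL_MINT
        && collateral.mint == arrow.mint
        && crate_tokens.mint == collateral.mint
}

/// Constructed scenario: a chain of fake accounts sharing a fake mint.
fn fake_chain() -> (TokenAccount, TokenAccount, ArrowAccount) {
    let fake_mint: Pubkey = [0xBB; 32];
    (TokenAccount { mint: fake_mint }, TokenAccount { mint: fake_mint }, ArrowAccount { mint: fake_mint })
}

/// Constructed scenario: honest accounts using the real collateral mint.
fn honest_chain() -> (TokenAccount, TokenAccount, ArrowAccount) {
    let m = TRUSTED_COLLATERAL_MINT;
    (TokenAccount { mint: m }, TokenAccount { mint: m }, ArrowAccount { mint: m })
}

fn main() {
    let (c, col, a) = fake_chain();
    println!("weak accepts fake chain: {}", validate_weak(&c, &col, &a));         // true
    println!("anchored accepts fake chain: {}", validate_anchored(&c, &col, &a)); // false
}
```

The fake chain is internally consistent, so pairwise equality alone cannot tell it from the honest one; only the comparison against a value the program owns does.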

Turns out this thread is incomplete - here's part two!
