Share this page!

Maybe Scrolly?
samczsun Profile picture
Twitter logo
Mar 23 7 tweets 3 min read
Another day, another Solana fake account exploit. This time, @CashioApp lost around $50M (based on a quick skim). How did this happen? Image
In order to mint new CASH, you need to deposit some collateral. This cross-program invocation (CPI) will transfer tokens from your account to the protocol's account, but only if the two accounts hold the same type of token. Otherwise, the token program will reject the transfer. Image
Here, the protocol validates that the crate_collateral_tokens account hold the right type of token by comparing it with the collateral account. It also verifies the collateral account shares the same token type as the saber_swap.arrow account. Image
Unfortunately, the mint field on the arrow account is never validated. Image
This means that ultimately, all of this validation is meaningless because there's no trusted root. The attacker just created fake accounts all the way down and then chained it all the way back up until they finally made a fake crate_collateral_tokens account. Image
tl;dr because Cashio didn't establish a root of trust for all of the accounts it used, an attacker was able to steal approximately $50M by forging a chain of fake accounts
Turns out this thread is incomplete - here's part two!

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with samczsun

samczsun Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @samczsun

samczsun Profile picture
Feb 3
How did the @wormholecrypto exploit work? I joined forces with @gf_256 and @ret2jazzy to reverse engineer the exploit, and now that it's been patched we can finally share it with you👇 Image
First, we had to determine where the exploit occurred. Ethereum, or Solana? A quick check of the encoded VM that the attacker submitted showed that it contained valid signatures from the guardians. This meant that either they got the private keys, or they exploited the bridge. Image
Given that the attackers had left over $600MM in tokens in the bridge, I figured that the latter was more likely. Sure enough, there was a corresponding transaction on Solana where the attacker bridged out the ETH.

solscan.io/tx/5UaqPus91wv… Image
Read 15 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

:(