Web3 tumbles as the Solana-based stablecoin Cashio lost its value after an experienced attacker exploited it for around $28 million. As the bloodshed of rug pulls grows, it is worth discussing what is at stake in the bigger picture.
How It Happened
A researcher from Paradigm explained the $50M attack.
Another day, another Solana fake account exploit. This time, @CashioApp lost around $50M (based on a quick skim). How did this happen?
— samczsun (@samczsun) March 23, 2022
Cashio users minted the token CASH by depositing Saber USDT-USDC LP tokens as collateral. Saber is a cross-chain Automated Market Maker for pegged assets on Solana.
Although the protocol validates accounts of token holders, Cashio’s validation system was incomplete because it didn’t provide a root of trust. This opened up the door for the infinite mint.
The researcher further explained that “The attacker just created fake accounts all the way down and then chained it all the way back up until they finally made a fake crate_collateral_tokens account.”
This way, they were able to mint LP tokens from $CASH pool with any token, “then burned for SaberSwap LP tokens which were cashed out for 10.8M UST and 16.4M USDC, and the remaining 1.97B CASH were swapped for 8.6M UST and 17M USDC on SaberSwap.”
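The missing root of trust described above, as an added example (not Cashio's code and not part of the original article): a simplified Rust model in which each account in a chain vouches for the next. The account layout, keys and function names are assumptions for illustration; the check that only verifies the links accepts a self-consistent fabricated chain, while the check that also pins the top of the chain to a known address rejects it.

```rust
use std::collections::HashMap;

// Simplified model of chained account validation: not Solana SDK code and not
// Cashio's account layout. All names, keys and mints are hypothetical.
type Key = u32;
type Ledger = HashMap<Key, Account>;

struct Account {
    child: Key, // the account this one vouches for (0 for the last link)
    mint: Key,  // asset the account claims to handle
}

const TRUSTED_ROOT: Key = 1; // fixed at deployment: the one genuine top-level account

/// Each account in `chain` (top to bottom) exists, vouches for the next, and shares its mint.
fn links_consistent(ledger: &Ledger, chain: &[Key]) -> bool {
    chain.windows(2).all(|w| match (ledger.get(&w[0]), ledger.get(&w[1])) {
        (Some(parent), Some(child)) => parent.child == w[1] && parent.mint == child.mint,
        _ => false,
    })
}

/// Incomplete: any self-consistent chain passes, whoever created it.
fn validate_incomplete(ledger: &Ledger, chain: &[Key]) -> bool {
    !chain.is_empty() && links_consistent(ledger, chain)
}

/// Complete: same link checks, but the chain must start at the trusted root.
fn validate_rooted(ledger: &Ledger, chain: &[Key]) -> bool {
    chain.first() == Some(&TRUSTED_ROOT) && links_consistent(ledger, chain)
}

/// Constructed sample data: genuine chain 1 -> 2 -> 3 on mint 10, and a
/// self-consistent chain 100 -> 101 -> 102 on a worthless mint 99.
fn sample_ledger() -> Ledger {
    let mut l = Ledger::new();
    let rows = [(1, 2, 10), (2, 3, 10), (3, 0, 10), (100, 101, 99), (101, 102, 99), (102, 0, 99)];
    for (key, child, mint) in rows {
        l.insert(key, Account { child, mint });
    }
    l
}

fn main() {
    let l = sample_ledger();
    for chain in [[1, 2, 3], [100, 101, 102], [1, 101, 102]] {
        println!("{:?} incomplete={} rooted={}", chain, validate_incomplete(&l, &chain), validate_rooted(&l, &chain));
    }
}
```

The third chain in `main` starts at the trusted root but continues into the fabricated accounts; both checks reject it because the genuine root does not vouch for account 101.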
The price of $CASH tanked to nothing and the exploiter left an intriguing message:
“Account with less 100k have been returned. all other money will be donated to charity.”
It was confirmed that the hacker reimbursed some of the stolen funds to wUST and USDC pools. But charity? We don’t think so.
The Solana Robinhood?
Joe McGill from TRM Labs is helping to identify the culprit and confirmed that they are working with a lead provided by the writer Stefan Stankovic from Cryptobriefing, who found that the exploiter could be a 16-year-old male teenager (or so he said) who goes by the name Ariusuha and has been involved in multiple rug pulls.
Recent findings show that the wallet of the exploiter, 6D7f, was funded by the wallet sWZs, which has been previously linked to the mentioned NFT rug pulls: Doodle Dragons NFT, Balloonsville NFT, and Fine Folks. In the case of the former, it had promised to donate $30,000 to WWF and when it rug pulled, its now-deleted Twitter account posted this message:
So we can assume what will happen with Ariusuha’s latest charitable intention.
But this latest attack might have been too big for Ariusuha. Stankovic’s research found that Ariusuha might have a profile on OpenSea, which is connected to an Ethereum wallet previously funded by the centralized exchange FTX. This could easily lead authorities to the attacker.
The Danger Of Web3
The Web3 ecosystem keeps seeing projects being rug pulled over and over again. And many users refuse to give up on it, but why?
Many NFT/Web3 fanatics seem to be very young. They usually like to brag about it. Focusing on the young for now, let’s take a peek into a possible pattern of this modern social phenomenon:
- Bragging: young generations seem to be under heavy pressure to become millionaires quickly. Make money fast so you can post about it. Similar to the complaints the beauty industry receives about its dangerous effects through social media, we might be seeing a similar case with money.
- Modern worries: on the other hand, younger generations face the raw reality of increasing inflation and jobs that do not pay enough. How to provide? How to succeed? Social media shows many people who seem to have profited so much by doing so little. Many cannot help but wonder: why work so much and still not have enough for retirement?
- Context: a world that already seems dystopian. The pandemic, politics, war, etc.
- Despair: either of these scenarios, vain or not, could be the source of silent despair. How can we cope? [Scroll, scroll, post a selfie, scroll] “You too can become a millionaire and live carefree,” a post promises.
- Dreams: and something that seems fun and colorful promises to be a project like no other. They claim to be transparent, sustainable, the design looks like it’s going to make money, other projects have, and they might throw the word ‘decentralized’ in there too.
But not all users can tell that many of these projects have security issues, and they get scammed. And even if they know it’s risky, that silent social despair might be helping to push them in anyway. And the scammers have learned how to bait a rug.
If the Web3 ecosystem doesn’t draw clear limits to prevent this, users will always be playing with a double-edged sword that might eventually pop the bigger bubble and turn into the largest losses yet.
Perhaps it is not only jpegs that are being exploited, but the whole human psyche.