Lack of input validation
Cashio, a Solana-based stablecoin project, has been looted for millions after attackers leveraged an infinite mint glitch. Roughly $50 million of value has been drained from Cashio's protocol due to the exploit because Cashio didn't establish a root of trust for all of the accounts it used allowing the attacker to steal by forging a chain of fake accounts. Samczsun did a walkthru of the exploit.
The attacker left a note in the input data of their Ethereum transactions that "Account with less 100k have been returned. all other money will be donated to charity."
In order to mint new CASH, you need to deposit some collateral. This cross-program invocation (CPI) will transfer tokens from your account to the protocol's account, but only if the two accounts hold the same type of token. Otherwise, the token program will reject the transfer.
Here, the protocol validates that the crate_collateral_tokens account hold the right type of token by comparing it with the collateral account. It also verifies the collateral account shares the same token type as the saber_swap.arrow account.
Unfortunately, the mint field on the arrow account is never validated.
This means that ultimately, all of this validation is meaningless because there's no trusted root. The attacker just created fake accounts all the way down and then chained it all the way back up until they finally made a fake crate_collateral_tokens account.
DISCLAIMER: While Zero Friction LLC has used the best efforts in aggregating and maintaining this database, Zero Friction LLC makes no representations or warranties with respect to the accuracy or completeness, and specifically disclaim any implied warranties of merchantability or fitness for any particular purpose.
Under no circumstances, shall Zero Friction LLC be liable for any loss of profit or funds, any regulatory or governmental penalties, any legal costs, or any other commercial and non-commercial damages, including but not limited to special, incidental, consequential, or other damages from any or all usage of the dataset or information derived from our database.