TLDR: Tokens on Solana rely on validations implemented by smart contract developers. If they make one mistake, the tokens are gone. Tokens on Radix are validated by the platform itself. If you’re a developer on Radix, you can’t even make the kind of mistake that led to this hack.
On March 23 the smart contract for the Cashio stablecoin dApp was exploited for $48 million, due to an error in the smart contract’s “asset validation” logic. This type of exploit isn’t possible on Radix as the validation is handled by the Radix platform, not the smart contract.
Cashio is a dApp that allows users to mint a US dollar stablecoin, $CASH, by transferring Saber LP Tokens to Cashio’s LP token account. The LP token collateral backs the value of the stablecoin.
The Cashio smart contract monitors its Saber LP token balances, and if the deposited tokens pass the Cashio smart contract’s validation rules, Cashio mints an equivalent amount of $CASH for the user.
However, on March 23 2022, a hacker was able to create a fake contract with fake LP balances, and trick the Cashio smart contract into believing that a deposit of 27m fake LP tokens meant that it should mint 2Bn $CASH for the hacker. That 2Bn in $CASH was then sold for $48m.
The Cashio smart contract missed a small but vital step in the process of checking whether the deposited tokens were correct. Because developing tokens and smart contracts today is complex and unintuitive, these types of error are easy to make.
The root cause is that all tokens on Solana, and the validations that go with it, are the sole responsibility of the smart contract developer. Solana doesn’t provide any protections. If there’s a single mistake in the developer’s “asset validation” logic, a hacker could exploit it.
So why couldn’t this hack happen on Radix’s upcoming Babylon mainnet with smart contract capability?
The answer is that tokens are a native feature of Radix, and Radix has an in-built “DeFi Engine” that handles all the core validations. We call it Radix Engine.
With this in place, DeFi developers on Radix don’t have to worry about designing their own “asset validation” logic, because Radix Engine ensures only the correct token can be put into a vault intended for that token. It’s simply not possible to deposit a different faked version of a token into the vault.
Going back to the example, if a hacker on Radix tried creating a fake LP token, Radix Engine would just reject the transaction, because the dApp doesn’t have a vault for the fake token.
Not only does this make smart contracts on Radix way more secure, but it also saves developers tons of time, as they no longer have to worry about programming all those validations themselves.
If you’d like to learn more about why Radix’s DeFi programming language Scrypto makes developing on Radix secure and intuitive, and how Radix Engine would prevent these kind of hacks, visit https://go.radixdlt.com/rekt-retweet-1.
By Ben Fargher - RDX Works