Infinite mint exploit on Solana stablecoin protocol Cashio drained $52M by exploiting faulty account validation logic.
Cashio's CASH stablecoin protocol failed to properly validate the 'crate_collateral_tokens' account in its Arrow program. An attacker created fake accounts that passed validation checks and minted an unlimited supply of CASH tokens backed by nothing, then redeemed them for all available collateral in the protocol.
Stolen funds (USDC, USDT) moved through multiple Solana wallets. Portions bridged to Ethereum via Wormhole and mixed via Tornado Cash. Cashio team and Solana community tracked fund flows. Attacker left an on-chain message claiming to target only wallets with over $100K, donating remaining to charity — unverified.
3sZnL6MRV5GkQqB9TWzWjvQJ9DTSSXkQxCuTBKNpBXVEuLBKK3wBrAHAPfaKJxCiVJ6RRxBY6RWiB1LzqPnM2a3