Cashio Hack 2022 — $52M Exploit Analysis

Infinite mint exploit on Solana stablecoin protocol Cashio drained $52M by exploiting faulty account validation logic.

Details

Full Description

Cashio's CASH stablecoin protocol failed to properly validate the 'crate_collateral_tokens' account in its Arrow program. An attacker created fake accounts that passed validation checks and minted an unlimited supply of CASH tokens backed by nothing, then redeemed them for all available collateral in the protocol.

Laundering Analysis

Stolen funds (USDC, USDT) moved through multiple Solana wallets. Portions bridged to Ethereum via Wormhole and mixed via Tornado Cash. Cashio team and Solana community tracked fund flows. Attacker left an on-chain message claiming to target only wallets with over $100K, donating remaining to charity — unverified.

Sources

Transaction Hashes

Related Hacks

Back to Browse