Cyber Incident Victim: Cashio

Date: Mar 2022

Location: United States of America

Summary

An attacker exploited an infinite mint vulnerability in a Solana-based protocol by bypassing incomplete collateral validation checks, specifically leveraging unverified LP token mint fields to deposit fake collateral. This allowed the minting of 2 billion CASH tokens, which were then partially swapped for approximately $36.2 million in stablecoins (UST and USDC) and bridged to Ethereum as over 16,000 ETH (~$48 million). The exploiter refunded smaller impacted accounts (under 100k value) and claimed remaining funds would be donated to charity, while the protocol advised users to withdraw assets and acknowledged the root cause investigation.

Description

On March 23, 2022, at approximately 08:15 UTC, an unidentified attacker exploited Cashio, a Solana-based protocol, through an infinite mint vulnerability that allowed the unauthorized creation of approximately 2 billion CASH tokens. The exploit targeted flaws in Cashio’s collateral validation system, specifically its failure to authenticate the .mint field of LP tokens deposited via saber_swap.arrow. This oversight enabled the attacker to deploy a counterfeit root contract and a series of fraudulent accounts, which bypassed validation checks by referencing each other. Cashio detected the anomaly and issued a public warning at 09:59 UTC, advising users to cease minting CASH and withdraw funds from liquidity pools while initiating an investigation. The protocol confirmed identifying the root cause and committed to publishing a postmortem analysis.
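The validation gap described above, as an added example: a simplified Rust model, not Cashio's code, of a check that only confirms accounts reference each other, next to one that also pins the root `mint` to a value the protocol trusts. Every type, function and field name except `mint` is hypothetical, and the account data is constructed.

```rust
// Simplified model of a collateral-validation chain (constructed example).
// Every name except the `mint` field is hypothetical.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct Key(pub u32); // stand-in for an on-chain address

pub struct Arrow { pub key: Key, pub mint: Key } // wrapper around an LP token
pub struct Collateral { pub key: Key, pub arrow: Key }
pub struct Deposit { pub collateral: Key, pub amount: u64 }

/// Incomplete check: each account only has to agree with its neighbour.
/// `arrow.mint` is never inspected, so the chain has no trusted root.
pub fn validate_linked(d: &Deposit, c: &Collateral, a: &Arrow) -> bool {
    d.collateral == c.key && c.arrow == a.key
}

/// Hardened check: the same links, plus the root `mint` must equal a value
/// the protocol pinned itself rather than one supplied with the deposit.
pub fn validate_anchored(d: &Deposit, c: &Collateral, a: &Arrow, trusted_mint: Key) -> bool {
    validate_linked(d, c, a) && a.mint == trusted_mint
}

/// Amount credited for a deposit, or 0 when validation rejects it.
pub fn credited(ok: bool, d: &Deposit) -> u64 {
    if ok { d.amount } else { 0 }
}

/// Builds a self-consistent chain of accounts rooted at `mint` (constructed data).
pub fn chain(base: u32, mint: Key, amount: u64) -> (Deposit, Collateral, Arrow) {
    let a = Arrow { key: Key(base), mint };
    let c = Collateral { key: Key(base + 1), arrow: a.key };
    (Deposit { collateral: c.key, amount }, c, a)
}

fn main() {
    let trusted = Key(1); // mint the protocol recognises (constructed value)
    let (d, c, a) = chain(100, trusted, 500); // chain rooted at the trusted mint
    let (fd, fc, fa) = chain(900, Key(999), 2_000_000_000); // chain that only vouches for itself
    println!("trusted root, linked check:    {}", credited(validate_linked(&d, &c, &a), &d));
    println!("trusted root, anchored check:  {}", credited(validate_anchored(&d, &c, &a, trusted), &d));
    println!("untrusted root, linked check:  {}", credited(validate_linked(&fd, &fc, &fa), &fd));
    println!("untrusted root, anchored check: {}", credited(validate_anchored(&fd, &fc, &fa, trusted), &fd));
}
```

The two checks agree on the chain rooted at the trusted mint and differ only on the chain whose root was never compared against anything the protocol controls.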

The attacker converted 2 billion fraudulently minted CASH tokens into stablecoins through SaberSwap, exchanging portions for 10.8 million UST and 16.4 million USDC, while swapping the remaining 1.97 billion CASH for 8.6 million UST and 17 million USDC. Most stolen funds were bridged to Ethereum and converted into over 16,000 ETH (valued at approximately $48 million at the time), which remained in the exploiter’s wallet. Three hours post-exploit, the attacker distributed smaller USDC amounts to multiple addresses and embedded a transaction message claiming refunds for accounts holding under 100,000 units and intent to donate remaining funds to charity. Cashio did not publicly verify the legitimacy of these refunds or charitable assertions. The incident resulted in the protocol’s complete depletion of value, with no immediate recovery efforts or third-party interventions confirmed in the available data.
