Cashio

2021-11-23

Ian Macalinao, operating as 0xGhostchain, tells the Cashio Discord community 'I personally audited it,' a claim he later contradicts.

2021-11-01

Cashio is launched on Solana, built by Ian Macalinao under the pseudonym 0xGhostchain, as part of an ecosystem of protocols around the Saber DEX. The code was reportedly rushed to meet a Breakpoint conference deadline.

2022-03-23

Attacker exploits a missing collateral validation flaw in Cashio's smart contract at approximately 8:23 AM UTC, minting ~2 billion CASH tokens backed by worthless fake collateral and draining approximately $52 million in real assets. CASH token collapses to near zero.

2022-03-23

Attacker embeds on-chain message: 'Account with less 100k have been returned. all other money will be donated to charity.' Saber pauses withdrawals to Cashio pools and freezes smart contracts.

2022-03-23

Ian Macalinao publicly acknowledges 'I did not audit Cashio as carefully as I should have,' contradicting prior claims.

2022-03-26

Ian Macalinao writes (in an unpublished blog post) that Cashio's code was insecure because it was 'rushed for this deadline' and pledges to repay affected users from personal token holdings — a promise he does not fulfill.

2022-03-28

Attacker posts second message stating intention was to redistribute wealth and invites victims with over $100,000 in losses to apply for refunds. Saber team states they cannot compensate depositors.

2022-03-31

Attacker opens a refund application process requiring victims to explain why they need their money back; large accounts held by wealthy individuals are excluded from consideration.

2022-06-01

Cashio announces plans on Medium for a new protocol to help victims; approximately $25 million in stolen funds remain unrecovered. Team goes silent on social media.

2022-08-04

CoinDesk publishes 'Master of Anons,' revealing that Ian and Dylan Macalinao operated 11 fake developer identities to inflate Solana DeFi TVL, with Cashio (via 0xGhostchain) being one of those projects.