
Cashio

[AI-DRAFTED · AWAITING VERIFICATION][src:defillama]

Summary

Cashio was a Solana-based algorithmic stablecoin protocol that allowed users to mint $CASH tokens backed by Saber USD liquidity provider (LP) tokens. On March 23, 2022, an unidentified attacker exploited a critical missing validation in the smart contract's collateral verification logic, minting approximately 2 billion unbacked $CASH tokens and draining roughly $52 million from the protocol's liquidity pools. The $CASH token collapsed from its $1 peg to near zero, permanently ending the protocol.


Protocol Overview

Cashio was a decentralized stablecoin application built on the Solana blockchain, developed under the pseudonym '0xGhostchain.' The protocol allowed users to deposit Saber USD liquidity provider (LP) tokens as collateral in exchange for minting $CASH, a US dollar-pegged stablecoin. Collateral was routed through the Arrow Protocol, a Solana-based yield-bearing token wrapper, and held in Saber liquidity pools containing stablecoin pairs such as USDC-USDT. The design was intended to maintain the $CASH peg through the value of the underlying LP token collateral. Cashio launched on Solana mainnet and, prior to the March 2022 exploit, held approximately $28–52 million in total value locked (TVL). The protocol was never subjected to a third-party smart contract security audit.

The Exploit (March 23, 2022)

At approximately 08:15 UTC on March 23, 2022, an unknown attacker began exploiting Cashio's minter contract. The exploit was made possible by two missing validation checks in the collateral deposit logic. First, the contract validated that the token type matched the saber_swap.arrow account, but critically did not validate the .mint field within that account. Second, the depositor_source parameter was never verified to ensure consistency with collateral requirements. These two omissions allowed the attacker to construct a chain of entirely fake accounts — a counterfeit Arrow protocol account, a fake Saber LP token, and a fraudulent collateral vault — that passed all existing checks because each fraudulent account was only compared against the other fraudulent accounts in the chain rather than any legitimate contract reference.

The attacker interacted with the Arrow program's deposit_vendor() function to deposit 2,000,000,000 counterfeit LP tokens and used these to mint an equal quantity of $CASH tokens. These unbacked tokens were then swapped for legitimate stablecoins across Cashio's liquidity pools: the attacker obtained approximately $16.4 million in USDC and $10.8 million in USDT via LP token redemptions, and an additional $17 million in USDC and $8.6 million in UST through secondary swaps — totaling approximately $52 million in stolen assets.

The $CASH token's price collapsed from $1.00 to $0.00005 within hours, effectively wiping out all liquidity providers. Cashio developer 0xGhostchain issued a public warning on Twitter at 09:59 UTC — roughly 1 hour and 44 minutes after the attack began — urging users not to mint $CASH and to withdraw funds from pools.

Technical Breakdown: Fake Account Chain

The attack exploited Solana's account-based programming model, in which programs must explicitly validate the legitimacy of accounts passed as input. Cashio's minter contract performed numerous validation checks but was missing two critical ones. The contract's crate_collateral_tokens function confirmed that token types matched the saber_swap.arrow account, but omitted any check on the .mint field of that account. This meant an attacker could supply a self-referential chain of counterfeit accounts: (1) a fake bank initialized with a worthless token mint; (2) a fake Arrow protocol account (saber_swap.arrow) pointing to the fake bank; (3) a fake Saber LP token; and (4) a counterfeit Sunny/Saber vault. Because each fake account only needed to be internally consistent with the other fake accounts — not with any on-chain program-derived address or legitimate reference — all validation checks passed. The attacker called deposit_vendor() on the Arrow program with 2 billion fake LP tokens, receiving 2 billion fake collateral tokens in return. These fake collateral tokens were then passed to the print_cash instruction, which minted 2 billion real $CASH tokens. The attacker then used those real $CASH tokens to drain the genuine USDC and USDT in Cashio's Saber liquidity pools. The root cause was the absence of a verification that the bank's token and the ultimately minted CASH token were related to a legitimate, program-derived collateral chain — a check that an independent security audit would likely have identified.
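
The missing checks described above, reduced to a plain-Rust model as an added example (not Cashio's code and not from the original page). The struct, field and function names are hypothetical, and the hardened checks are one assumed way to anchor the chain to the token being minted.

```rust
// Added illustration: a plain-Rust model of the account chain, not Cashio's code.
// All struct, field and function names are hypothetical; Key stands in for a Pubkey.
type Key = u32;
struct Bank { crate_mint: Key }            // token this bank is allowed to issue
struct Collateral { bank: Key, mint: Key } // collateral type registered under a bank
struct Arrow { mint: Key }                 // wrapper account and the mint it claims
struct SaberSwap { arrow: Key }            // swap record pointing at its arrow account

// Every field is supplied by the caller, so every field is untrusted input.
struct Ctx {
    bank_key: Key, bank: Bank, collateral: Collateral,
    arrow_key: Key, arrow: Arrow, saber_swap: SaberSwap,
    depositor_source_mint: Key, // mint of the token account funding the deposit
    minted_token: Key,          // mint the instruction will actually issue
}

// Links are compared to each other only; nothing ties them to a trusted root.
fn validate_vulnerable(c: &Ctx) -> Result<(), &'static str> {
    if c.collateral.bank != c.bank_key { return Err("collateral not under this bank"); }
    if c.saber_swap.arrow != c.arrow_key { return Err("swap does not point at arrow"); }
    Ok(())
}

// Adds the omitted links and anchors the chain to the token being minted.
fn validate_hardened(c: &Ctx) -> Result<(), &'static str> {
    validate_vulnerable(c)?;
    if c.bank.crate_mint != c.minted_token { return Err("bank does not issue minted token"); }
    if c.arrow.mint != c.collateral.mint { return Err("arrow.mint is not the collateral mint"); }
    if c.depositor_source_mint != c.collateral.mint { return Err("depositor_source has wrong mint"); }
    Ok(())
}

// Constructed sample mints; account addresses stay fixed, only mint fields vary.
const CASH: Key = 1; const LP: Key = 20; const JUNK: Key = 99;
fn ctx(bank_mint: Key, coll_mint: Key, arrow_mint: Key, source_mint: Key) -> Ctx {
    Ctx { bank_key: 10, bank: Bank { crate_mint: bank_mint },
          collateral: Collateral { bank: 10, mint: coll_mint },
          arrow_key: 30, arrow: Arrow { mint: arrow_mint }, saber_swap: SaberSwap { arrow: 30 },
          depositor_source_mint: source_mint, minted_token: CASH }
}

fn main() {
    let cases = [("genuine", ctx(CASH, LP, LP, LP)), ("all-fake chain", ctx(JUNK, JUNK, JUNK, JUNK)),
                 ("fake arrow only", ctx(CASH, LP, JUNK, JUNK))];
    for (name, c) in &cases {
        println!("{name}: vulnerable={:?} hardened={:?}", validate_vulnerable(c), validate_hardened(c));
    }
}
```

The all-fake chain passes the first validator because every comparison is between caller-supplied accounts; the hardened validator rejects it at the bank check, and rejects a genuine bank paired with a counterfeit Arrow account at the .mint check.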

Scale of Damage

The exploit resulted in the theft of approximately $52 million in stablecoins. The attacker obtained roughly $16.4 million in USDC and $10.8 million in USDT from LP token swaps on Saber, and an additional $17 million in USDC and $8.6 million in UST from secondary swaps. The $CASH token depegged instantly, falling from $1.00 to $0.00005 — a near-total loss for all holders. Cashio's total value locked (TVL) dropped from approximately $28–29 million to under $600,000 within hours of the attack. All liquidity providers who had deposited stablecoins into Cashio's Saber pools were effectively wiped out. Roughly $25 million of the stolen funds remained unrecovered as of mid-2022, per CertiK's incident analysis. The protocol never resumed operations after the exploit.

Fund Movement and Alleged Laundering

After draining the Cashio liquidity pools on Solana, the attacker bridged the stolen stablecoins to Ethereum using Jupiter (a Solana liquidity aggregator) and the Wormhole cross-chain bridge. Approximately $15.3 million in USDC and USDT were moved from Solana to Ethereum in three transactions. Once on Ethereum, the attacker converted the stablecoins to Ether (ETH), ultimately accumulating over 16,000 ETH. According to on-chain data from Etherscan, the attacker subsequently transferred 1,610 ETH to an Ethereum mixer service across 17 transactions — all but one consisting of 100 ETH each — in an alleged effort to obscure the funds' origin and destination. The majority of the approximately $52 million in stolen funds was never returned or recovered.

The Attacker's On-Chain Messages and Alleged Partial Returns

Approximately three hours after the exploit began, the attacker embedded a message in the input data of an Ethereum transaction stating: 'Account with less 100k have been returned. all other money will be donated to charity.' On-chain records showed hundreds of small USDC transactions distributed to addresses that had lost less than $100,000 in the attack, consistent with the attacker's stated intention. In a subsequent message sent on approximately March 28, 2022, the attacker announced a further change of stance: victims who had lost more than $100,000 would also have the opportunity to receive a refund by submitting an application. The message stated: 'The inntention [sic] was only to take money from those who do not need it, not from those who do.' It is unclear from available sources how much was actually returned to larger claimants or whether any charitable donations were made. The attacker was never publicly identified, and no arrests or criminal charges related to the Cashio hack have been reported as of the time of this investigation.

Developer Response

The Cashio protocol was developed pseudonymously under the handle '0xGhostchain.' Following the exploit, 0xGhostchain posted on Twitter warning users not to mint any $CASH, stating that the team was investigating the root cause and urging liquidity providers to withdraw their funds from pools. The developer indicated that a postmortem would be published. A post-incident statement regarding the impact on Saber and its users was published on or around March 28, 2022. The Cashio protocol did not resume normal operations following the exploit. No formal recovery or relaunch plan was executed, and the protocol is considered permanently collapsed.

Saber and Sunny Aggregator Connection

Cashio was deeply integrated with Saber, a Solana-based stablecoin automated market maker (AMM), and Sunny Aggregator, a yield optimization layer built on top of Saber. $CASH was minted against Saber USD LP tokens, meaning the exploit directly drained Saber's USDC-USDT and other liquidity pools. Both Saber and Sunny Aggregator were built by Ian Macalinao (also known as 'iMac' or 'Surya Khosla') and his brother Dylan Macalinao of Saber Labs. A CoinDesk investigation published in August 2022 revealed that Ian Macalinao had secretly built Cashio, along with more than a dozen other protocols in the Saber ecosystem, using 11 different pseudonymous developer identities — including 'kiwipepper' (Crate), 'oliver_code' (Arrow), and 'Larry Jarry' (Quarry). These interlocking protocols were designed so that a single dollar of collateral would be counted multiple times across each protocol layer, artificially inflating Solana's reported TVL. At peak, Saber and Sunny together accounted for approximately $7.5 billion of Solana's $10.5 billion TVL, much of which was the result of this double- and triple-counting scheme.

Ian Macalinao Pseudonym Scandal and DOJ Investigation

CoinDesk's August 2022 investigation revealed that Ian Macalinao operated at least 11 pseudonymous developer identities to build an interlocking web of Solana DeFi protocols that each used the outputs of the prior one as inputs — inflating TVL metrics by counting the same underlying dollar multiple times. Ian wrote in a then-unpublished blog post: 'I devised a scheme to maximize Solana's TVL: I would build protocols that stack on top of each other, such that a dollar could be counted several times.' Among the projects secretly attributed to Ian were Cashio (via pseudonymous contributions), Arrow Protocol, Crate, and Quarry, in addition to Saber and Sunny. In January 2023, CoinDesk reported that the U.S. Department of Justice had opened an investigation into Ian and Dylan Macalinao in connection with these Solana-based DeFi and stablecoin projects, including Cashio. The DOJ was reported to be seeking information on the web of projects that orbited Saber. The Macalinao brothers subsequently withdrew from Protagonist VC, the crypto venture-capital firm they had co-founded, and transferred control of some pseudonymously built protocols to Marinade, another Solana DeFi protocol. No charges had been publicly filed as of the time of this investigation.

Impact on Solana DeFi

The Cashio exploit occurred during a period of broader stress for Solana's DeFi ecosystem, and contributed to eroding confidence in Solana-native protocols. The revelation that Saber's TVL had been artificially inflated through double-counting across Ian Macalinao's pseudonymous protocol stack — with Cashio itself being one node in that stack — raised systemic concerns about the reliability of Solana TVL figures and the ecosystem's apparent depth. The exploit also highlighted the specific risks of unaudited smart contracts on Solana, where account validation must be performed manually by developers rather than enforced at the runtime level. Multiple security researchers cited the Cashio hack as a reference case for the importance of input account validation in Solana programs. The incident contributed to a broader reassessment of Solana DeFi's actual health during 2022, a year that also saw FTX's collapse further damage confidence in the Solana ecosystem.

Red Flags and Security Lessons

Several pre-existing red flags were present before the Cashio exploit occurred. The protocol was never independently audited — a critical omission for a stablecoin protocol holding tens of millions of dollars. The protocol's collateral validation logic was incomplete, failing to verify the .mint field of Arrow accounts or to confirm that the depositor_source was consistent with legitimate collateral. The protocol was pseudonymously developed with no public team identity beyond '0xGhostchain.' After the exploit, the broader context revealed that Cashio was embedded in an ecosystem of interlocking protocols built by a single developer using multiple false identities — a fact not publicly known at the time of the exploit. The lack of transparency about the protocol's authorship, the absence of an audit, and the reliance on a complex multi-protocol collateral chain (Saber LP tokens routed through Arrow) all represented material risks that users could not fully assess. The exploit is widely cited in Solana security literature as a canonical example of account validation failures in Anchor-based Solana programs.

Timeline

2022-01-01

Cashio protocol operates on Solana mainnet, accepting Saber LP tokens as collateral for minting $CASH stablecoin. No third-party audit is commissioned.

Ackee Blockchain / CertiK

2022-03-23

At approximately 08:15 UTC, an unknown attacker begins exploiting Cashio's missing collateral validation, minting approximately 2 billion unbacked $CASH tokens and draining roughly $52 million from Saber liquidity pools.

CoinDesk

2022-03-23

Cashio developer 0xGhostchain issues a Twitter warning at 09:59 UTC urging users not to mint $CASH and to withdraw from pools. The $CASH token collapses from $1.00 to $0.00005.

Decrypt / The Block

2022-03-23

Attacker bridges stolen stablecoins from Solana to Ethereum via Jupiter and Wormhole, converting proceeds to over 16,000 ETH. Approximately 1,610 ETH is subsequently sent through a mixer across 17 transactions.

REKT News / AMBCrypto

2022-03-23

Attacker embeds an on-chain message in an Ethereum transaction: 'Account with less 100k have been returned. all other money will be donated to charity.' Hundreds of small USDC distributions are sent to affected addresses.

Web3 Is Going Great / Fortune

2022-03-28

Cashio team publishes a statement regarding the vulnerability's impact on Saber users. Protocol does not resume operations.

Solana News Today

2022-03-28

Attacker sends a second on-chain message indicating that victims who lost more than $100,000 may also apply for a refund.

Fortune / BeInCrypto

2022-08-04

CoinDesk publishes an investigation revealing that Ian Macalinao built Cashio, Saber, Sunny Aggregator, and more than a dozen other Solana protocols under 11 pseudonymous identities, artificially inflating Solana's TVL by billions of dollars.

CoinDesk

2023-01-11

CoinDesk reports that the U.S. Department of Justice has opened an investigation into Saber Labs founders Ian and Dylan Macalinao, with Cashio listed among the projects under scrutiny.

CoinDesk


Provenance

This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.

model: claude-code-investigator

generated: 5/4/2026, 2:54:50 AM

last updated: 5/7/2026, 4:36:45 PM
