Skip to content
Est. MMXXVIVol. VI · № 310RSS
Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 310Smart Contract Bug

Cascade CLS Vault Exploit

An attacker drained about $1.34 million in USDC from the CLS liquidity vault of Cascade, a pre-launch Polychain-backed perpetuals protocol on Arbitrum, hitting locked pre-deposit user funds.

Date
Victim
Cascade
Chain(s)
Status
Funds Stolen

On July 16, 2026, Cascade — a pre-launch, Polychain-backed perpetuals protocol on Arbitrum — was exploited for approximately $1.34 million when an attacker drained USDC from its CLS liquidity vault, hitting deposits that users had locked ahead of the platform's public launch.

What happened

Cascade had raised a $15 million seed round led by Polychain and Variant in December 2025 and was still in an invite-only phase. Its CLS (Cascade Liquidity Strategy) is described in the protocol's documentation as the native liquidity engine designed to underwrite orderbook depth and liquidation flows. Ahead of the public launch, users in an invite-only "First Wave" campaign had pre-deposited USDC on Arbitrum into the CLS vault to earn reward points — funds that were locked until trading went live, meaning affected depositors had no way to withdraw before the attack. Cascade confirmed an exploit affecting the CLS vault that drained roughly 1.34 million USDC of user funds; the specific contract-level root cause had not been fully disclosed as of reporting. The attacker then moved the proceeds cross-chain, bridging from Arbitrum to Solana and onward to Ethereum via the Relay Protocol, swapping into DAI along the way — a laundering pattern favoured because DAI cannot be frozen by a central issuer the way Circle can blacklist USDC addresses.

Aftermath

Because the drained CLS deposits were pre-allocated and locked, the loss fell directly on early First Wave participants rather than on live trading liquidity. As of reporting, the stolen funds had not been recovered, and the swap into DAI across Solana made freezing or clawback unlikely. The incident cast an immediate shadow over Cascade's planned public launch and raised questions about the security review of a vault holding user capital before the platform was even live.

Why it matters

Cascade landed barely a day after Ostium, another Arbitrum perpetuals platform paused after an oracle exploit — two hits on the same chain and sector inside 48 hours. It underscores a recurring catalogue theme: pre-launch and incentive-farming vaults concentrate user capital in contracts that have not yet faced live adversarial pressure, making them attractive early targets. The cross-chain USDC-to-DAI laundering route through Solana mirrors the exit path taken in the Summer.fi exploit days earlier, reflecting how attackers increasingly standardise on non-freezable assets to lock in gains before recovery efforts can begin.

Sources & on-chain evidence

  1. [01]cryptotimes.iohttps://www.cryptotimes.io/2026/07/16/polychain-backed-cascade-hacked-for-1-34m-in-locked-user-funds/
  2. [02]protos.comhttps://protos.com/more-oracle-exploits-as-ostium-loses-over-20m/

Related filings