Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 084 · Smart Contract Bug

Cashio Infinite Mint Glitch

Two missing collateral checks let an attacker mint 2 billion fake CASH stablecoins on Cashio, dropping TVL from $48M to zero in one transaction.

Date
Victim
Cashio
Chain(s)
Status
Funds Stolen

On March 23, 2022 at 08:15 UTC, the Solana stablecoin protocol Cashio was drained for approximately $48 million via an infinite-mint exploit. Over 2 billion CASH tokens were minted from collateral that did not exist; CASH's price fell from $1.00 to roughly $0.00005 within hours.

What happened

Cashio minted its CASH stablecoin against deposits of USDC/USDT LP tokens from the Saber DEX. The minting path was a chain of account validations:

  1. The user provided a saber_swap.arrow account representing their LP position.
  2. The protocol used this account to find the corresponding crate_collateral_tokens account.
  3. The protocol verified that the LP tokens were real, then minted CASH at a 1:1 USD ratio.

The Cashio code was missing two essential validation checks:

  • No verification of the saber_swap.arrow account's mint field — the protocol accepted any account presented as the Saber LP source.
  • No verification of the crate_collateral_tokens account's authority — any caller could construct a "collateral" account.

The attacker constructed a fake saber_swap.arrow account pointing at a fake crate_collateral_tokens account they controlled, deposited zero real value, and minted CASH against it. Repeating the loop, they minted 2 billion CASH and immediately swapped it for USDC and other real assets through Saber pools.
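
The two missing checks, shown as an added example in Rust: a simplified model written for illustration, not Cashio's code and not the Solana SDK. The Pubkey, Arrow, Collateral and Trusted types and both functions are hypothetical, and the assumption that the vulnerable path compared the supplied accounts only against each other is part of the model.

```rust
// Simplified model of the validation chain described above. Constructed for
// illustration: not Cashio's code, not the Solana SDK; all names are hypothetical.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
struct Pubkey(u8); // stand-in for a 32-byte Solana address

struct Arrow { mint: Pubkey }                         // models saber_swap.arrow
struct Collateral { mint: Pubkey, authority: Pubkey } // models crate_collateral_tokens
struct Trusted { lp_mint: Pubkey, authority: Pubkey } // program-owned config, never caller-supplied

#[derive(Debug, PartialEq)]
enum MintError { MintMismatch, UntrustedArrowMint, UntrustedAuthority }

// Before: the caller-supplied accounts are checked only against each other
// (an assumption of this model), so a self-consistent fake chain passes.
fn mint_unchecked(a: &Arrow, c: &Collateral, amount: u64) -> Result<u64, MintError> {
    if c.mint != a.mint { return Err(MintError::MintMismatch); }
    Ok(amount) // CASH minted 1:1 against "collateral" nobody verified
}

// After: each caller-supplied account is also anchored to a trusted value.
fn mint_checked(t: &Trusted, a: &Arrow, c: &Collateral, amount: u64) -> Result<u64, MintError> {
    // Check 1: the arrow account's mint must be the expected LP mint.
    if a.mint != t.lp_mint { return Err(MintError::UntrustedArrowMint); }
    if c.mint != a.mint { return Err(MintError::MintMismatch); }
    // Check 2: the collateral account must be held by the protocol's authority.
    if c.authority != t.authority { return Err(MintError::UntrustedAuthority); }
    Ok(amount)
}

fn main() {
    let t = Trusted { lp_mint: Pubkey(1), authority: Pubkey(2) };
    // Constructed sample: accounts that agree with each other but with nothing trusted.
    let fake_arrow = Arrow { mint: Pubkey(9) };
    let fake_coll = Collateral { mint: Pubkey(9), authority: Pubkey(8) };
    println!("unchecked: {:?}", mint_unchecked(&fake_arrow, &fake_coll, 1_000));
    println!("checked:   {:?}", mint_checked(&t, &fake_arrow, &fake_coll, 1_000));
}
```

The hardened path rejects the fabricated chain at the first account that cannot be tied back to program-owned state, which is the property the unchecked path lacks.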

By the time Cashio's team issued the "infinite mint" alert at 09:59 UTC, the protocol's TVL was effectively zero and CASH had lost its peg permanently.

Aftermath

  • The attacker returned a portion of the funds to small holders (under $100,000) but kept the rest.
  • Cashio never recovered and effectively wound down.
  • The protocol had launched without a formal audit — a fact widely cited in the post-mortem analyses.

Why it matters

Cashio became the canonical example of why every external account passed to a Solana program must have its mint/owner/authority cryptographically verified against expected values, not merely structurally type-checked. The same class of bug — missing constraint on a passed-in account — has accounted for a meaningful fraction of all Solana program exploits since.

It also reinforced the harder lesson that shipping an unaudited stablecoin to mainnet is a finite-life proposition.

Sources & on-chain evidence

  1. halborn.com: https://www.halborn.com/blog/post/explained-the-cashio-hack-march-2022
  2. theblock.co: https://www.theblock.co/post/138934/stablecoin-cashio-on-solana-exploited-for-28-million-in-infinite-mint-glitch
  3. coindesk.com: https://www.coindesk.com/tech/2022/03/23/stablecoin-cashio-suffers-infinite-glitch-exploit-tvl-drops-by-28m
