Solutions

Company

Resources

Blog

Contact

Login

    • Advisory

      AI Advisory

      Strategic guidance for secure AI adoption

      Blockchain Architecture Assessment

      Reviewing blockchain designs for security and resilience

      Compliance Readiness

      Aligning controls to evolving regulatory mandates

      Custody and Key Management Assessment

      Securing digital asset custody and key systems

      Risk Assessment

      Clarity on your cybersecurity risk posture

      Technical Due Diligence

      Validating security before third-party commitments

      Technical Training

      Building blockchain and security skills enterprise-wide

    • Assurance

      AI Red Teaming

      Adversarial testing against real-world AI threats

      AI Security Assessment

      Identifying vulnerabilities in AI models and pipelines

      Blockchain Layer 1 Assessment

      Protocol-level security review of L1 networks

      Code Security Audit

      Uncovering vulnerabilities in your source code

      Web Application Penetration Testing

      Exposing exploitable flaws in web applications

      Cloud Infrastructure Penetration Testing

      Finding weaknesses across cloud environments

      Red Team Exercise

      Full-scope adversarial simulation of your defenses

      Smart Contract Assessment

      Code security testing for blockchain-powered applications and systems.

    • Who We Are

      The best security engineers in the world

      Careers

      Work with the elite

      Who Trusts Us

      The trusted security advisor for blockchain and financial services industries

      Brand

      Access official logos, fonts, and guidelines

      Service Commitments

      Committed to Protecting Your Data

    • Audits

      In-depth evaluations of smart contracts and blockchain infrastructures

      BVSS

      Blockchain Vulnerability Scoring System

      Disclosures

      All the latest vulnerabilities discovered by Halborn

      Case Studies

      How Halborn’s solutions have empowered clients to overcome security issues

      Reports

      Comprehensive reports and data

  • Blog

  • Contact

Login

STAY CURRENT WITH HALBORN

Subscribe to the monthly Halborn Digest for our top blogs and videos, major company announcements, new whitepapers, webinar and event invites, and one exclusive interview.

ADVISORY SERVICES

AI AdvisoryRisk AssessmentBlockchain Architecture AssessmentCompliance ReadinessCustody and Key Management AssessmentTechnical Due DiligenceTechnical Training

ASSURANCE SERVICES

AI Security AssessmentAI Red TeamingSmart Contract AssessmentBlockchain Layer 1 AssessmentCode Security AuditWeb Application Penetration TestingCloud Infrastructure Penetration TestingRed Team Exercise

COMPANY

Who We AreWho Trusts UsService CommitmentsCareersBrandBlogContact

RESOURCES

AuditsDisclosuresReportsBVSSCase Studies
Halborn Logo
Privacy PolicyTerms of UseVulnerability Disclosure Policy

© Halborn 2026. All rights reserved.

AI Advisory

Strategic guidance for secure AI adoption

Blockchain Architecture Assessment

Reviewing blockchain designs for security and resilience

Compliance Readiness

Aligning controls to evolving regulatory mandates

Custody and Key Management Assessment

Securing digital asset custody and key systems

Risk Assessment

Clarity on your cybersecurity risk posture

Technical Due Diligence

Validating security before third-party commitments

Technical Training

Building blockchain and security skills enterprise-wide

AI Red Teaming

Adversarial testing against real-world AI threats

AI Security Assessment

Identifying vulnerabilities in AI models and pipelines

Blockchain Layer 1 Assessment

Protocol-level security review of L1 networks

Code Security Audit

Uncovering vulnerabilities in your source code

Web Application Penetration Testing

Exposing exploitable flaws in web applications

Cloud Infrastructure Penetration Testing

Finding weaknesses across cloud environments

Red Team Exercise

Full-scope adversarial simulation of your defenses

Smart Contract Assessment

Code security testing for blockchain-powered applications and systems.

Who We Are

The best security engineers in the world

Careers

Work with the elite

Who Trusts Us

The trusted security advisor for blockchain and financial services industries

Brand

Access official logos, fonts, and guidelines

Service Commitments

Committed to Protecting Your Data

Audits

In-depth evaluations of smart contracts and blockchain infrastructures

BVSS

Blockchain Vulnerability Scoring System

Disclosures

All the latest vulnerabilities discovered by Halborn

Case Studies

How Halborn’s solutions have empowered clients to overcome security issues

Reports

Comprehensive reports and data

THIS WEBSITE USES COOKIES

We use cookies to personalise content and ads, to provide social media features and to analyse our traffic. We also share information about your use of our site with our social media, advertising and analytics partners who may combine it with other information that you've provided to them or that they've collected from your use of their services. You consent to our cookies if you continue to use our website. Learn More.

blog

Explained: The Cashio Hack (March 2022)

Category: Explained: Hacks

Explained: The Cashio Hack (March 2022)

POSTED BY: Rob Behnke

03.28.2022

    In March 2022, the Solana-based Cashio stable coin CASH was the victim of a hack exploiting an “infinite mint” vulnerability.  The value of the CASH token plunged to $0.00005 after the attacker stole over $52 million in tokens from the protocol.

    Inside the Attack

    To mint new CASH tokens, a user needs to deposit collateral.  This collateral can be deposited into a collateral account owned by the protocol if the deposit passes a series of checks designed to validate that the deposited tokens match the type held within the protocol’s accounts.

    As part of the validation process for crate_collateral_tokens, the contract checked that the token type matched that of the saber_swap.arrow account.  However, there was no validation of the mint field within the saber_swap.arrow account.  The attacker could make a fake saber_swap.arrow account that would allow it to create a fake crate_collateral_tokens account that would allow the deposit of worthless collateral.

    The other piece of the attack was a missing check for depositor_source, which has the same requirement that the token type should match that of the collateral.  It is possible to set the collateral token type if a user owns a bank, which can be created with a call to crate_mint.

    With a fake bank, the attacker could deposit fake collateral that would pass all of the checks due to the issues in crate_collateral_tokens.  However, the code failed to verify that the token associated with the bank and the one being minted are the same.

    As a result, a bank with a worthless token could be used to mint real CASH tokens.  This allowed the attacker to drain value from the protocol by depositing worthless collateral and minting real CASH tokens.

    Lessons Learned From the Attack

    The Cashio hack was made possible by missing validation code.  While the smart contract included numerous checks designed to validate collateral deposits, two essential ones were missing, enabling a $52 million hack and the destruction of the stablecoin’s peg to the USD.

    These vulnerabilities may have been detected by a smart contract audit.  However, Cashio was an unaudited project, resulting in the vulnerability being discovered – and exploited – by an attacker.

    Related Blog Posts

    blog

    Explained: The BitKeep Hack (October 2022)

    10.21.2022

    blog

    Explained: The Tornado Cash Hack (May 2023)

    05.23.2023

    blog

    Halborn Discovers Zero-Day Impacting Dogecoin and 280+ Networks

    03.13.2023

    Disclaimer

    The information in this blog is for general educational and informational purposes only and does not constitute legal, financial, or professional advice. Halborn makes no representations as to the accuracy or completeness of the content, which may be updated or changed without notice.

    blog

    Explained: The BitKeep Hack (October 2022)

    10.21.2022

    blog

    Explained: The Tornado Cash Hack (May 2023)

    05.23.2023

    blog

    Halborn Discovers Zero-Day Impacting Dogecoin and 280+ Networks

    03.13.2023