The Hood of Cashio

Hacker promises to return
part of stolen funds

The plot keeps getting thicker when it comes to the Cashio app situation. Recently we reported on the 2nd largest hack and theft of assets on the Solana blockchain to date. This hack due to an infinite glitch saw the company lose $52 million on the dApp. During this time after a small announcement the team at Cashio and Saber both appeared to go dark, this left a bad taste in the mouth of many with a lot of users citing possiblity of inside work and other shady happenings.Saber at the time stated they could not help anyone with the situation despite heavilly promoting Cashio and the Saber VC distanced themselves as well,

1/❗️4 days since the @CashioApp $52m hack (2nd largest on @Solana):
-Cashio team disappears for days
–@Saber_HQ team provided sporadic updates, heavily promoted Cashio & say they cannot help depositors
-Saber VC @RaceCapital @multicoincap distanced themselves🧵👇 pic.twitter.com/ccFhAMKksg

— The Saint Eclectic (@sainteclectic) March 27, 2022

 

Saber had written a short post mortem on the situation but at the time of this article that post mortem has been deleted. It was all a big mess with some in the community trying to appeal to the better nature of the hackers, seems that was what paid off.

 

So…What happened again?

 

As stated earlier to get CASH users had to make deposits of USDT-USDC on Saber as Saber manages a cross-chain AMM for Solana- based stablecoins. The hacker exploited a point of the Cashio’s account validation system and since the security component was not fully defined the hackers were able to create as many accounts as they wanted and minted as many of the token as they wanted.

The team at Saber labs has promised to be more transparent with their code reviewing in the future and has taken steps to avoid this from happening again , further promising that any product on Saber will be reviewed to guarantee the safety of the funds on the ecosystem. This is all well and good but some see it as too little too late. They state this new measure will not apply to closed source protocols which are harder to hack anyway. In speaking of refunds Saber claimed to be unable to financially back a refund to the users.Instead the team made a plea to the hacker in an attempt to get the funds returned

If you are the hacker and are reading this , we hope you will consider returning the funds rather than donating them to charity: accounts with over $100K are often users’ life savings on leverage, and many of us will seriously be affected financially after this incident. we are willing to give $1M USDC as a bounty if the funds are returned.

 

Dark Robin Hood

 

The plea seems to have worked in a way. Instead of returning all $52 million the hacker has agreed to return the money to those accounts that lost under $100,000 but not to those that lost over that amount. A link was offered to where users could access an open-source platform to apply for the refund.

The hacker then left a message on the platform to tell the details of their actions.

 

The intention was only to take money from those who do not need it, not from those who do. Will be using the gains to return more funds to those affected even some accounts more than 100K. Will not return funds to accounts that already receive refund.

 

The @CashioApp hacker just announced that they will accept refund submissions

I've created an open-source website for victims of the https://t.co/BFJpzZJlGU hack to make generating and saving message signatures as easy as possible.

Site – https://t.co/NlxXO6atxB pic.twitter.com/NbkLeOvUYU

— wireless anon (@wireless_anon) March 28, 2022