Security Postmortems
Real exploits. Real code. What went wrong and how we catch it.
How a Missing Account Check Cost Wormhole $326M
In February 2022, an attacker minted 120,000 wrapped ETH on Solana by spoofing the instruction sysvar account. One missing owner check. $326 million gone.
How Cashio Lost $48M to a Fake Account Chain: The Infinite Mint Dissected
In March 2022, an attacker minted 2 billion CASH tokens from thin air by feeding Cashio a chain of fake accounts. Every individual check passed. The root was never verified. Here is how it happened and how Anchor prevents it.
How Avraham Eisenberg Drained $115M from Mango Markets with a $10M Price Pump
The Mango Markets exploit was not a smart contract bug. It was a deliberate economic attack - one attacker, two wallets, $10M in capital, and a spot oracle with no circuit breakers. The result: $116M drained in under 40 minutes.
How Crema Finance Lost $8.9M to a Fake Tick Account
In July 2022, an attacker exploited Crema Finance's concentrated liquidity AMM on Solana by injecting fabricated tick accounts. The protocol accepted user-supplied account data without verifying ownership or derivation - draining $8.9M in LP fees.
How a Flash Loan Turned $10M Into a $3.5M Theft: The Nirvana Finance Exploit
On July 28, 2022, an attacker drained $3.5 million from Nirvana Finance using a single Solana transaction - borrowing $10M USDC, inflating the ANA token price 3x, and cashing out before anyone could react. Here is how it worked and what every DeFi protocol on Solana should learn from it.