# Cashio Refund Walkthrough
This app came onto my radar via this tweet:
https://twitter.com/wireless_anon/status/1508455315746041864?s=20&t=lYvTX7KMi1drV-Xesj9h_A
I'm not familiar with the author of this tweet.
I'm reviewing the app because of this tweet:
https://twitter.com/sainteclectic/status/1508465585608437761?s=20&t=lYvTX7KMi1drV-Xesj9h_A
**This is an informal review with no warranties expressed or implied.**
The source code I'm reviewing was found here:
https://github.com/wireless-anon/cashio-refund
* The app contains two pages
* On page one, it presents author attribution and relays a message from the party that exploited Cashio.
* On page two, it presents instructions and a form for writing, signing and downloading a message using your Phantom wallet.
* The general process of writing then signing a message is sound (safe).
* Consider transferring all assets out of the wallet you're using for this exercise. Signing a message doesn't require gas fees, so you don't even need SOL to complete this exercise.
**You should not be prompted to spend any assets** -- if you are, something has gone wrong.
You should see exactly two interactions with Phantom.
1. Allowing the website to connect.
2. A signature request.


After pressing "sign message" you should see a download window.

Code review notes:
- I reviewed the first seven commits in this repo; the last was: 05a56f2785fc585e02d47cc850b56a3070a680d6
- I found it interesting, but not problematic, to see that the first commit was [Verified] but the remainder were not.
- I confirmed the package.json dependencies are what you'd expect them to be.
- I confirmed the GitHub commits were interacting with the Vercel bot to deploy them at the published URL.
- I confirmed the "Sign" function was only making signature requests.
- I created a virtual machine, installed Chrome, installed a clean copy of Phantom and used it to sign messages.
- There was no unexpected code or behavior.