# Cashio Refund Walkthrough

This app came onto my radar via this tweet: https://twitter.com/wireless_anon/status/1508455315746041864?s=20&t=lYvTX7KMi1drV-Xesj9h_A

I'm not familiar with the author of this tweet. I'm reviewing the app because of this tweet: https://twitter.com/sainteclectic/status/1508465585608437761?s=20&t=lYvTX7KMi1drV-Xesj9h_A

**This is an informal review with no warranties expressed or implied.**

The source code I'm reviewing was found here: https://github.com/wireless-anon/cashio-refund

* The app contains two pages.
* On page one, it presents author attribution and relays a message from the party that exploited Cashio.
* On page two, it presents instructions and a form for writing, signing and downloading a message using your Phantom wallet.
* The general process of writing and then signing a message is sound (safe): a message signature is produced off-chain and is not a transaction.
* Consider transferring all assets out of the wallet you're using for this exercise. Signing a message submits nothing to the chain and costs no transaction fee, so you don't even need SOL to complete this exercise. **You should not be prompted to spend any assets or to approve a transaction.** If you are, something has gone wrong: reject the prompt.

You should see exactly two interactions with Phantom:

1. Allowing the website to connect.
2. A signature request.

![](https://i.imgur.com/SPLB55b.png)

![](https://i.imgur.com/ICiCeS3.png)

After pressing "sign message" you should see a download window.

![](https://i.imgur.com/0tnum5D.png)

Code review notes:

- I reviewed the first seven commits in this repo; the last was: 05a56f2785fc585e02d47cc850b56a3070a680d6
- I found it interesting, but not problematic, to see that the first commit was [Verified] but the remainder were not.
- I confirmed the package.json dependencies are what you'd expect them to be.
- I confirmed the GitHub commits were interacting with the Vercel bot to deploy them at the published URL.
- I confirmed the "Sign" function was only making signature requests.
- I created a virtual machine, installed Chrome, installed a clean copy of Phantom and used it to sign messages.
- There was no unexpected code or behavior.