Cascade XYZ CLS Vault Exploited for $1.34M on Arbitrum

DeFi perpetuals platform Cascade XYZ confirmed on Wednesday that its Cascade Liquidity Strategy (CLS) vault was exploited for approximately $1.34 million in USDC. The incident affected funds on the Arbitrum network, where the protocol had been building liquidity through a series of “First Wave” pre-allocation campaigns.
Yesterday afternoon, Cascade detected a security exploit affecting our CLS vault, resulting in the loss of $1.3M in user funds. All trading and withdrawals were paused accordingly.
This is what we know:
1. On thin liquidity markets, most of the orderbook orders were created by…
— Cascade (@cascade_xyz) July 16, 2026
According to an official statement from Cascade, the attack involved mark price manipulation and targeted liquidations within markets characterized by thin liquidity. This mechanism allowed the exploiter to drain assets from the CLS vault, which serves as the protocol’s native strategy for underwriting orderbook depth and liquidation flows.
Locked Funds and Response Efforts
The exploit is particularly significant for early participants, as the funds in the CLS vault represented pre-allocated deposits that were locked until the protocol’s public trading launch. Users had deposited USDC into the vault to earn reward points, with the protocol most recently opening a $5 million pre-allocation window on January 21.
Cascade indicated that it is currently working with the SEAL 911 emergency response team and law enforcement as part of an ongoing investigation. The protocol has also identified specific attacker emails and transaction data associated with the breach.
On-Chain Movement of Funds
Tracking data from security firm PeckShield and independent on-chain researchers shows a sophisticated laundering path designed to bypass centralized stablecoin restrictions. After consolidating 1.34 million USDC on Arbitrum, the attacker moved the funds across multiple chains, including Solana, before bridging them to Ethereum via the Relay Protocol.
Once on Ethereum, the stolen assets were converted into DAI. This maneuver effectively moved the capital into a decentralized stablecoin, preventing the possibility of a funds freeze by the USDC issuer, Circle. On-chain observers also noted that the attacker’s wallet received gas funding from an address linked to Polymarket shortly after the funds arrived on certain networks.
At the time of reporting, the protocol has not provided a timeline for fund recovery or a detailed post-mortem regarding potential reimbursements for affected depositors. The available official information remains focused on the initial investigation and the identification of the attack vector.






