The deployer of Kokomo Finance, a non-custodial lending protocol on Optimism and Arbitrum, which are popular layer-2 platforms on Ethereum, has rugged users of $4 million.
Kokomo Finance Exit Scams, Stealing $4 Million
CertiK, a blockchain security firm, tweeted on March 26 that Kokomo Finance exited the protocol and stole $4 million in user funds.
On 26 March 2023, Kokomo Finance conducted an exit scam and stole ~$4 million in user funds.
Details Below 👇 https://t.co/BEPwfahblz
— CertiK Alert (@CertiKAlert) March 26, 2023
In recent years, rug pulls have become a popular way for scammers to steal hard-earned user funds. Here, the deployer of the protocol programs the smart contract to illegally pull out liquidity from its pools, drastically impacting the token’s ability to be freely traded, essentially crashing its price.
Preceding this heist, the security firm first noted high slippages on the protocol’s native token, KOKO, whose value is now down by over 98%. Trackers show that the token is $0.00064850 as of March 27. At the same time, the team had deactivated all of their social media channels, effectively cutting out everyone.
In a series of moves, the deployer of KOKO, the team behind the protocol, first deployed the attack contract, reducing reward speed and pausing borrowing.
Afterward, the platform’s implementation contract was set into malicious code, which manipulated the main contract behind the wrapped Bitcoin token (cBTC).
This set in motion other events, which saw the deployer spend 7010 sonne WBTC, which were eventually converted to 141 WBTC worth roughly $4 million at spot rates. The amount was then withdrawn to an external address by the manipulator. WBTC is a wrapped version of BTC, a token that tracks the value of Bitcoin.
Auditor’s Report Showed No Smart Contract Flaw
CertiK has said this is the largest rug pull they had observed on Optimism. Together with Arbitrum, the two are the most popular layer-2 platforms on Ethereum, enabling the launching of dapps in a scalable, low-fee environment.
Although Kokomo Finance’s smart contracts had been audited by 0xguard, and a report was released on March 22, the auditor discovered no severe bug.
https://twitter.com/0x_az/status/1639841816676556800
Before the rug pull, Kokomo Finance enabled the trading of, among other tokens, wBTC, ETH, DAI, and USDT. Per screen grabs shared on March 26, Kokomo Finance had a total value locked (TVL) of $ $1,952,888, according to DeFiLlama data.
At this level, this TVL represented an over 20x rise from March 24, when it stood at just $67,000. Most of this was locked in Optimism with barely anything in Arbitrum. A dive into their assets under management reveals that wBTC constituted 72% of all the TVL while ETH made up 21%.