Optimism-based lending protocol Kokomo Finance appears to have executed an exit scam, stealing roughly $4 million of users’ funds through a smart contract loophole.
Blockchain security firm CertiK flagged the incident on March 26, alerting Crypto Twitter to a price slippage on the project and the disappearance of its social media accounts. Kokomo’s website has also gone offline, with an error page popping up whenever users try to access it.
Kokomo Finance Rug Pulls Users for $4M
CertiK disclosed that the deployer of the KOKO token, address 0x41BE, executed an attack on the smart contract of a wrapped Bitcoin token (cBTC). The attacker then reset the reward speed, halted the borrow function, and turned the implementation contract into a malicious one.
Another address, 0x5a2d, approved the malicious cBTC smart contract to spend the 7010 sonne wrapped BTC (WBTC).
Since the implementation contract was already set to the malicious cBTC contract, the attacker called a command to transfer the sonne WBTC to the address 0x5C8d.
The final transaction saw address 0x5C8d swap the 7010 sonne WBTC to 141 wBTC, gaining approximately $4 million in profit.
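The sequence CertiK describes (admin changes, an implementation swap, an approval to the swapped contract, then a pull of funds to a third address) is the kind of pattern an on-chain monitor can correlate. The following is an added example, not code from CertiK or the article; the event kinds and field names are hypothetical normalized records rather than a real contract ABI, and the sample feed is constructed using the address labels quoted above.

```python
# Added example: correlate normalized on-chain events to flag an
# "upgrade, then approve, then drain" sequence. Event kinds and field
# names are hypothetical (an assumed indexer output), not a real ABI.

# Constructed sample feed, ordered by block; labels follow the article.
SAMPLE_EVENTS = [
    {"block": 1, "kind": "reward_speed_set", "contract": "cBTC", "sender": "0x41BE"},
    {"block": 2, "kind": "borrow_paused", "contract": "cBTC", "sender": "0x41BE"},
    {"block": 3, "kind": "implementation_changed", "contract": "cBTC", "sender": "0x41BE"},
    {"block": 4, "kind": "approval", "token": "sonne WBTC", "owner": "0x5a2d",
     "spender": "cBTC", "amount": 7010},
    {"block": 5, "kind": "transfer_from", "token": "sonne WBTC", "caller": "cBTC",
     "src": "0x5a2d", "dst": "0x5C8d", "amount": 7010},
]

ADMIN_KINDS = {"reward_speed_set", "borrow_paused"}


def detect(events, window=50):
    """Return (block, severity, message) alerts; window is measured in blocks."""
    alerts = []
    admin_seen = {}  # contract -> blocks of recent admin parameter changes
    upgraded = {}    # contract -> block of its last implementation change
    approved = {}    # (token, owner, spender) -> block of a flagged approval
    for ev in sorted(events, key=lambda e: e["block"]):
        kind, blk = ev["kind"], ev["block"]
        if kind in ADMIN_KINDS:
            admin_seen.setdefault(ev["contract"], []).append(blk)
        elif kind == "implementation_changed":
            upgraded[ev["contract"]] = blk
            # An upgrade right after other admin changes is more suspicious.
            recent = [b for b in admin_seen.get(ev["contract"], []) if blk - b <= window]
            sev = "high" if recent else "medium"
            alerts.append((blk, sev, f"{ev['contract']} implementation changed by {ev['sender']}"))
        elif kind == "approval":
            up = upgraded.get(ev["spender"])
            if up is not None and blk - up <= window:
                approved[(ev["token"], ev["owner"], ev["spender"])] = blk
                alerts.append((blk, "high", f"{ev['owner']} approved freshly upgraded {ev['spender']}"))
        elif kind == "transfer_from":
            key = (ev["token"], ev["src"], ev["caller"])
            if key in approved and ev["dst"] != ev["src"]:
                alerts.append((blk, "critical",
                               f"{ev['caller']} moved {ev['amount']} {ev['token']} to {ev['dst']}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

An implementation change on its own raises only a medium alert; the severity escalates when it follows other admin changes and again when the upgraded contract pulls approved tokens to a different address.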
KOKO Dumps Over 95%
Following the rug pull, KOKO, Kokomo’s native token, plunged by more than 95% from $0.020 to $0.00065.
Kokomo Finance recently went live on Optimism and Arbitrum as an open-source and non-custodial lending protocol for users to trade wBTC, Ether (ETH), Tether (USDT), USD Coin (USDC), and DAI.
Barely 24 hours after its launch, the platform had $2 million in total value locked (TVL), mostly in wBTC, according to data from DefiLlama. The exit scam dropped the platform’s TVL to just over $64,000.
Meanwhile, Kokomo Finance is not the only DeFi protocol to rug pull users in recent times. Earlier this month, the developers of Arbitrum-based decentralized exchange ArbiSwap suddenly removed over $130,000 from the project’s liquidity pool, leaving users scratching their heads and counting losses.