Kokomo Finance developers pull off $4M exit scam days after launch: report

Getting your Trinity Audio player ready...

The team behind Kokomo Finance, a lending protocol built on Ethereum Layer 2 network Optimism, has allegedly pulled off a $4 million exit scam.

New York Web3 security company CertiK first discovered the exploit. In addition to the smart contract exploit, the Kokomo developers also took down the project’s social media accounts, CertiK revealed.

#CertiKSkynetAlert 🚨

We are seeing a price #slippage on project Kokomo Finance (KOKO)

Contract eth:0x7Da25Bc4cFAed3F29414C6779676e53B19a356f5

which has dropped more than 95%.

The project has removed all of their social media accounts.

Stay vigilant! pic.twitter.com/eG84xQVJ4N

— CertiK Alert (@CertiKAlert) March 26, 2023

CertiK first discovered high slippages on KOKO, the lending platform’s native token. KOKO has since plunged to $0.00066244 at press time, a 98.6% dip.

In its analysis of the attack, the cybersecurity company said the developers had deployed the attack contract cBTC, paused borrowing, and reduced reward speed. They then set the implementation contract into a malicious one.

cBTC is a derivative of Wrapped BTC (wBTC) issued on the Ethereum network.

The developers reportedly used one of their addresses to approve a transfer of over 7,000 Sonne Wrapped BTC, yet another BTC derivative issued on Ethereum. They then used these tokens to swap all the liquidity that users had supplied to Kokomo, walking away with about $4 million in user funds.

After the alleged heist, the developers took down the social media accounts and the Kokomo website, vanishing in Asian morning hours on Monday.

Kokomo launched on March 25, offering users a non-custodial protocol to borrow, lend, and trade wrapped BTC, USDT, Ether, USDC, and the DAI stablecoin. Its popularity quickly surged, with DeFiLlama showing that two days after launch, it accumulated $2 million in total value locked (TVL).

Kokomo was audited just days prior by 0xGuard, a smart contract auditing firm that has audited over 100 other projects.

New audit report by #0xGuard is available.

🟠Prepared for: @KokomoFinance
🟠View the report here: https://t.co/6XbwTrOFdG#audit #smartcontracts #security #blockchain #crypto pic.twitter.com/D6SM2KSzWf

— 0xGuard (@0xGuard) March 22, 2023

In its report, 0xGuard found no issues with most of the protocol except for one major loophole:

“The owner has a one-time ability to mint 45% of MAX_SUPPLY, i.e. 45e24 tokens, to an arbitrary address.”

Earlier this month, DeFi platform Euler Finance lost $197 million to a flash loan attack.

Watch: Tokenizing Assets & Securities on Blockchain