$4M ‘exit scam’ suspected as Kokomo Finance flies off radar, token plunges

Optimism-based lending protocol Kokomo Finance has been suspected of a $4 million “exit scam” that saw user funds withdrawn from the platform through a smart contract loophole.

Blockchain security company CertiK warned its followers of a suspected “exit scam” in a March 26 Twitter post, noting that the Kokomo Finance token (KOKO) had collapsed by 95% within a few minutes.

CertiK also noted that Kokomo Finance deleted all of its social media accounts shortly after the rug pull.

Kokomo Finance has deactivated or deleted its Twitter account. Source: Twitter

CertiK said the deployer of KOKO attacked the smart contract code of the protocol’s wrapped Bitcoin market token, cBTC, by resetting the reward speed and pausing the borrowing function.

After that, an address starting with “0x5a2d…” was approved by a new cBTC smart contract to spend over 7,000 Sonne Wrapped Bitcoin (So-WBTC).

The attacker then called another function to move the So-WBTC to the 0x5a2d address, which generated a profit of $4 million, according to the security company.
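The sequence CertiK describes (reward speed reset, borrowing paused, market contract code changed, a fresh address approved for a large slice of the underlying collateral, then an outbound transfer) is what a monitor watching privileged calls on a lending market can be tuned to catch. The script below is an added example, not code from the article, CertiK or Kokomo Finance; the method names, addresses, timestamps and transaction records are constructed for illustration and are not Kokomo’s real calldata or on-chain data.

```python
"""Post-hoc monitor for the admin-action sequence described in the article.

Added example: function names, method names and the SAMPLE_TXS records are
constructed (hypothetical), not taken from the protocol or from CertiK.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Privileged actions that are individually legitimate but, taken together in a
# short window, match the pattern the article describes.
PRIVILEGED_METHODS = {
    "setRewardSpeed": "reward speed changed",
    "pauseBorrow": "borrowing paused",
    "setImplementation": "market contract code changed",
}
SEVERITY_RANK = {"info": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass
class Tx:
    ts: int                  # unix time of the transaction (constructed)
    sender: str              # calling address
    method: str              # decoded method name (hypothetical names)
    args: Dict[str, object] = field(default_factory=dict)


@dataclass
class Finding:
    severity: str
    reason: str
    ts: int


def scan(txs: List[Tx], underlying_balance: float, window_s: int = 3600,
         approval_threshold: float = 0.10) -> List[Finding]:
    """Return findings for one market.

    An approval for >= approval_threshold of the market's underlying balance
    is 'high' when the spender has never transacted before ('medium' otherwise).
    A transferFrom by that spender within window_s of the approval is
    'critical' if a privileged parameter or code change also happened inside
    the window, 'high' otherwise.
    """
    findings: List[Finding] = []
    seen_senders = set()           # addresses that have sent a tx so far
    admin_event_times: List[int] = []
    approvals: Dict[str, int] = {}  # spender -> timestamp of large approval

    for tx in sorted(txs, key=lambda t: t.ts):
        if tx.method in PRIVILEGED_METHODS:
            admin_event_times.append(tx.ts)
            findings.append(Finding("info", PRIVILEGED_METHODS[tx.method], tx.ts))
        elif tx.method == "approve":
            spender = str(tx.args["spender"])
            amount = float(tx.args["amount"])
            if amount >= approval_threshold * underlying_balance:
                fresh = spender not in seen_senders
                share = amount / underlying_balance
                findings.append(Finding(
                    "high" if fresh else "medium",
                    f"approval of {amount:.0f} ({share:.0%} of underlying) to "
                    f"{'never-seen' if fresh else 'known'} address {spender}",
                    tx.ts))
                approvals[spender] = tx.ts
        elif tx.method == "transferFrom":
            approved_at = approvals.get(tx.sender)
            if approved_at is not None and tx.ts - approved_at <= window_s:
                recent_admin = any(tx.ts - t <= window_s for t in admin_event_times)
                findings.append(Finding(
                    "critical" if recent_admin else "high",
                    f"{tx.sender} moved {float(tx.args['amount']):.0f} out "
                    f"{tx.ts - approved_at}s after being approved",
                    tx.ts))
        seen_senders.add(tx.sender)
    return findings


def worst_severity(findings: List[Finding]) -> str:
    """Highest severity present, or 'none' when the list is empty."""
    return max((f.severity for f in findings), key=SEVERITY_RANK.get, default="none")


# Constructed records shaped like the article's sequence; the first timestamp
# is 2023-03-26 09:00 UTC, the approximate time the article gives.
SAMPLE_TXS = [
    Tx(1679821200, "0xDEPLOYER", "setRewardSpeed", {"speed": 0}),
    Tx(1679821260, "0xDEPLOYER", "pauseBorrow", {"paused": True}),
    Tx(1679821320, "0xDEPLOYER", "setImplementation", {"impl": "0xNEWIMPL"}),
    Tx(1679821380, "0xNEWIMPL", "approve", {"spender": "0xSPENDER", "amount": 7000}),
    Tx(1679821440, "0xSPENDER", "transferFrom",
       {"from": "0xMARKET", "to": "0xSPENDER", "amount": 7000}),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_TXS, underlying_balance=9000):
        print(f.ts, f.severity.upper(), f.reason)
    print("worst:", worst_severity(scan(SAMPLE_TXS, underlying_balance=9000)))
```

The point of scoring the combination rather than any single call is that every step here is an ordinary owner action on a Compound-style market; what separates an upgrade from a drain is a never-seen spender receiving an approval for a large share of the underlying and spending it minutes after the code and parameters were changed.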

Changes to the KOKO smart contract code began at approximately 9 am UTC on March 26. Source: Optimistic Etherscan

A CertiK spokesperson told Cointelegraph that this is the largest “incident” detected on Optimism.

Kokomo Finance is an open-source, non-custodial lending protocol on Optimism where investors can trade wBTC, Ether (ETH), Tether (USDT), USD Coin (USDC) and DAI.

Kokomo Finance had been rising rapidly, with blockchain data platforms such as CoinGecko and DefiLlama officially tracking it shortly after it went live on Optimism on March 25.

The price of Kokomo Finance’s token, KOKO, fell by more than 97% at around 16:10 UTC on March 26. Source: CoinGecko

Recent snapshots show that more than $2 million was locked in Kokomo Finance before the token dropped by more than 97%.

Over 72% of the total value locked in the Kokomo Finance protocol was in the form of wrapped Bitcoin, according to data from DefiLlama.

Cointelegraph attempted to access all of the social media sites and blogs listed on Kokomo Finance’s Linktree page, but all of these links now lead to error pages, indicating that they have been deleted.

Related: 7 DeFi protocol hacks in Feb saw $21 million in funds stolen: DefiLlama

Cointelegraph also reviewed Kokomo Finance’s smart contract audit, which was conducted and shared by 0xGuard earlier in March.

While most aspects of the audit were passed, a “typographical error” was found, and the owner of the KOKO token was found to have a one-time ability to mint 45% of the maximum supply to any address.

Kokomo did not pass all aspects of the smart contract audit, which was reviewed by 0xGuard in March. Source: GitHub

Cointelegraph reached out to 0xGuard for comment but did not receive an immediate response.

Magazine: Should crypto projects negotiate with hackers? Probably