Kokomo Finance is a non-custodial lending protocol built on Optimism and Arbitrum, two prominent layer-2 Ethereum platforms. The project has reportedly been accused of a $4 million exit scam in which user funds were taken from the platform through a smart-contract loophole. CertiK, a blockchain security firm, reported the incident on Twitter on March 26.
Smart contracts are programs stored on the blockchain. By automating an agreement between creator and recipient, they make its terms permanent and irrevocable. Their primary goal is to execute an agreement without middlemen, guaranteeing that all parties can instantly confirm its completion. They can also be designed to trigger a workflow when specified conditions are met.
Rug pulls have become an increasingly common way for scammers to steal hard-earned user funds in recent years. In this kind of scheme, the protocol deployer programs the smart contract to illegitimately withdraw liquidity from its pools, severely limiting the token’s ability to be freely traded and effectively crashing its price.
Prior to this illicit activity, the security company observed substantial slippage on the protocol’s native token, KOKO, whose value has since dropped by more than 98%, according to trackers, and was worth $0.00066244 at the time of writing.
According to CertiK, the KOKO deployer tampered with the smart contract code of a wrapped Bitcoin market, cBTC, by resetting the reward speed and halting the borrow function. The new cBTC smart contract then authorised an address beginning with “0x5a2d..” to spend over 7,000 Sonne Wrapped Bitcoin (So-WBTC). According to the security firm, the attacker then executed a further transaction to swap the So-WBTC to the 0x5a2d address, netting roughly $4 million.
Recent screenshots show that more than $2 million was deposited in Kokomo Finance prior to its 97% drop. The KOKO deployer, the team behind the protocol, first deployed the attack contract, limiting the reward speed and suspending borrowing in a sequence of steps.
The platform’s implementation contract was then replaced with one containing malicious code, which altered the underlying contract of the wrapped Bitcoin token (cBTC).
This triggered a chain of events that resulted in the deployer spending 7,010 Sonne WBTC, which were ultimately converted to 141 WBTC worth about $4 million at spot rates. The attacker then withdrew the funds to an external address. WBTC is a wrapped version of BTC, a token that tracks Bitcoin’s value.
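The sequence described above (an implementation upgrade on a lending market, then a large allowance granted by that market to an externally owned account, then a transfer draining it) is the kind of pattern a monitoring tool can flag. The following is an added defender-side example, not code from the article or from Kokomo Finance; the event stream, addresses, amounts and the `Event` type are all constructed placeholders.

```python
from dataclasses import dataclass

@dataclass
class Event:
    block: int
    emitter: str   # contract that emitted the log
    name: str      # "Upgraded", "Approval" or "Transfer"
    args: dict

# Constructed sample stream; addresses and amounts are placeholders, not chain data.
MARKET = "0xMARKET_PROXY"       # hypothetical upgradeable lending market (cBTC-style)
TOKEN = "0xUNDERLYING_TOKEN"    # hypothetical underlying ERC-20 (So-WBTC-style)
EOA = "0xEOA_RECIPIENT"         # hypothetical externally owned account
SAMPLE_EVENTS = [
    Event(100, MARKET, "Upgraded", {"implementation": "0xNEW_IMPL"}),
    Event(101, TOKEN, "Approval", {"owner": MARKET, "spender": EOA, "value": 7010 * 10**8}),
    Event(102, TOKEN, "Transfer", {"from": MARKET, "to": EOA, "value": 7010 * 10**8}),
    # Ordinary user approval to a router: must not be flagged.
    Event(150, TOKEN, "Approval", {"owner": "0xUSER", "spender": "0xROUTER", "value": 5 * 10**8}),
]

def find_rug_pull_signals(events, eoas, window=50, min_allowance=10**8):
    """Return one alert per (proxy, spender, token) where a recently upgraded
    proxy granted an allowance >= min_allowance to a known EOA within `window`
    blocks of the upgrade; 'drained' is set once a matching Transfer is seen."""
    upgraded_at = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e.block):   # stable: same-block order kept
        if ev.name == "Upgraded":
            upgraded_at[ev.emitter] = ev.block
        elif ev.name == "Approval":
            owner, spender = ev.args["owner"], ev.args["spender"]
            if (owner in upgraded_at and ev.block - upgraded_at[owner] <= window
                    and spender in eoas and ev.args["value"] >= min_allowance):
                alerts.append({"proxy": owner, "spender": spender, "token": ev.emitter,
                               "approval_block": ev.block, "drained": False})
        elif ev.name == "Transfer":
            for a in alerts:
                if (a["token"] == ev.emitter and ev.args["from"] == a["proxy"]
                        and ev.args["to"] == a["spender"]):
                    a["drained"] = True
    return alerts

if __name__ == "__main__":
    for alert in find_rug_pull_signals(SAMPLE_EVENTS, {EOA}):
        print("ALERT:", alert)
```

In practice the EOA set would come from a code-size lookup on each spender, and the window and allowance thresholds would be tuned per market.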
Although 0xguard reviewed Kokomo Finance’s smart contracts and issued a report on March 22, the auditor found no serious flaws. While the audit passed in most areas, “typographical errors” were noted, and the owner of the KOKO token was found to have a one-time ability to mint 45% of the maximum supply to an arbitrary address.