Blockchain security firm CertiK raised an alarm on March 26 regarding the suspected $4 million “exit scam” of Optimism-based lending protocol Kokomo Finance. In less than a minute, the value of the KOKO token had plummeted by 95%, and all social media accounts associated with Kokomo Finance had been removed. The scam appeared to have exploited a loophole in the platform’s smart contracts. It remains unclear how many users were affected.
CertiK recently reported that the deployer of KOKO had attacked the smart contract code of a wrapped Bitcoin token, cBTC, by resetting its reward speed and pausing its borrow function. Subsequently, an address beginning with “0x5a2d..” approved a new cBTC smart contract to spend over 7000 Sonne Wrapped Bitcoin (So-WBTC).
Furthermore, the security firm reported that the attacker executed a command that swapped So-WBTC to an address beginning with 0x5a2d, resulting in a profit of $4 million.
A CertiK spokesperson reported that the incident detected on Optimism was the largest yet for the firm. Kokomo Finance is an open-source and noncustodial lending protocol that operates on Optimism, where investors can trade wBTC, ETH, USDT, USDC, and DAI. After its launch on March 25, Kokomo Finance gained popularity rapidly among platforms such as CoinGecko and DefiLlama, which officially track the protocol.
Before its recent 97% crash, data from DefiLlama revealed that over $2 million had been locked into Kokomo Finance. Of the total value locked in the protocol, 72% was in the form of wrapped Bitcoin. Attempts to access social media and blog websites on Kokomo Finance’s Linktree page led to error pages, indicating they had been removed.
0xGuard conducted a smart contract audit of Kokomo Finance earlier in March. Most elements of the audit passed, but it identified typographical errors and the ability of the owner of KOKO to mint 45% of the maximum supply to an arbitrary address.