Kokomo Finance, an open-source and noncustodial lending protocol on Optimism, has been accused of an exit scam worth $4 million. The protocol allegedly plucked user funds via a smart contract loophole, causing the Kokomo Finance token to plummet 95% in value in a matter of minutes. Blockchain security firm CertiK alerted its followers to the situation in a tweet on March 26.
According to CertiK, the deployer of the KOKO token attacked the smart contract code of a wrapped Bitcoin token, cBTC, by resetting the reward speed and pausing the borrow function. An address beginning with “0x5a2d..” then approved the new cBTC smart contract to spend over 7,000 Sonne Wrapped Bitcoin (So-WBTC). The attacker then called another command to swap the So-WBTC to the 0x5a2d address, which produced a $4 million profit, according to the security firm.
CertiK also noted that Kokomo Finance removed all social media accounts immediately following the alleged rug pull. The protocol rose up the ranks quickly in recent days, with blockchain data platforms like CoinGecko and DefiLlama officially tracking it shortly after Kokomo Finance went live on Optimism on March 25. Recent screenshots reveal that more than $2 million was locked into Kokomo Finance prior to it falling more than 97%.
Over 72% of the total value locked in the Kokomo Finance protocol came in the form of wrapped Bitcoin, according to data from DefiLlama. Most aspects of the audit were passed, but “typographical errors” were found, and the owner of the KOKO token was found to have a one-time ability to mint 45% of the maximum supply to an arbitrary address.
Kokomo Finance is a lending protocol that enables users to trade for wBTC, Ether (ETH), Tether (USDT), USD Coin (USDC), and Dai (DAI). It operates on the Optimism layer 2 scaling solution, which allows for faster and cheaper transactions on the Ethereum network.
The exit scam allegations against Kokomo Finance have raised concerns about the security of decentralized finance (DeFi) protocols. While DeFi has enabled greater financial freedom and accessibility for users, it has also brought with it new risks and challenges. Smart contract vulnerabilities and security loopholes can be exploited by bad actors, as in the case of Kokomo Finance.
Despite this incident, the DeFi space continues to grow and evolve, with new protocols and platforms emerging all the time. As the industry matures, it is likely that greater attention will be paid to security and risk management, in order to protect users and prevent similar incidents from occurring in the future.