The main contract is called Chainpals Token. The minting and transfer of the complete supply is done during deployment. This means new tokens can only be minted if the old ones are burnt.
Kokomo Finance, a lending protocol that had recently launched on Optimism, rug pulls users and disappears with approximately $4 million worth of tokens. The project’s token, KOKO, had only been launched less than 36 hours before the rug. The rug occurred through changes made by the project’s deployer address, which rugged Wrapped Bitcoin deposits. The project’s website, Twitter, GitHub, and Medium, were deleted soon after.
Kokomo Finance has taken off with approximately $4 million worth of user funds, leaving users unable to withdraw their funds. Wrapped Bitcoin deposits were rugged, with almost $2M of tokens still remaining in the project’s pools on Optimism.
The deployer of KOKO Token, identified as address 0x41BE, created a malicious contract called cBTC, modified the reward speed, paused the borrow function, and replaced the implementation contract using the function mentioned below with the malicious one. Another address, 0x5a2d, approved the cBTC contract to spend 7010 sonne WBTC. After the implementation contract was switched to the malicious cBTC contract, the attacker used the 0x804edaad method to transfer sonne WBTC to address 0x5C8d. Finally, the address 0x5C8d swapped 7010 sonne WBTC for 141 WBTC (~4M) in profit.
The stolen funds are currently held in four addresses:
Here are some indicators to look for in a smart contract that may indicate it could be a rugpull:
Kokomo Finance’s rugpull serves as a warning to the importance of conducting thorough security audits and implementing proper security measures in decentralized finance. As the rug occurred through changes made by the project’s deployer address, it is important to ensure that all aspects of a protocol are audited and secured.
Also read Hack Analysis on Euler Finance
The main contract is called Chainpals Token. The minting and transfer of the complete supply is done during deployment. This means new tokens can only be minted if the old ones are burnt.
The Level Finance hack significantly affected the platform and its users, as the attacker managed to steal $1.1 million in referral rewards. This breach undermined trust in Level Finance and raised concerns about the security of similar DeFi platforms.
Unipilot is an automated liquidity manager designed to maximize ”in-range” intervals for capital through an optimized rebalancing mechanism of liquidity pools. Unipilot V2 also detects the volatile behavior of the pools and pulls liquidity until the pool gets stable to save the pool from impairment loss.
The Yearn Finance hack that occurred on April 13, 2023, resulted in the loss of approximately $11.4 million. The exploit was carried out through a misconfiguration in the yUSDT vault, revealing a flaw in the system's architecture.
Phase Protocol is a NFT Marketplace infrastructure built on Solana Protocol, a reliable and scalable L1 solution. The on-chain Fundraising solution offered by DedMonke provides a crowdfunding experience to DeFi users.
BlockApex (Auditor) was contracted by PhoenixDAO (Client) for the purpose of conducting a Smart Contract Audit/Code Review. This document presents the findings of our analysis which took place on 28th October 2021.
The presale is supposed to go forward in three stages, each with fixed purchasable amounts and at a fixed cost. The cost starts off at 0.25 USD in the first phase, moves to 0.35 USD in the second phase and then to 0.45 in the last phase.
BlockApex (Auditor) was contracted by VoirStudio (Client) for the purpose of conducting a Smart Contract Audit/ Code Review of Unipilot Farming V2. This document presents the findings of our analysis which started from 25th Feb 2022.
On February 17, 2023, Platypus Finance was hacked, resulting in a loss of approximately $8.5 million worth of assets. In this hack analysis, we will delve into the details of the attack, the vulnerability that was exploited, and the impact it had on the platform and its users.