Kokomo Finance - Hack Analysis (March 27, 2023)

Table Of Content



Kokomo Finance, a lending protocol that had recently launched on Optimism, rug pulls users and disappears with approximately $4 million worth of tokens. The project’s token, KOKO, had only been launched less than 36 hours before the rug. The rug occurred through changes made by the project’s deployer address, which rugged Wrapped Bitcoin deposits. The project’s website, Twitter, GitHub, and Medium, were deleted soon after.

Hack Impact

Kokomo Finance has taken off with approximately $4 million worth of user funds, leaving users unable to withdraw their funds. Wrapped Bitcoin deposits were rugged, with almost $2M of tokens still remaining in the project’s pools on Optimism.


The deployer of KOKO Token, identified as address 0x41BE, created a malicious contract called cBTC, modified the reward speed, paused the borrow function, and replaced the implementation contract using the function mentioned below with the malicious one. Another address, 0x5a2d, approved the cBTC contract to spend 7010 sonne WBTC. After the implementation contract was switched to the malicious cBTC contract, the attacker used the 0x804edaad method to transfer sonne WBTC to address 0x5C8d. Finally, the address 0x5C8d swapped 7010 sonne WBTC for 141 WBTC (~4M) in profit.


kokomo finance

Steps to reproduce

  • The attacker deployed a contract called cBTC, then changed its implementation to a malicious contract. The attacker then called the 0x804edaad method to transfer tokens to a different address and ultimately swapped those tokens for profit.

Transaction Analysis

The stolen funds are currently held in four addresses:

Rugpull Indicators

Here are some indicators to look for in a smart contract that may indicate it could be a rugpull:

  • Anonymous or unknown team: A team that is anonymous or unknown should be a red flag as they may not have any reputation to uphold and can disappear easily.
  • Unaudited code: A smart contract that has not been audited or reviewed by reputable third-party auditors increases the risk of vulnerabilities and potential exploits.
  • Centralized control: A smart contract that gives excessive control to the owner or a small group of individuals can lead to potential misuse of funds or a rugpull.
  • Lack of transparency: A rugpull often involves a lack of transparency or information on the project, such as unclear tokenomics or a lack of information on the team or project roadmap.
  • Unrealistic promises: Projects that make unrealistic promises of high returns or quick profits without a clear explanation of how these returns will be generated should be approached with caution.
  • Lack of liquidity: If a project has low liquidity or a small number of holders, it may be easier for a rugpull to occur as there may not be enough holders to prevent a large-scale dump.
  • Sudden changes or delays: A sudden change in the project roadmap or significant delays in project milestones without proper communication to investors can be a warning sign of a potential rugpull.


Kokomo Finance’s rugpull serves as a warning to the importance of conducting thorough security audits and implementing proper security measures in decentralized finance. As the rug occurred through changes made by the project’s deployer address, it is important to ensure that all aspects of a protocol are audited and secured.

Also read Hack Analysis on Euler Finance

More Audits

LightLink Token Transfer Bridge Architecture Threat Modeling

This comprehensive threat analysis report provides an in-depth review of potential security vulnerabilities within the LightLink Token Transfer Bridge Architecture. Through rigorous application of both the STRIDE and ABC threat modeling frameworks, the report identifies key system weaknesses and offers strategic mitigation recommendations.

Jimbo's Protocol - Monday, May 28, 2023

Jimbo's Protocol is a decentralized finance (DeFi) system built on the Arbitrum chain. The protocol uses a semi-stable floor price for its ERC-20 token, $JIMBO, backed by a treasury of Ether (ETH). However, despite its pioneering efforts to maintain on-chain liquidity and price floors, Jimbo's Protocol recently faced a Flash loan attack.

Flower Fam NFT Audit Report

Flower Fam is an NFT-based project, after you mint your NFT you can “harvest” them on weekly bases to get 60% royalties. It's quite simple: every flower has a 10% chance to win. The rarer the species of a flower.

Script TV - Audit Report

Script TV is a decentralized video delivery network that furnishes an expansive range of blockchain-enabled solutions to the problems related to the traditional video-streaming sector.

Vaccify - Building a Resilient Digital Trust Ecosystem

Vaccify is an open-source COVID-19 Initiative of TrustNet. The idea behind it is to issue digital certificates to people who are vaccinated (once the vaccine is available) for COVID-19. It is a Blockchain-based digital identity eco-system for all hospitals, healthcare centers, laboratories, and testing facilities across Pakistan.

GameFi: Future of Gaming or Short-lived Gimmick?

On the surface, the GameFi industry sounds revolutionary. However, digging a little deeper reveals several questions about its legitimacy. What are the risks associated with its play-to-earn model? Are all games which claim to be a part of GameFi credible? And, at the end of the day, is this a viable direction for gaming, or nothing more than a short-lived gimmick?

Unipilot Staking Audit Report

Unipilot Staking is a Staking infrastructure built on Ethereum, a reliable and scalable L1 solution. The staking solution offered by Unipilot provides the stakers a way to get incentives.

Achieving Security In Blockchain Part One: Outlining The Problem

A major pillar of blockchain technology is transparency. This means that any system built on blockchain is by definition public- a fact that introduces an entirely new set of vulnerabilities and threats. As a result, cleverly orchestrated hacks on blockchain solutions are not an uncommon feat. Even the biggest names in the field continue to suffer from attacks, resulting in losses equating to millions of dollars. 

Lightlink Bridge: BlockApex WhiteBox Code Review Report

the source code review of Lightlink Bridge Validator and Keeper. The purpose of the assessment was to perform the whitebox testing of the Bridge’s validator and Keeper before going into production and identify potential threats and vulnerabilities.

1 2 3 11
Designed & Developed by: 
All rights reserved. Copyright 2023