rug pull

$4M ‘exit scam’ suspected as Kokomo Finance flies off radar, token plunges

Kokomo Finance’s social media presence and websites are offline, while the price of the KOKO token fell more than 95% within a matter of minutes.

Optimism-based lending protocol Kokomo Finance has been suspected of a $4 million “exit scam” that has seen user funds plucked from the platform via a smart contract loophole.

Blockchain security firm CertiK alerted its followers to the “exit scam” in a March 26 tweet, noting that the Kokomo Finance (KOKO) token had plummeted 95% in value in a matter of minutes.

CertiK also noted that Kokomo Finance removed all social media accounts immediately following the alleged rug pull too.

Kokomo Finance has either deactivated or deleted its Twitter account. Source: Twitter

CertiK said the deployer of KOKO attacked the smart contract code of a wrapped Bitcoin token, cBTC, by resetting the reward speed and pausing the borrow function.

After that, an address beginning with “0x5a2d..” approved the new cBTC smart contract to spend over 7000 Sonne Wrapped Bitcoin (So-WBTC).

The attacker then called another function to move the So-WBTC to the 0x5a2d address, which produced a $4 million profit, according to the security firm.

Changes to the smart contract code of the KOKO began at about 9 am UTC on March 26. Source: Optimistic Etherscan

A CertiK spokesperson told Cointelegraph that it was the largest “incident” that the firm had detected on Optimism.

Kokomo Finance is an open-source and noncustodial lending protocol on Optimism, where investors could trade for wBTC, Ether (ETH), Tether (USDT), USD Coin (USDC) and Dai (DAI).

Kokomo Finance rose up the ranks quickly in recent days, with blockchain data platforms like CoinGecko and DefiLlama officially tracking it shortly after Kokomo Finance went live on Optimism on March 25.

The price of the Kokomo Finance token, KOKO, fell over 97% at about 4:10 pm UTC on March 26. Source: CoinGecko

Recent screenshots reveal that more than $2 million was locked into Kokomo Finance prior to it falling more than 97%.

Over 72% of the total value locked in the Kokomo Finance protocol came in the form of wrapped Bitcoin, according to data from DefiLlama.

Cointelegraph attempted to access all social media and blog websites listed on Kokomo Finance’s Linktree page, but all of these links now lead to error pages indicating they have been removed.

Related: 7 DeFi protocol hacks in Feb see $21 million in funds stolen: DefiLlama

Cointelegraph also came across Kokomo Finance’s smart contract audit, which was reviewed and shared by 0xGuard earlier in March.

While most aspects of the audit were passed, “typographical errors” were found, and the owner of the KOKO token was also found to have a one-time ability to mint 45% of the maximum supply to an arbitrary address.

Kokomo did not pass all aspects of its smart contract audit, which was reviewed by 0xGuard in March. Source: GitHub

Cointelegraph reached out to 0xGuard for comment but did not receive an immediate response.

Magazine: Should crypto projects ever negotiate with hackers? Probably

Friendsies NFT creators deny ‘abandoning’ project amid rug pull allegations

The Friendsies NFT collection responded to accusations it was behind a $5 million rug pull after announcing a “pause” of the project.

The team behind nonfungible token collection Friendsies has refuted claims they are “abandoning” the NFT project following a tsunami of “rug pull” accusations.

On Feb. 21, the founders behind the NFT project told their Twitter followers that they were putting a “pause” on Friendsies and “all future digital goods” for the time being, citing market challenges.

Around 40 minutes later, the Twitter account was deleted, while the account of Friendswithyou, who developed the project, was made private — sparking rumors that the founders had “rugged” for about $5 million.

The project’s Twitter account has since been reinstated with the founders vehemently denying they are “abandoning” the project. The founders’ account is still private, however.

“It is clear that we have upset many of you with the nature of our announcement, and perhaps we did not handle that in the best way possible,” they said, adding:

“To be very clear, we are not abandoning fRiENDSiES.”

The founders said the initial announcement was more about pausing social engagement “until further notice.”

“That was not intended to mean we are pausing building and seeking opportunities, those efforts remain on-going,” it added.

Friendsies is a collection of 10,000 Ethereum-based NFTs that launched last March. It purported to give each holder a custom-built “digital companion” that could be used in the metaverse, real-life experiences, art installations, and eventually a “Tamagotchi-like” play-to-earn game.

Friendsies NFT collection listing on OpenSea. Source: OpenSea

There are currently 3,323 owners of Friendsies NFTs. The collection has a floor price of 0.012 Ether (ETH) (approximately $20) and a trading volume of 3,775 ETH, according to data from OpenSea.

In the initial announcement, Friendsies said the “volatility and challenges of the market have made it very difficult to move this project forward in a way we can be proud of.”

In the follow-up Twitter thread some 17 hours after the pause announcement, the project’s founders admitted they were “overwhelmed” with hate and threats over the announcement:

“We were overwhelmed with hate and threats & both our Twitter and website were attacked […] We are sorry if we let you down today with our communication, but we are not going anywhere,” it wrote.

Related: NFTs will act as high-end property during boom cycles: Real Vision CEO

Mastercard’s former NFT product lead, Satvik Sethi, who resigned in spectacular fashion earlier this month, has even made an offer to take over the Friendsies NFT project.

“I’ll install a new team and take the project forward with a different vision,” he said.

“[Friendswithyou] if you care at all about your holders like you’ve always claimed, do the right thing. Don’t abandon people who put their trust in you despite all the noise. Hit me up, let’s discuss it.”

Defrost Finance breaks silence on ‘exit scam’ accusations, denies rug pull

Defrost Finance had not publicly commented on the rug-pull accusations in the media until now.

Defrost Finance, the decentralized trading platform that suffered a $12 million exploit in the days leading up to Christmas, has denied allegations that it had “rugged” its users as part of an elaborate “exit scam.”

On Dec. 23, the platform announced it suffered a flash loan attack, leading to the draining of user funds from its v2 protocol. One day later, another incident saw a hacker steal the admin key for a second “much larger” attack on the v1 protocol.

It’s understood the attacker or attackers conducted the flash loan attack by adding a fake collateral token and a malicious price oracle to liquidate users.

Observers, including blockchain security firms Peckshield and CertiK, as well as asset management platform DeFiYield, have suggested based on “community intel” that members of the team may have been behind the “exit scam” — given the fact that an admin key was required to perpetrate the exploit.

However, in an exclusive statement to Cointelegraph on Dec. 28, the team behind Defrost Finance broke its silence on the accusations, stating:

“We deny the accusations that the team rugged users. A compromised key does not equate to a rugpull, as much as the episode may raise doubts among the public.”

Defrost made two key arguments to deny its involvement.

Firstly, Defrost argued that if they had planned to orchestrate a rug pull, they would’ve done it months ago when its total value locked (TVL) neared $200 million.

According to DefiLlama, Defrost Finance’s TVL had fallen to just $13.14 million on Dec. 23, the day of the first attack.

“Anyone behind a rugpull would have probably defrauded investors when our TVL was 15 times what it is today.”

Secondly, Defrost argued that if they had been the perpetrators they would have “fled” long ago, which they haven’t done.

“[Anyone] anticipating the inevitable attention from the crypto community would have fled long ago. Yet here we are, working to get the funds back to their rightful owners,” it said.

Defrost Finance’s statement came just hours after decentralized finance investment platform DeFiYield in a Medium blog post on Dec. 27 again accused Defrost Finance of “rug pulling” its users.

DeFiYield pointed to on-chain data that it claimed suggested the creator of the multisig wallet was the same address that requested and then later approved the transactions that inserted the malicious source oracle that liquidated users.

It also alleged the developers behind Defrost Finance were the same as those of Phoenix Finance (FinNexus) which was exploited for $7.6 million in May 2021 in what some have also speculated was an “inside job.”

Related: Here’s how Defrost Finance plans to refund users following $12M hack

Defrost said it regrets being unable to share more details about the attack, as its priority has been helping users retrieve their funds.

“There are several issues that we would like to address in recent reports concerning Defrost Finance. We regret we cannot get deep enough into some details — but surely the community will understand this is a sensitive matter and our priority must be to help our users retrieve their funds. All other concerns are secondary to this,” it said.

The team is certainly unhappy about the allegations and earlier on Dec. 28 warned members of its Telegram group that it will ban members that attempt to perpetrate the “false narrative” that the Defrost team is responsible for the recent attacks.

“At this point, it’s not conducive to moving forward to continue allow [sic] the public chats to operate like the Wild Wild West. Will be implementing stricter protocols.”

A post on Defrost Finance’s Telegram group by a core team member. Source: Telegram

On Dec. 26, Defrost announced on Twitter it had managed to recover all the funds taken in the v1 hack, sharing in a post on Medium hours later that it has begun the process of returning funds to affected users.

The Ethereum wallet controlled by Defrost that is being used to facilitate the return of funds currently shows that $2.9 million of Ether (ETH) has been returned, along with $9.9 million worth of Dai (DAI).

“This will take a little time since we need to map who had what and where, but the wheels are turning fast and the entire process will be managed through smart contracts. It will be fully transparent and fairly swift,” Defrost told Cointelegraph in its recent statement.

No word was given about the v2 protocol as of yet, however.

350 new ‘scam tokens’ were created every day this year: Solidus Labs

Nearly 118,000 scam tokens were deployed from the start of January through the end of November, according to blockchain risk monitoring firm Solidus.

More than 350 fraudulent cryptocurrency tokens were created per day this year, defrauding millions of investors, according to blockchain risk monitoring firm Solidus Labs.

From the start of the year to Dec. 1, 117,629 “scam tokens” were deployed, according to Solidus’ 2022 “Rug Pull Report.” That’s a 41% increase from the nearly 83,400 scam tokens that Solidus detected in 2021.

The report claims that BNB Chain harbors the greatest number of scam tokens, with 12% of all BEP-20 tokens being fraudulent.

The Ethereum network was second, with a purported 8% of ERC-20 tokens alleged to be scams.

Solidus claims that 2022 is the biggest year on record for fraudulent crypto-tokens. Image: Solidus Labs

A rug pull is a type of crypto exit scam where an individual or team creates a token and pumps up its price before extracting all the value from the project, abandoning it as the token price plummets to zero.

Almost 2 million investors have lost money to these scams since September 2020, a greater number than the estimated 1.8 million combined creditors affected by the bankruptcies of crypto exchanges and lending platforms FTX, Celsius, and Voyager.

FTX, Celsius, BlockFi and Voyager bankruptcies are estimated to affect over 2.3 million users combined. Image: Solidus Labs

The most popular type of scam token was a “honeypot,” which is a token smart contract that doesn’t allow buyers to resell.
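The honeypot pattern described above comes down to an asymmetry in the token's transfer logic: anyone can receive tokens from the liquidity pool, but only the deployer (or a whitelist the deployer controls) can send them back to the pool. The cheapest practical check is therefore a simulated round trip: buy, then try to sell from the same address. The following is an added Python model written for this page, not code from Solidus or from any token named in the article; the ledger, the pool and trader addresses, and the whitelist rule are all constructed for the example.

```python
"""
Constructed model of an ERC-20 "honeypot" token and a buy-then-sell probe.
Added example for this page; not code from the article or from any project
it names. The token ledger is a plain dict, and the deployer, liquidity-pool
and trader addresses below are invented placeholder strings.
"""

# Constructed addresses (assumptions for the example, not real contracts).
DEPLOYER = "0xdead0000000000000000000000000000000000d0"
POOL = "0x1234567890abcdef1234567890abcdef12345678"   # stands in for the LP pair
TRADER = "0xfeed0000000000000000000000000000000000f0"


class TransferReverted(Exception):
    """Stands in for an EVM revert inside transfer()."""


class HoneypotToken:
    """Minimal balance ledger whose transfer() carries the honeypot rule:
    tokens may flow *out of* the pool to anyone, but only whitelisted
    senders (the deployer) may move tokens *into* the pool, i.e. sell."""

    def __init__(self, deployer, pool, supply=1_000_000):
        self.owner = deployer
        self.pool = pool
        self.balances = {deployer: 0, pool: supply}
        self.whitelist = {deployer}  # the privileged exit door

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def transfer(self, sender, to, amount):
        if self.balance_of(sender) < amount:
            raise TransferReverted("insufficient balance")
        # Honeypot rule: a non-whitelisted sender cannot send to the pool.
        if to == self.pool and sender not in self.whitelist:
            raise TransferReverted("sell blocked for non-whitelisted sender")
        self.balances[sender] -= amount
        self.balances[to] = self.balance_of(to) + amount


class HonestToken(HoneypotToken):
    """Same ledger without the whitelist rule, for comparison."""

    def transfer(self, sender, to, amount):
        if self.balance_of(sender) < amount:
            raise TransferReverted("insufficient balance")
        self.balances[sender] -= amount
        self.balances[to] = self.balance_of(to) + amount


def honeypot_check(token, trader, amount=100):
    """Simulate a buy (pool -> trader) followed by a sell (trader -> pool).

    Returns a dict with can_buy, can_sell and a verdict of "ok", "honeypot"
    or "buy_reverted". Run it once for an ordinary address and once for the
    deployer: a token that lets the deployer exit but blocks everyone else
    is the asymmetry that defines a honeypot.
    """
    result = {"can_buy": False, "can_sell": False}
    try:
        token.transfer(token.pool, trader, amount)  # simulated buy
        result["can_buy"] = True
    except TransferReverted as err:
        return {**result, "verdict": "buy_reverted", "reason": str(err)}
    try:
        token.transfer(trader, token.pool, amount)  # simulated sell
        result["can_sell"] = True
    except TransferReverted as err:
        result["reason"] = str(err)
    result["verdict"] = "ok" if result["can_sell"] else "honeypot"
    return result


if __name__ == "__main__":
    trap = HoneypotToken(DEPLOYER, POOL)
    print("trader:  ", honeypot_check(trap, TRADER))
    print("deployer:", honeypot_check(HoneypotToken(DEPLOYER, POOL), DEPLOYER))
    print("honest:  ", honeypot_check(HonestToken(DEPLOYER, POOL), TRADER))
```

Against a live chain the same probe is done by forking state locally and executing a real buy and sell through the router with a throwaway address; the verdict logic is unchanged, only the ledger is replaced by the actual contract. The test that matters is the comparison between the deployer and a fresh address, since a contract that simply reverts all sells is rare: the scam only works if the deployer can still get out.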

Solidus said the most prolific “honeypot” successfully executed in 2022 was the $3.3 million Squid Game (SQUID) token scam, which grew 45,000% in a few days as investors bought the hype but were unable to sell, ending with the anonymous founders apparently running off with investor funds.

Centralized exchanges (CEXs) are also affected by rug pulls as many behind these malicious tokens use them to fund their fraudulent project and cash out the ill-gotten gains.

Solidus claims around $11 billion worth of Ether (ETH) pilfered from scam tokens flowed through 153 CEXs since September 2020, with the majority of the exchanges being overseen by United States regulators.

Related: 5 key takeaways from Huobi 2022 crypto industry report

Nearly $4 billion flowed to U.S. CEXs in the analyzed time frame, which was nearly double that of the second-most exposed CEX jurisdiction: The Bahamas.

Mango Market exploiter brags after rug-pulling Mango Inu ‘shitcoin’

Avraham Eisenberg is at it again, following up his exploit of Mango Markets by deploying a new shitcoin named Mango Inu to purportedly swipe liquidity from bot traders.

Just over a week after pulling off the $117 million exploit of Mango Markets, Avraham Eisenberg is now boasting about making $100,000 rug-pulling a “shitcoin” called Mango Inu, again claiming he “did nothing wrong.”

Eisenberg recently outed himself as one of the persons behind the recent $117 million exploit of the Solana-based decentralized finance (DeFi) platform Mango Markets, which he has also claimed was “legal.”

In an Oct. 23 post on Twitter, Eisenberg said the scheme involved deploying a “shitcoin” named Mango Inu, which he suggests was aimed at “exploiting bots” that gobble up newly launched tokens.

Eisenberg said the strategy involved deploying tokens, adding liquidity and then “rugging” right after the bots buy the token.

“Talked to someone who would deploy coins, add liquidity, and rug right after the bots bought, was a good low capacity strat last year when the bots bought anything that moved,” he said.

Much like the Mango Markets exploit, when people on Twitter questioned the morality and legality of the whole ordeal, Eisenberg argued that he hadn’t broken any laws, as there was no promotion of the token:

“What part? Mango Inu is definitely not a security (no marketing, etc), no promises were made, just open market liquidity transactions.”

Eisenberg said the token managed to get over $250,000 “invested/gambled” within half an hour with “absolutely no promotion,” and that the fact that it occurred meant that “we’re still so far away from the bottom.”

He also explicitly warned not to buy the token, as “if you buy this you will definitely lose all your money.”

Pointless tokens continue to arise

The Mango Inu token is another example of a token that has gained questionable market takeup recently despite not having any utility — a symptom usually associated with bull markets.

Earlier this month, a memecoin named THE token was created in response to a satirical Oct. 14 Twitter post from Ethereum co-founder Vitalik Buterin, calling for the creation of an easily shillable project called The Protocol.

THE was subsequently launched on Ethereum and the BNB Smart Chain right after Buterin’s tweet, and pumped 77% by Oct. 20, though it has since dropped back down 60% to sit at $0.015 at the time of writing.

Related: 3Commas issues security alert as FTX deletes API keys following hack

The token, which was listed on exchanges such as Uniswap v3, MEXC Global and Bitget, appears to serve no other function than the actualization of a joke made by Buterin to foster wild speculation.

Blockchain cybersecurity firm PeckShield has urged caution with this token.