The team behind Optimism-based lending protocol Kokomo Finance appear to have executed a rug pull over the weekend, stealing around $4 million in funds, security firm CertiK said via Twitter on 27 March.
Launched on 25 March, Kokomo Finance was an open-source, non-custodial lending protocol on Optimism that allowed users to borrow, lend, and trade several major cryptocurrencies, including wrapped Bitcoin (wBTC), Ether (ETH), Tether (USDT), USD Coin (USDC), and Dai. The project quickly rose in popularity among Optimism users — and was even tracked by platforms like CoinGecko and DefiLlama — but on 26 March all of Kokomo Finance’s online presence was removed.
According to blockchain security firm CertiK, Kokomo’s developers deployed an attack contract cBTC from the main address of the KOKO native token on Sunday, and then resetted the reward speed and paused the borrow function. The cBTC contract was then given approval to spend 7010 Sonne wrapped Bitcoin (So-wBTC), which were transferred to address 0x5C8d and then swapped for 141 wBTC producing a $4 million profit.
Shortly after Kokomo’s social media accounts and website were deleted, the value of the KOKO token fell by more than 98%, wiping nearly all value for its holders.