Introduction

On 26 March, 2023 Kokomo Finance (KOKO) on the Optimism Smart Chain was drained of user assets. After an initial investigation, CertiK discovered that Kokomo Finance conducted an exit scam leading to the loss of $4.5 million in user funds. In addition to stealing $4.5 million, the project has shut down all of its social media accounts.

Event Summary

On 26 March 2023, Kokomo Finance conducted an exit scam from their KOKO token deployed on Optimism. According to the project’s Twitter, Kokomo Finance is an open-source and non-custodial lending protocol. Sometime during the incident Kokomo Finance had removed all of their social media accounts including their website. The exit scam led to the loss of approximately $4.5 million in user funds and more than a 95% drop in the token's price. Of the $4.5 million that was phished from users, an additional $109,272 was removed from the liquidity pool by 0xe06b2.

Image: KokomoFinance Twitter account removed. Source: Twitter

The attack flow seen in this incident was similar to a previous exploit CertiK identified, Harvest Keeper, where scammers not only removed users funds from the projects contract, but also stole users funds through ice phishing. In the Kokomo Finance exploit, a technique called ice phishing was used to deceive users into sending their funds to the exploiter, in this case cBTC contract 0x1e02E. Ice phishing is a type of attack that is exclusive to the Web3 world whereby a user is tricked into signing permissions with their wallet allowing for a malicious actor to spend a user's tokens. This differs from traditional phishing attacks which aim to access confidential information such as private keys or passwords via social engineering.

The incident further developed when the deployer of Kokomo Finance’s KOKO Token, address 0x41BE3, deployed attack contract 0x1e02E (cBTC), which then used _setRewardSpeed function to change the reward speed, and suspended borrowing and set the implementation contract into a malicious contract (0x05b29). For example below,

The difference between malicious contracts and normal contracts is an issue of intent. All code can be exploited if not written or managed properly, or it can be designed to cause harm. There are many elements of a contract that could give deploying wallets the authorities to change the contract or steal funds through various methods. Or, as seen in this incident, a contract could be purposefully designed to allow deployer wallets to use these functions unchecked. Malicious contracts are those specifically designed to exploit contract users for monetary gain, while normal contracts are those that protect against these types of abuses or choose not to use them.

Address 0x5a2d0, the victim in the ice phishing attack, approved the cBTC contract to spend the 7010 Sonne Wrapped Bitcoin (soWBTC).

A Sonne Finance admin announced via discord that Kokomo Finance was offering yields for the receipt tokens (soTokens) from Sonne Finance. They stated Kokomo Finance had obtained approval to spend unlimited soBTC tokens from users who granted them permission. They further added that users should revoke their approvals and noted that Sonne Finance funds were secure, and only users who approved Kokomo Finance's contracts have been affected.

After the implementation contract was upgraded to the malicious cBTC contract, the attacker called 0x804edaad() method to transfer soWBTC to address 0x5C8db, the attacker's address. Finally, the address 0x5C8db swapped 7010 soWBTC to 141 WBTC for profit. On Sonne Finance’s Discord, user James8964#1009 claimed to be a victim who had funds stolen during the attack reinforcing the activity that was observed on chain.

Asset Tracing

Initially, the funds were distributed across four different wallet on three different blockchains:

• Optimism:

  • cBTC contract: 0x1e02E6A5b549eeAd726ebCce64a54215196760E2
    • Contains $1,422,041.19 (approximately 802.2075 ETH) which has since been distributed to multiple EOAs.

• Arbiscan:

  • 0x88340ff2292506d0d93934cbbfea5ed1804cda0d
    • Contains $562,181.97 (approximately 317.0527 ETH)

• bscscan:

  • 0x8c0ecd7bacced114729f8269b459e0a4d5e95c3b

    • Contains $1,398,176.09 (approximately 4,255.8785 BNB)

  • 0xb74c5e41e748babc32ce33813549e2503cdab762

  • Contains $1,118,094.10 (approximately 3,403.3428 BNB)

Conclusion

Kokomo Finance was the fifth largest exit scam this year and is the largest incident on Optimism in 2023. During 2022, we recorded approximately $27.9 million lost on Optimism. So far this year, we have recorded four incidents on Optimism totaling $10.2 million. Across all platforms we have recorded a total of $123.2 million lost due to exit scams this year.

This attack occurred due to centralization-related risks because of the upgradability of the contract and the initial token distribution. Centralization risks are vulnerabilities that can be exploited both by malicious developers of a project as well as malicious outside attackers and are a single point of failure within a DeFi protocol. Centralization in projects can present a major risk to crypto projects. For more information on centralization risks, read our blog What is Centralization Risk?

A CertiK Audit can recognize and neutralize incidents before malicious actors can exploit and steal funds. Protect yourself and your assets by following @CertiKAlert on Twitter to stay up to date on all the latest Web3 security news, visiting certik.com and skynet.certik.com as part of your due diligence.