Kannagi Finance: Insider rug — privileged admin withdrawal on behalf of users (MainChef address)

Summary #

Kannagi Finance suffered a Yield Aggregator on 2023-07-29, resulting in a loss of approximately $1M.

What happened #

Kannagi Finance was a yield aggregator on zkSync Era with $2.1M TVL. The protocol had been audited twice and was endorsed (via a now-deleted giveaway tweet) by SyncSwap, the leading zkSync DEX.

Linked factors #

• RD-F-006 — causal : Audit-deploy gap — alternate field name [via dashboard_risk_factors/Code newly deployed/upgraded?: Y — newly launched]
• RD-F-007 — causal : Direct: bug bounty presence + max payout [via cross-hack: Factor 9: No Bug Bounty Program] || Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: None]
• RD-F-008 — causal : Ignored disclosure — closest [via cross-hack: Factor 19: Audit Finding Not Communicated to Team]
• RD-F-043 — causal : ★ Admin = deployer EOA + no multisig transfer within 7 days [via cross-hack: Factor 24: Retained Developer Admin Role Post-Deployment]
• RD-F-076 — related : Protocol age (Cat 5 — < 6 months age signal) [via dashboard_risk_factors/Protocol age: Launched ~weeks before rug; newly deployed]
• RD-F-101 — illustrative : Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action (Y/N): Y — the privileged withdrawal was the attack mechanism itself]
• RD-F-111 — causal : Team doxx status — pseudonymous-no-track-record class [via dashboard_risk_factors/Team anonymity: Fully anonymous]
• RD-F-122 — related : Contributor paid to wallet routing to known DPRK cluster [via cross-hack: Factor 34: Suspected Insider Involvement]
• RD-F-123 — causal : ★ Sudden admin-rescue / ACL change absent issue/PR discussion [via cross-hack: Factor 34: Suspected Insider Involvement]