Kokomo Finance: Insider rug — deployer upgraded implementation to malicious contract → drained WBTC deposits
Kokomo Finance was a lending protocol on Optimism, less than a week old at the time of the rug, with its KOKO token launched just 36 hours before. The attack was conducted by the protocol's own deployer.
Summary
Kokomo Finance, a Lending / Money Market protocol (Compound V2 fork), suffered an insider rug on 2023-03-26, resulting in a loss of approximately $4M.
What happened
Kokomo Finance was a lending protocol on Optimism, less than a week old at the time of the rug, with its KOKO token launched just 36 hours before. The attack was conducted by the protocol's own deployer, who upgraded the implementation to a malicious contract and drained the WBTC deposits.
Linked factors
- RD-F-001 — causal : ★ Audit scope mismatch — alternate field name [via dashboard_risk_factors/Exploited code in scope?: No — the lending/vault contracts were not audited]
- RD-F-004 — causal : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited lending contracts]
- RD-F-006 — causal : Audit-deploy gap — alternate field name [via dashboard_risk_factors/Code newly deployed/upgraded?: Y — newly launched; malicious implementation deployed as part of the attack] || Time between audit end and deploy [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract]
- RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: None]
- RD-F-076 — causal : Protocol age (days since first mainnet deploy) [via cross-hack: Factor 35: Protocol Age < 2 Weeks at Time of Hack]
- RD-F-101 — illustrative : Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action (Y/N): Y — the malicious implementation upgrade is the attack mechanism]
- RD-F-111 — causal : Team doxx status — pseudonymous-no-track-record class [via dashboard_risk_factors/Team anonymity: Fully anonymous]
- RD-F-122 — related : Contributor paid to wallet routing to known DPRK cluster [via cross-hack: Factor 34: Suspected Insider Involvement]
- RD-F-123 — causal : ★ Sudden admin-rescue / ACL change absent issue/PR discussion [via cross-hack: Factor 34: Suspected Insider Involvement]
- RD-F-126 — causal : Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Yes — Compound V2 fork]
- RD-F-127 — related : Upstream Compound has patches that may not be merged here [via dashboard_risk_factors/Forked?: Yes — Compound V2 fork]
- RD-F-141 — related : Test-mode parameters left on in deploy (possibly related) [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract]
- RD-F-146 — related : New deploys in last 30 days (fresh attack surface) [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract]