$32 000 000 USD

MARCH 2021

GLOBAL

MEERKAT FINANCE

DESCRIPTION OF EVENTS

"Meerkat Finance was a protocol that focused on yield farming. It replicated the popular DeFi platform Yearn.Finance, although the former launched on Binance Smart Chain. On the other hand, Yearn uses the Ethereum blockchain, which is the most popular smart contract network for DeFi applications." "Meerkat was a yield vault project that forked Yearn.Finance’s code — one of many forks of Ethereum-native protocols that populate BSC."

"The DeFi project was drained of 13.96 million BUSD and 73,653 BNB (both Binance tokens), adding up to over $31 million in total." "This DeFi investment platform was barely debuting on the Binance Smart Chain (BSC) when the supposed hack happened." "Decentralized finance project Meerkat Finance has claimed it was drained of $31 million in crypto assets just one day after launching on the Binance Smart Chain." "The team behind Meerkat Finance, a yield farming pool running on the Binance Smart Chain that went live just one day ago, claimed in its official Telegram channel around 9:00 UTC on Thursday that its smart contract vault was compromised."

"The Meerkat’s BNB-BUSD Vault 1 was compromised. According to the reports, the hackers changed the ownership of the smart contract and started to withdraw the funds available there. This way, around $17.67m in BNB and $13.9 in BUSD were robbed."

"However, there are suspicions it may not be a simple case of a hack, as on-chain data points to the original Meerkat deployer’s account being used to alter the smart contract, per the report. Unless the project’s private key was compromised, this suggests it being carried out by Meerkat itself." "Backing up fears of an exit scam are the disappearance of Meerkat’s website and Twitter profile." "The Meerkat team initially responded to the transactions, claiming they were the result of an external hack. However, they have since been silent, with users unable to access the MKAT application or website." “This may be the largest fraud project on the Binance Smart Blockchain,” tweeted Wu Blockchain, a prominent Chinese crypto blogger.

"Distressed users reached out to Binance CEO Changpeng Zhao, hoping that the CEO can track down the money. CZ has not replied to any comment on Twitter." "A Binance representative said in the exchange's official Chinese Telegram channel that they have noticed the abnormality of the Meerkat project and are working with auditing firms Certik, PeckShield and Slowmist to investigate." "It appears that victims have formed a 'Meerkat_Rugpull' chat group on Telegram to post updates on the issue with 135 members already."

"At 5:30 AM UTC today, a Meerkat Finance developer identifying themselves as “Jamboo” posted a short message in a newly-created Telegram channel, “Meerkatrefunds.” In it, Jamboo said that the exploit was a “trial” testing user's greed and “subjectivity,” and that the team was preparing to refund all victims." "Jamboo provided proof of their association with Meerkat by sending a small transaction from the Meerkat deployer, demonstrating that they have access to the exploited contract (or communicates with someone who does). The transaction was processed on the Binance Smart Chain network roughly twenty minutes after Jamboo’s Telegram post."

"Members of the Meerkat Finance team carried out the exploit with a compromised smart contract using a key that belonged to the Meerkat Finance development team. This allowed the attackers, internal Meerkat Finance developers, to change the core business logic and withdraw users' funds from the project's vaults and distribute them to new addresses in an attempt to run away with the stolen funds." "[T]he activity on the hacker addresses shows that the transactions are primarily conducted using DeFi avenues like PancakeSwap instead of moving to a centralized exchange."

"The legal team at Binance began the preparations for the legal pursuit of the suspect and any co-conspirators and sent a legal notice to the identified perpetrator, informing about the upcoming legal action. The attacker used the internal key in this exploit, which indicates that this might have been an inside job rather than an external attack."

"Shortly after the incident, Meerkat Finance launched a refund program under heavy pressure from the BSC community and its partners. Although the procedure is a bit complex and requires victims to interact directly with a new smart contract, as of this moment, at least 95% (~$30m) of users' losses have been recovered successfully, with ongoing distributions to remaining victims." "This is historically the largest recovery of funds the Binance security team has participated in. We believe that every victim of this rug pull will receive their stolen funds back."

"In the past, the Binance security team has helped numerous community members recover lost funds, including a near-complete recovery of funds lost in another DeFi scam, valued at an estimated $344,000 USD, in November 2020."

The team at Meerkat Finance launched a smart contract that could be upgraded by whoever held a single private key, and the team held that key. They then used it to upgrade the contract so that they could withdraw all of the funds.

It was only through the involvement of the Binance team that affected users were able to get their funds back.

HOW COULD THIS HAVE BEEN PREVENTED?

Any backdoor into a smart contract, such as an upgrade path controlled by a single owner key, deserves particular scrutiny. In the wrong hands, it allows the contract's logic to be modified maliciously, which is exactly what happened here.

As with any privileged key, multi-signature control over administrative functions and proper offline storage of the keys are of paramount importance.
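As an added illustration (this is not Meerkat's contract, whose source is not on this page), the following hypothetical Solidity vault shows the mitigation described above: the only privileged action, switching the strategy that vault funds may be sent to, must be announced on-chain and can execute only after a delay, and the admin address is expected to be a multisig rather than a single key, so a malicious change is visible to depositors before it can take effect.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical vault: the only privileged action (switching the strategy
// that may receive vault funds) must be queued on-chain and can execute
// only after DELAY. `admin` is meant to be a multisig, never one hot key.
contract TimelockedVault {
    uint256 public constant DELAY = 2 days;
    address public admin;      // multisig address supplied at deployment
    address public strategy;   // the only address funds may be sent to
    mapping(address => uint256) public balances;
    // keccak256(newStrategy) => earliest execution time (0 = not queued)
    mapping(bytes32 => uint256) public queuedUntil;
    event StrategyQueued(address indexed newStrategy, uint256 eta);
    event StrategyChanged(address indexed newStrategy);

    constructor(address multisigAdmin, address initialStrategy) {
        admin = multisigAdmin;
        strategy = initialStrategy;
    }
    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }
    function deposit() external payable { balances[msg.sender] += msg.value; }

    // Depositors can always withdraw what is idle in the vault.
    function withdraw(uint256 amount) external {
        balances[msg.sender] -= amount;   // reverts on underflow (0.8+)
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
    // Admin can only move idle funds to the publicly announced strategy.
    function invest(uint256 amount) external onlyAdmin {
        (bool ok, ) = strategy.call{value: amount}("");
        require(ok, "invest failed");
    }
    // Step 1: announce the change; the event gives depositors DELAY to exit.
    function queueStrategy(address newStrategy) external onlyAdmin {
        bytes32 id = keccak256(abi.encodePacked(newStrategy));
        queuedUntil[id] = block.timestamp + DELAY;
        emit StrategyQueued(newStrategy, queuedUntil[id]);
    }
    // Step 2: apply it only after the delay; an unqueued address is refused.
    function executeStrategy(address newStrategy) external onlyAdmin {
        bytes32 id = keccak256(abi.encodePacked(newStrategy));
        uint256 eta = queuedUntil[id];
        require(eta != 0 && block.timestamp >= eta, "timelock not expired");
        delete queuedUntil[id];
        strategy = newStrategy;
        emit StrategyChanged(newStrategy);
    }
}
```

With this layout a compromised or malicious admin key can at most queue a change that everyone can see for two days, and depositors who distrust the new strategy can withdraw before it is executed.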

© 2021 Quadriga Initiative.