QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
$32 000 000 USD
MARCH 2021
GLOBAL
MEERKAT FINANCE
DESCRIPTION OF EVENTS
"Meerkat Finance was a protocol that focused on yield farming. It replicated the popular DeFi platform Yearn.Finance, although the former launched on Binance Smart Chain. On the other hand, Yearn uses the Ethereum blockchain, which is the most popular smart contract network for DeFi applications." "Meerkat was a yield vault project that forked Yearn.Finance’s code — one of many forks of Ethereum-native protocols that populate BSC."
"The DeFi project was drained of 13.96 million BUSD and 73,653 BNB (both Binance tokens), adding up to over $31 million in total." "This DeFi investment platform was barely debuting on the Binance Smart Chain (BSC) when the supposed hack happened." "Decentralized finance project Meerkat Finance has claimed it was drained of $31 million in crypto assets just one day after launching on the Binance Smart Chain." "The team behind Meerkat Finance, a yield farming pool running on the Binance Smart Chain that went live just one day ago, claimed in its official Telegram channel around 9:00 UTC on Thursday that its smart contract vault was compromised."
"The Meerkat’s BNB-BUSD Vault 1 was compromised. According to the reports, the hackers changed the ownership of the smart contract and started to withdraw the funds available there. This way, around $17.67m in BNB and $13.9 in BUSD were robbed."
"However, there are suspicions it may not be a simple case of a hack, as on-chain data points to the original Meerkat deployer’s account being used to alter the smart contract, per the report. Unless the project’s private key was compromised, this suggests it being carried out by Meerkat itself." "Backing up fears of an exit scam are the disappearance of Meerkat’s website and Twitter profile." "The Meerkat team initially responded to the transactions, claiming they were the result of an external hack. However, they have since been silent, with users unable to access the MKAT application or website." “This may be the largest fraud project on the Binance Smart Blockchain,” tweeted Wu Blockchain, a prominent Chinese crypto blogger.
"Distressed users reached out to Binance CEO Changpeng Zhao, hoping that the CEO can track down the money. CZ has not replied to any comment on Twitter." "A Binance representative said in the exchange's official Chinese Telegram channel that they have noticed the abnormality of the Meerkat project and are working with auditing firms Certik, PeckShield and Slowmist to investigate." "It appears that victims have formed a "Meerkat_Rugpull" chat group on Telegram to post updates on the issue with 135 members already."
"At 5:30 AM UTC today, a Meerkat Finance developer identifying themselves as “Jamboo” posted a short message in a newly-created Telegram channel, “Meerkatrefunds.” In it, Jamboo said that the exploit was a “trial” testing user's greed and “subjectivity,” and that the team was preparing to refund all victims." "Jamboo provided proof of their association with Meerkat by sending a small transaction from the Meerkat deployer, demonstrating that they have access to the exploited contract (or communicates with someone who does). The transaction was processed on the Binance Smart Chain network roughly twenty minutes after Jamboo’s Telegram post."
"Members of the Meerkat Finance team carried out the exploit with a compromised smart contract using a key that belonged to the Meerkat Finance development team. This allowed the attackers, internal Meerkat Finance developers, to change the core business logic and withdraw users' funds from the project's vaults and distribute them to new addresses in an attempt to run away with the stolen funds." "[T]he activity on the hacker addresses shows that the transactions are primarily conducted using DeFi avenues like PancakeSwap instead of moving to a centralized exchange."
"The legal team at Binance began the preparations for the legal pursuit of the suspect and any co-conspirators and sent a legal notice to the identified perpetrator, informing about the upcoming legal action. The attacker used the internal key in this exploit, which indicates that this might have been an inside job rather than an external attack."
"Shortly after the incident, Meerkat Finance launched a refund program under heavy pressure from the BSC community and its partners. Although the procedure is a bit complex and requires victims to interact directly with a new smart contract, as of this moment, at least 95% (~$30m) of users' losses have been recovered successfully, with ongoing distributions to remaining victims." "This is historically the largest recovery of funds the Binance security team has participated in. We believe that every victim of this rug pull will receive their stolen funds back."
"In the past, the Binance security team has helped numerous community members recover lost funds, including a near-complete recovery of funds lost in another DeFi scam, valued at an estimated $344,000 USD, in November 2020."
The team at Meerkat Finance launched a smart contract which enabled future upgrades based on a private key they held. They then used the private key to upgrade the contract such that they could withdraw all of the funds.
It was only through the involvement of the Binance team that affected users were able to get their funds back.
HOW COULD THIS HAVE BEEN PREVENTED?
Any backdoor that exists in a smart contract should be of particular concern, including an upgrade mechanism controlled by a private key, as was the case here. In the wrong hands, such a backdoor enables a malicious modification of the contract.
As with anything else that controls funds, multi-signature setups and proper offline storage of keys are of paramount importance.
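One way to check for this kind of upgrade backdoor before depositing, as an added example that is not from the original page or from Meerkat's code. It assumes the vault is a proxy following EIP-1967 (the page does not say which upgrade pattern Meerkat used); all addresses and chain state below are constructed.

```python
# Classify who controls upgrades of an EIP-1967 proxy (assumed pattern).
# Chain reads are injected, so the same logic runs against JSON-RPC
# (eth_getStorageAt / eth_getCode) or the constructed state below.
IMPL_SLOT = "0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc"
ADMIN_SLOT = "0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a2c5c1fd5d6103"
ZERO = "0x" + "00" * 20

def slot_to_address(word):
    """An address occupies the low 20 bytes of a 32-byte storage word."""
    return "0x" + word[2:].rjust(64, "0")[-40:].lower()

def assess_upgrade_authority(proxy, get_storage, get_code):
    """Return (verdict, admin, implementation) for one contract address."""
    impl = slot_to_address(get_storage(proxy, IMPL_SLOT))
    admin = slot_to_address(get_storage(proxy, ADMIN_SLOT))
    if impl == ZERO and admin == ZERO:
        return ("no-eip1967-slots", admin, impl)  # other pattern, or not a proxy
    if admin == ZERO:
        return ("no-proxy-admin", admin, impl)  # upgrade logic may live elsewhere
    if get_code(admin) in ("", "0x"):
        # No bytecode at the admin address: an externally owned account,
        # so one private key can replace the vault logic at any time.
        return ("single-key-admin", admin, impl)
    # Admin is a contract (proxy admin, multisig, timelock): its owner or
    # signer set still has to be reviewed before it is trusted.
    return ("contract-admin", admin, impl)

# Constructed state, not real chain data: two hypothetical vault proxies.
DEPLOYER_EOA = "0x" + "a1" * 20
MULTISIG = "0x" + "b2" * 20
LOGIC = "0x" + "c3" * 20
VAULT_A, VAULT_B = "0x" + "d4" * 20, "0x" + "e5" * 20
def _word(addr):
    return "0x" + addr[2:].rjust(64, "0")
STORAGE = {
    (VAULT_A, IMPL_SLOT): _word(LOGIC), (VAULT_A, ADMIN_SLOT): _word(DEPLOYER_EOA),
    (VAULT_B, IMPL_SLOT): _word(LOGIC), (VAULT_B, ADMIN_SLOT): _word(MULTISIG),
}
CODE = {MULTISIG: "0x6080", LOGIC: "0x6080"}

def get_storage(addr, slot):
    return STORAGE.get((addr, slot), "0x" + "00" * 32)
def get_code(addr):
    return CODE.get(addr, "0x")

if __name__ == "__main__":
    for vault in (VAULT_A, VAULT_B):
        print(vault, assess_upgrade_authority(vault, get_storage, get_code)[0])
```

A `contract-admin` verdict is not a clean bill of health: the admin contract's own owner may still be a single key, so the same check has to be repeated one level up.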
Rekt - Leaderboard (May 13)
Rekt - Meerkat Finance - BSC - REKT (May 16)
DeFi Project Meerkat Raises Eyebrows With Claimed $31M Hack a Day After Launch - CoinDesk (May 17)
Dev says $31 million Meerkat Finance exploit was a ‘test’; will return funds (May 17)
DeFi Project Meerkat Raises Eyebrows With Claimed $31M Hack a Day After Launch (May 17)
Binance Chain DeFi Project ‘Loses’ $31 Million a Day After Launch - Decrypt (May 17)
Rug pull? DeFi project Meerkat drained by $31M on Binance Smart Chain (May 17)
$200 million stolen in 5 days via DeFi - CoinGeek (May 17)
Binance Smart Chain DeFi Project Hacked for $31 Million | Crypto Briefing (May 17)
DeFi attackers go big: over $68m were hacked to Meerkat and Paid (May 17)
Meerkat Finance Alleged of $31m Exit Scam After BSC Launch (May 17)
DeFi Project Meerkat Suspected of $31 Million Rug-Pull - BeInCrypto (May 17)
How Binance Security team helped recover $30M funds from Meerkat Finance Hack (May 17)
Binance Smart Chain or Binance Scam Chain?- Here's what you need to know | ItsBlockchain (Jun 20)
SlowMist Hacked - SlowMist Zone (May 18)