Meerkat Finance Rug Pull: Difference between revisions
(Created page with "{{Imported Case Study|source=https://www.quadrigainitiative.com/casestudy/meerkatfinancerugpull.php}} thumb|Meerkat FinanceThe team at Meerkat Finance launched a smart contract which enabled future upgrades based on a private key they held. They then used the private key to upgrade the contract such that they could withdraw all of the funds. It was only through the involvement of the Binance team that affected users were able to get their funds bac...") |
No edit summary |
||
| Line 1: | Line 1: | ||
{{Imported Case Study|source=https://www.quadrigainitiative.com/casestudy/meerkatfinancerugpull.php}} | {{Imported Case Study|source=https://www.quadrigainitiative.com/casestudy/meerkatfinancerugpull.php}} | ||
{{Unattributed Citations}} | |||
[[File:Meerkat.jpg|thumb|Meerkat Finance]]The team at Meerkat Finance launched a smart contract which enabled future upgrades based on a private key they held. They then used the private key to upgrade the contract such that they could withdraw all of the funds. | [[File:Meerkat.jpg|thumb|Meerkat Finance]]The team at Meerkat Finance launched a smart contract which enabled future upgrades based on a private key they held. They then used the private key to upgrade the contract such that they could withdraw all of the funds. | ||
| Line 6: | Line 7: | ||
This is a global/international case not involving a specific country. | This is a global/international case not involving a specific country. | ||
<ref name="rekt-513" /><ref name="rekt-647" /><ref name="coindesk-648" /><ref name="cointelegraph-649" /><ref name="yahoonews-650" /><ref name="decrypt-651" /><ref name="theblockcrypto-652" /><ref name="coingeek-653" /><ref name="cryptobriefing-654" /><ref name="alfablog-655" /><ref name="investingdotcom-656" /><ref name="beincrypto-657" /><ref name="binancesocial-658" /><ref name="blockchaindotcom-1149" /><ref name="slowmisthacked-678" /> | |||
== About Meerkat Finance == | == About Meerkat Finance == | ||
| Line 43: | Line 45: | ||
Don't Include: | Don't Include: | ||
* Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed. | * Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed. | ||
* Anything that wasn't reasonably knowable at the time of the event. | * Anything that wasn't reasonably knowable at the time of the event. | ||
| Line 65: | Line 66: | ||
|- | |- | ||
|March 4th, 2021 12:00:00 AM | |March 4th, 2021 12:00:00 AM | ||
| | |Main Event | ||
| | |Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here. | ||
|- | |- | ||
| | | | ||
| Line 78: | Line 75: | ||
== Total Amount Lost == | == Total Amount Lost == | ||
The total amount lost | The total amount lost has been estimated at $32,000,000 USD. | ||
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie? | How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie? | ||
| Line 89: | Line 86: | ||
== Total Amount Recovered == | == Total Amount Recovered == | ||
There do not appear to have been any funds recovered in this case. | |||
What funds were recovered? What funds were reimbursed for those affected users? | What funds were recovered? What funds were reimbursed for those affected users? | ||
| Line 102: | Line 99: | ||
== References == | == References == | ||
[https://rekt.news/leaderboard/ Rekt - Leaderboard] (May 12) | <references><ref name="rekt-513">[https://rekt.news/leaderboard/ Rekt - Leaderboard] (May 12, 2021)</ref> | ||
[https://rekt.news/meerkat-finance-bsc-rekt/ Rekt - Meerkat Finance - BSC - REKT] (May 15) | <ref name="rekt-647">[https://rekt.news/meerkat-finance-bsc-rekt/ Rekt - Meerkat Finance - BSC - REKT] (May 15, 2021)</ref> | ||
[https://www.coindesk.com/defi-project-meerkat-raises-eyebrows-with-claimed-31m-hack-a-day-after-launch DeFi Project Meerkat Raises Eyebrows With Claimed $31M Hack a Day After Launch - CoinDesk] (May 16) | <ref name="coindesk-648">[https://www.coindesk.com/defi-project-meerkat-raises-eyebrows-with-claimed-31m-hack-a-day-after-launch DeFi Project Meerkat Raises Eyebrows With Claimed $31M Hack a Day After Launch - CoinDesk] (May 16, 2021)</ref> | ||
[https://cointelegraph.com/news/dev-says-31-million-meerkat-finance-exploit-was-a-test-will-return-funds Dev says $31 million Meerkat Finance exploit was a ‘test’; will return funds] (May 16) | <ref name="cointelegraph-649">[https://cointelegraph.com/news/dev-says-31-million-meerkat-finance-exploit-was-a-test-will-return-funds Dev says $31 million Meerkat Finance exploit was a ‘test’; will return funds] (May 16, 2021)</ref> | ||
[https://ca.news.yahoo.com/defi-project-meerkat-raises-eyebrows-144425368.html DeFi Project Meerkat Raises Eyebrows With Claimed $31M Hack a Day After Launch] (May 16) | <ref name="yahoonews-650">[https://ca.news.yahoo.com/defi-project-meerkat-raises-eyebrows-144425368.html DeFi Project Meerkat Raises Eyebrows With Claimed $31M Hack a Day After Launch] (May 16, 2021)</ref> | ||
[https://decrypt.co/60242/binance-chain-defi-meerkat-finance-hack-rug-pull Binance Chain DeFi Project ‘Loses’ $31 Million a Day After Launch - Decrypt] (May 16) | <ref name="decrypt-651">[https://decrypt.co/60242/binance-chain-defi-meerkat-finance-hack-rug-pull Binance Chain DeFi Project ‘Loses’ $31 Million a Day After Launch - Decrypt] (May 16, 2021)</ref> | ||
[https://www.theblockcrypto.com/linked/97082/rug-pull-defi-meerkat-31-million Rug pull? DeFi project Meerkat drained by $31M on Binance Smart Chain] (May 16) | <ref name="theblockcrypto-652">[https://www.theblockcrypto.com/linked/97082/rug-pull-defi-meerkat-31-million Rug pull? DeFi project Meerkat drained by $31M on Binance Smart Chain] (May 16, 2021)</ref> | ||
[https://coingeek.com/200-million-stolen-5-days-via-defi/ $200 million stolen in 5 days via DeFi - CoinGeek] (May 16) | <ref name="coingeek-653">[https://coingeek.com/200-million-stolen-5-days-via-defi/ $200 million stolen in 5 days via DeFi - CoinGeek] (May 16, 2021)</ref> | ||
[https://cryptobriefing.com/binance-smart-chain-defi-project-hacked-31-million/ Binance Smart Chain DeFi Project Hacked for $31 Million | Crypto Briefing] (May 16) | <ref name="cryptobriefing-654">[https://cryptobriefing.com/binance-smart-chain-defi-project-hacked-31-million/ Binance Smart Chain DeFi Project Hacked for $31 Million | Crypto Briefing] (May 16, 2021)</ref> | ||
[https://blog.alfa.cash/2021/03/06/defi-attackers-go-big-68m-hacked-meerkat-paid/ DeFi attackers go big: over $68m were hacked to Meerkat and Paid] (May 16) | <ref name="alfablog-655">[https://blog.alfa.cash/2021/03/06/defi-attackers-go-big-68m-hacked-meerkat-paid/ DeFi attackers go big: over $68m were hacked to Meerkat and Paid] (May 16, 2021)</ref> | ||
[https://www.investing.com/news/cryptocurrency-news/meerkat-finance-alleged-of-31m-exit-scam-after-bsc-launch-2438497 Meerkat Finance Alleged of $31m Exit Scam After BSC Launch] (May 16) | <ref name="investingdotcom-656">[https://www.investing.com/news/cryptocurrency-news/meerkat-finance-alleged-of-31m-exit-scam-after-bsc-launch-2438497 Meerkat Finance Alleged of $31m Exit Scam After BSC Launch] (May 16, 2021)</ref> | ||
[https://beincrypto.com/defi-project-meerkat-suspected-of-31-million-rug-pull/ DeFi Project Meerkat Suspected of $31 Million Rug-Pull - BeInCrypto] (May 16) | <ref name="beincrypto-657">[https://beincrypto.com/defi-project-meerkat-suspected-of-31-million-rug-pull/ DeFi Project Meerkat Suspected of $31 Million Rug-Pull - BeInCrypto] (May 16, 2021)</ref> | ||
[https://binancesocial.com/how-binance-security-team-helped-recover-30m-funds-from-meerkat-finance-hack-0513681 How Binance Security team helped recover $30M funds from Meerkat Finance Hack] (May 16) | <ref name="binancesocial-658">[https://binancesocial.com/how-binance-security-team-helped-recover-30m-funds-from-meerkat-finance-hack-0513681 How Binance Security team helped recover $30M funds from Meerkat Finance Hack] (May 16, 2021)</ref> | ||
[https://itsblockchain.com/binance-smart-chain-rug-pulls/ Binance Smart Chain or Binance Scam Chain?- Here's what you need to know | ItsBlockchain] (Jun 19) | <ref name="blockchaindotcom-1149">[https://itsblockchain.com/binance-smart-chain-rug-pulls/ Binance Smart Chain or Binance Scam Chain?- Here's what you need to know | ItsBlockchain] (Jun 19, 2021)</ref> | ||
[https://hacked.slowmist.io/en/?c=ETH%20DApp SlowMist Hacked - SlowMist Zone] (May 17) | <ref name="slowmisthacked-678">[https://hacked.slowmist.io/en/?c=ETH%20DApp SlowMist Hacked - SlowMist Zone] (May 17, 2021)</ref></references> | ||
Revision as of 13:57, 17 February 2023
Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' section to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!
The team at Meerkat Finance launched a smart contract which enabled future upgrades based on a private key they held. They then used the private key to upgrade the contract such that they could withdraw all of the funds.
It was only through the involvement of the Binance team that affected users were able to get their funds back.
This is a global/international case not involving a specific country. [1][2][3][4][5][6][7][8][9][10][11][12][13][14][15]
About Meerkat Finance
"Meerkat Finance was a protocol that focused on yield farming. It replicated the popular DeFi platform Yearn.Finance, although the former launched on Binance Smart Chain. On the other hand, Yearn uses the Ethereum blockchain, which is the most popular smart contract network for DeFi applications." "Meerkat was a yield vault project that forked Yearn.Finance’s code — one of many forks of Ethereum-native protocols that populate BSC."
"The DeFi project was drained of 13.96 million BUSD and 73,653 BNB (both Binance tokens), adding up to over $31 million in total." "This DeFi investment platform was barely debuting on the Binance Smart Chain (BSC) when the supposed hack happened." "Decentralized finance project Meerkat Finance has claimed it was drained of $31 million in crypto assets just one day after launching on the Binance Smart Chain." "The team behind Meerkat Finance, a yield farming pool running on the Binance Smart Chain that went live just one day ago, claimed in its official Telegram channel around 9:00 UTC on Thursday that its smart contract vault was compromised."
"The Meerkat’s BNB-BUSD Vault 1 was compromised. According to the reports, the hackers changed the ownership of the smart contract and started to withdraw the funds available there. This way, around $17.67m in BNB and $13.9 in BUSD were robbed."
"However, there are suspicions it may not be a simple case of a hack, as on-chain data points to the original Meerkat deployer’s account being used to alter the smart contract, per the report. Unless the project’s private key was compromised, this suggests it being carried out by Meerkat itself." "Backing up fears of an exit scam are the disappearance of Meerkat’s website and Twitter profile." "The Meerkat team initially responded to the transactions, claiming they were the result of an external hack. However, they have since been silent, with users unable to access the MKAT application or website." “This may be the largest fraud project on the Binance Smart Blockchain,” tweeted Wu Blockchain, a prominent Chinese crypto blogger.
"Distressed users reached out to Binance CEO Chanpeng Zhao, hoping that the CEO can track down the money. CZ has not replied to any comment on Twitter." "A Binance representative said in the exchange's official Chinese Telegram channel that they have noticed the abnormality of the Meerkat project and is working with auditing firms Certik, PeckShield and Slowmist to investigate." "It appears that victims have formed a "Meerkat_Rugpull" chat group on Telegram to post updates on the issue with 135 members already."
"At 5:30 AM UTC today, a Meerkat Finance developer identifying themselves as “Jamboo” posted a short message in a newly-created Telegram channel, “Meerkatrefunds.” In it, Jamboo said that the exploit was a “trial” testing user's greed and “subjectivity,” and that the team was preparing to refund all victims." "Jamboo provided proof of their association with Meerkat by sending a small transaction from the Meerkat deployer, demonstrating that they have access to the exploited contract (or communicates with someone who does). The transaction was processed on the Binance Smart Chain network roughly twenty minutes after Jamboo’s Telegram post."
"Members of the Meerkat Finance team carried out the exploit with a compromised smart contract using a key that belonged to the Meerkat Finance development team. This allowed the attackers, internal Meerkat Finance developers, to change the core business logic and withdraw users funds from the projects vaults and distribute them to new addresses in an attempt to run away with the stolen funds." "[T]he activity on the hacker addresses shows that the transactions are primarily conducted using DeFi avenues like PancakeSwap instead of moving to a centralized exchange."
"The legal team at Binance began the preparations for the legal pursuit of the suspect and any co-conspirators and sent a legal notice to the identified perpetrator, informing about the upcoming legal action. The attacker used the internal key in this exploit, which indicates that this might have been an inside job rather than an external attack."
"Shortly after the incident, Meerkat Finance launched a refund program under heavy pressure from the BSC community and its partners. Although the procedure is a bit complex and requires victims to interact directly with a new smart contract, as of this moment, at least 95% (~$30m) of users losses have been recovered successfully, with ongoing distributions to remaining victims." "This is historically the largest recovery of funds the Binance security team has participated in. We believe that every victim of this rug pull will receive their stolen funds back."
"In the past, the Binance security team has helped numerous community members recover lost funds, including a near-complete recovery of funds lost in another DeFi scam, valued at an estimated $344,000 USD, in November 2020."
This is a global/international case not involving a specific country.
The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.
Include:
- Known history of when and how the service was started.
- What problems does the company or service claim to solve?
- What marketing materials were used by the firm or business?
- Audits performed, and excerpts that may have been included.
- Business registration documents shown (fake or legitimate).
- How were people recruited to participate?
- Public warnings and announcements prior to the event.
Don't Include:
- Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
- Anything that wasn't reasonably knowable at the time of the event.
There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.
The Reality
This sections is included if a case involved deception or information that was unknown at the time. Examples include:
- When the service was actually started (if different than the "official story").
- Who actually ran a service and their own personal history.
- How the service was structured behind the scenes. (For example, there was no "trading bot".)
- Details of what audits reported and how vulnerabilities were missed during auditing.
What Happened
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
| Date | Event | Description |
|---|---|---|
| March 4th, 2021 12:00:00 AM | Main Event | Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here. |
Total Amount Lost
The total amount lost has been estimated at $32,000,000 USD.
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?
Immediate Reactions
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?
Ultimate Outcome
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
What funds were recovered? What funds were reimbursed for those affected users?
Ongoing Developments
What parts of this case are still remaining to be concluded?
Prevention Policies
Of particular concern should be any backdoors into smart contracts which exist. In the wrong hands, these could enable a malicious modification of the contract.
Like anything else, the use of multi-signature setups and proper offline storage of keys are of paramount importance.
References
- ↑ Rekt - Leaderboard (May 12, 2021)
- ↑ Rekt - Meerkat Finance - BSC - REKT (May 15, 2021)
- ↑ DeFi Project Meerkat Raises Eyebrows With Claimed $31M Hack a Day After Launch - CoinDesk (May 16, 2021)
- ↑ Dev says $31 million Meerkat Finance exploit was a ‘test’; will return funds (May 16, 2021)
- ↑ DeFi Project Meerkat Raises Eyebrows With Claimed $31M Hack a Day After Launch (May 16, 2021)
- ↑ Binance Chain DeFi Project ‘Loses’ $31 Million a Day After Launch - Decrypt (May 16, 2021)
- ↑ Rug pull? DeFi project Meerkat drained by $31M on Binance Smart Chain (May 16, 2021)
- ↑ $200 million stolen in 5 days via DeFi - CoinGeek (May 16, 2021)
- ↑ Binance Smart Chain DeFi Project Hacked for $31 Million | Crypto Briefing (May 16, 2021)
- ↑ DeFi attackers go big: over $68m were hacked to Meerkat and Paid (May 16, 2021)
- ↑ Meerkat Finance Alleged of $31m Exit Scam After BSC Launch (May 16, 2021)
- ↑ DeFi Project Meerkat Suspected of $31 Million Rug-Pull - BeInCrypto (May 16, 2021)
- ↑ Binance Smart Chain or Binance Scam Chain?- Here's what you need to know | ItsBlockchain (Jun 19, 2021)
- ↑ SlowMist Hacked - SlowMist Zone (May 17, 2021)