Meerkat Finance Rug Pull

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 23:25, 25 January 2023 by Azoundria (talk | contribs) (Created page with "{{Imported Case Study|source=https://www.quadrigainitiative.com/casestudy/meerkatfinancerugpull.php}} thumb|Meerkat FinanceThe team at Meerkat Finance launched a smart contract which enabled future upgrades based on a private key they held. They then used the private key to upgrade the contract such that they could withdraw all of the funds. It was only through the involvement of the Binance team that affected users were able to get their funds bac...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' section to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Meerkat Finance

The team at Meerkat Finance launched a smart contract which enabled future upgrades based on a private key they held. They then used the private key to upgrade the contract such that they could withdraw all of the funds.

It was only through the involvement of the Binance team that affected users were able to get their funds back.

This is a global/international case not involving a specific country.

About Meerkat Finance

"Meerkat Finance was a protocol that focused on yield farming. It replicated the popular DeFi platform Yearn.Finance, although the former launched on Binance Smart Chain. On the other hand, Yearn uses the Ethereum blockchain, which is the most popular smart contract network for DeFi applications." "Meerkat was a yield vault project that forked Yearn.Finance’s code — one of many forks of Ethereum-native protocols that populate BSC."

"The DeFi project was drained of 13.96 million BUSD and 73,653 BNB (both Binance tokens), adding up to over $31 million in total." "This DeFi investment platform was barely debuting on the Binance Smart Chain (BSC) when the supposed hack happened." "Decentralized finance project Meerkat Finance has claimed it was drained of $31 million in crypto assets just one day after launching on the Binance Smart Chain." "The team behind Meerkat Finance, a yield farming pool running on the Binance Smart Chain that went live just one day ago, claimed in its official Telegram channel around 9:00 UTC on Thursday that its smart contract vault was compromised."

"The Meerkat’s BNB-BUSD Vault 1 was compromised. According to the reports, the hackers changed the ownership of the smart contract and started to withdraw the funds available there. This way, around $17.67m in BNB and $13.9 in BUSD were robbed."

"However, there are suspicions it may not be a simple case of a hack, as on-chain data points to the original Meerkat deployer’s account being used to alter the smart contract, per the report. Unless the project’s private key was compromised, this suggests it being carried out by Meerkat itself." "Backing up fears of an exit scam are the disappearance of Meerkat’s website and Twitter profile." "The Meerkat team initially responded to the transactions, claiming they were the result of an external hack. However, they have since been silent, with users unable to access the MKAT application or website." “This may be the largest fraud project on the Binance Smart Blockchain,” tweeted Wu Blockchain, a prominent Chinese crypto blogger.

"Distressed users reached out to Binance CEO Chanpeng Zhao, hoping that the CEO can track down the money. CZ has not replied to any comment on Twitter." "A Binance representative said in the exchange's official Chinese Telegram channel that they have noticed the abnormality of the Meerkat project and is working with auditing firms Certik, PeckShield and Slowmist to investigate." "It appears that victims have formed a "Meerkat_Rugpull" chat group on Telegram to post updates on the issue with 135 members already."

"At 5:30 AM UTC today, a Meerkat Finance developer identifying themselves as “Jamboo” posted a short message in a newly-created Telegram channel, “Meerkatrefunds.” In it, Jamboo said that the exploit was a “trial” testing user's greed and “subjectivity,” and that the team was preparing to refund all victims." "Jamboo provided proof of their association with Meerkat by sending a small transaction from the Meerkat deployer, demonstrating that they have access to the exploited contract (or communicates with someone who does). The transaction was processed on the Binance Smart Chain network roughly twenty minutes after Jamboo’s Telegram post."

"Members of the Meerkat Finance team carried out the exploit with a compromised smart contract using a key that belonged to the Meerkat Finance development team. This allowed the attackers, internal Meerkat Finance developers, to change the core business logic and withdraw users funds from the projects vaults and distribute them to new addresses in an attempt to run away with the stolen funds." "[T]he activity on the hacker addresses shows that the transactions are primarily conducted using DeFi avenues like PancakeSwap instead of moving to a centralized exchange."

"The legal team at Binance began the preparations for the legal pursuit of the suspect and any co-conspirators and sent a legal notice to the identified perpetrator, informing about the upcoming legal action. The attacker used the internal key in this exploit, which indicates that this might have been an inside job rather than an external attack."

"Shortly after the incident, Meerkat Finance launched a refund program under heavy pressure from the BSC community and its partners. Although the procedure is a bit complex and requires victims to interact directly with a new smart contract, as of this moment, at least 95% (~$30m) of users losses have been recovered successfully, with ongoing distributions to remaining victims." "This is historically the largest recovery of funds the Binance security team has participated in. We believe that every victim of this rug pull will receive their stolen funds back."

"In the past, the Binance security team has helped numerous community members recover lost funds, including a near-complete recovery of funds lost in another DeFi scam, valued at an estimated $344,000 USD, in November 2020."

This is a global/international case not involving a specific country.

The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

  • Known history of when and how the service was started.
  • What problems does the company or service claim to solve?
  • What marketing materials were used by the firm or business?
  • Audits performed, and excerpts that may have been included.
  • Business registration documents shown (fake or legitimate).
  • How were people recruited to participate?
  • Public warnings and announcements prior to the event.

Don't Include:

  • Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
  • Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

The Reality

This sections is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - Meerkat Finance Rug Pull
Date Event Description
March 4th, 2021 12:00:00 AM First Event This is an expanded description of what happened and the impact. If multiple lines are necessary, add them here.

Total Amount Lost

The total amount lost is unknown.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

It is unknown how much was recovered.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Prevention Policies

Of particular concern should be any backdoors into smart contracts which exist. In the wrong hands, these could enable a malicious modification of the contract.

Like anything else, the use of multi-signature setups and proper offline storage of keys are of paramount importance.

References

Rekt - Leaderboard (May 12)

Rekt - Meerkat Finance - BSC - REKT (May 15)

DeFi Project Meerkat Raises Eyebrows With Claimed $31M Hack a Day After Launch - CoinDesk (May 16)

Dev says $31 million Meerkat Finance exploit was a ‘test’; will return funds (May 16)

DeFi Project Meerkat Raises Eyebrows With Claimed $31M Hack a Day After Launch (May 16)

Binance Chain DeFi Project ‘Loses’ $31 Million a Day After Launch - Decrypt (May 16)

Rug pull? DeFi project Meerkat drained by $31M on Binance Smart Chain (May 16)

$200 million stolen in 5 days via DeFi - CoinGeek (May 16)

Binance Smart Chain DeFi Project Hacked for $31 Million | Crypto Briefing (May 16)

DeFi attackers go big: over $68m were hacked to Meerkat and Paid (May 16)

Meerkat Finance Alleged of $31m Exit Scam After BSC Launch (May 16)

DeFi Project Meerkat Suspected of $31 Million Rug-Pull - BeInCrypto (May 16)

How Binance Security team helped recover $30M funds from Meerkat Finance Hack (May 16)

Binance Smart Chain or Binance Scam Chain?- Here's what you need to know | ItsBlockchain (Jun 19)

SlowMist Hacked - SlowMist Zone (May 17)