Kokomo Finance Lending Protocol Exit Scam

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Jump to navigation Jump to search

Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' section to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Kokomo Finance Promotion

Kokomo Finance was a newly launched open-source and non-custodial lending protocol built on Optimism and Arbitrum. It allowed users to lend and borrow digital assets, and its token KOKO had a 14-day genesis mining program. The protocol's audit, conducted by 0xGuard, only covered the token contract, not the entire protocol. Within a week of its launch, the protocol was exploited, resulting in the loss of around $4M, and the project's website, Twitter, GitHub, and Medium accounts were deleted. The attacker targeted the wrapped Bitcoin deposits, and even though $2M of tokens still remain in the project's pools on Optimism, the contracts are paused, and users can't withdraw funds. Kokomo Finance is unlikely to recover.

About Kokomo Finance


"Kokomo Finance [was] an open source and non-custodial lending protocol on Optimism and Arbitrum."

"Kokomo Finance, an open source and non-custodial lending protocol. Enter http://kokomo.finance to lend, borrow and earn $KOKO here. A 14-days genesis mining starts now with a decent APR!"

"Hola Degen! After a long research, found a permission-less lending protocol to help the user to lend and borrow digital assets. The name of protocol is - @KokomoFinance which is built on @optimismFND Now lets jump to some depth of this protocol"

"The project’s audit, conducted by 0xGuard, covered just the token contract, rather than the protocol at large."

"1/ The deployer of KOKO Token, address 0x41BE, deployed attack contract cBTC. Then set the reward speed, paused the borrow and set the implementation contract into a malicious one.

2/ Address 0x5a2d… approved the cBTC contract to spend the 7010 sonne WBTC.

3/ Since the implementation contract has been upgraded to the malicious cBTC contract, the attacker called 0x804edaad method to transfer sonne WBTC to address 0x5C8d.

4/ Finally, the address 0x5C8d.. swapped 7010 sonne WBTC to 141 WBTC (~4M) for profit."

"The lending protocol had launched on Optimism less than a week ago, and its token, KOKO, less than 36 hours before the rug."

"Kokomo Finance took off with approximately $4M, deleting their website, Twitter, GitHub and Medium in the process."

"Wrapped Bitcoin deposits were rugged via changes made by the project’s deployer address. Almost $2M of tokens still remain in the project’s pools on Optimism.

But with the contracts paused and users unable to withdraw funds, the question remains…

…will they be back for the rest?"

"Whatever the future holds for Optimism, one thing’s for certain:

Kokomo has flatlined."

This is a global/international case not involving a specific country.

The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.


  • Known history of when and how the service was started.
  • What problems does the company or service claim to solve?
  • What marketing materials were used by the firm or business?
  • Audits performed, and excerpts that may have been included.
  • Business registration documents shown (fake or legitimate).
  • How were people recruited to participate?
  • Public warnings and announcements prior to the event.

Don't Include:

  • Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
  • Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

Two Audits By 0xGuard

The Kokomo Finance protocol was audited twice by the 0xGuard firm[5].

The Reality

This sections is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - Kokomo Finance Lending Protocol Exit Scam
Date Event Description
March 13th, 2023 2:21:00 AM MDT Promotion on Twitter Started The Kokomo Finance scheme is starting to be promoted on Twitter[6][7][8][9][10][11][12].
March 14th, 2023 3:28:00 AM MDT Promotion Still Underway The Kokomo Finance scheme is still under heavy promotion via Twitter[13][14][15].
March 14th, 2023 12:25:04 PM MDT Domain Pending Registration The kokomo.finance website shows that the domain is still pending WHOIS contact verification[16].
March 17th, 2023 12:21:00 AM MDT 0xGuard Audit Started Audit firm 0xGuard announces that they've started an audit of the Kokomo Finance protocol[17].
March 22nd, 2023 12:53:00 AM MDT Second 0xGuard Audit Published Audit firm 0xGuard publishes a second audit on Twitter[18].[5]
March 22nd, 2023 9:28:00 AM MDT Listed On List of New Projects Kokomo Finance is included in a list of newly launched blockchain projects[19].
March 23rd, 2023 7:07:00 AM MDT Optimism Space Tweet Optimism Space tweets about the protocol[20].
March 23rd, 2023 10:05:00 AM MDT DefiLlama Promotion on Twitter DefiLlama announces they are now tracking Kokomo Finance[21].
March 25th, 2023 12:36:00 AM MDT CryptoLeeY Promotion Tweet CryptoLeeY publishes an analysis of the Kokomo Finance protocol[22]. TBD expand and get the information out.
March 25th, 2023 1:34:00 AM MDT Optimism Economy Promotion The Optimism Economy Tweets about the Kokomo Finance project, an open-source and non-custodial lending protocol[23].
March 25th, 2023 4:07:00 AM MDT Kokomo Finance Lists on CoinGecko The Kokomo Finance KOKO coin is listed on CoinGecko[24].
March 26th, 2023 9:58:05 AM MDT Exit Scam Transaction The blockchain transaction to remove liquidity from the smart contract[25].
March 26th, 2023 2:43:00 PM MDT UnoIntern Announcement Twitter user UnoIntern reports about the rug pull happening[26].
March 26th, 2023 11:33:48 PM MDT CoinTelegraph Article CoinTelegraph posts an article on the situation[27]. Optimism-based lending protocol Kokomo Finance is suspected of carrying out a $4 million "exit scam" after its social media and website went offline, while the price of its KOKO token fell by over 95% in a matter of minutes. Security firm CertiK alerted its followers to the alleged scam in a tweet, noting that the KOKO token plummeted in value. CertiK said that the deployer of KOKO attacked the smart contract code of a wrapped Bitcoin token, cBTC, by resetting the reward speed and pausing the borrow function, before approving the new cBTC smart contract to spend over 7000 Sonne Wrapped Bitcoin (So-WBTC). The attacker then swapped the So-WBTC to another address, producing a $4 million profit. Kokomo Finance's smart contract audit passed most aspects, but had typographical errors and the owner of the KOKO token had the ability to mint 45% of the maximum supply to an arbitrary address[28].
March 27th, 2023 9:24:32 AM MDT YouTube Video A YouTube video about the crash is posted[29].
March 27th, 2023 2:12:00 PM MDT RektHQ Article Posted The situation is posted on RektHQ[30]. Kokomo Finance, a lending protocol built on Optimism, has reportedly rug-pulled, leaving with $4 million in stolen wrapped Bitcoin deposits. The protocol had launched less than a week ago, and its token, KOKO, had been introduced 36 hours before the rug pull. The project deleted its website, Twitter, GitHub and Medium in the process. Wrapped Bitcoin deposits were stolen through changes made by the project’s deployer address. Despite almost $2 million of tokens remaining in the project’s pools on Optimism, the contracts have been paused, and users cannot withdraw funds. The incident is the largest to date to affect Optimism, leading to questions about whether this incident signals a changing tide amongst Ethereum’s most popular scaling solutions[31].
March 30th, 2023 1:59:31 AM MDT CoinMonks Article Published CoinMonks publishes an article about the situation[32]. TBD more details.

Technical Details

This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?

Total Amount Lost

The total amount lost has been estimated at $4,000,000 USD.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Individual Prevention Policies

Avoid the use of smart contracts unless necessary. Minimize the level of exposure by removing or withdrawing assets whenever possible. Aim to choose smart contracts which have obtained third party security audits, preferably having been audited by at least three separate reputable firms. Pay attention to the audit reports, which smart contracts are covered, and whether the smart contract has been upgraded or modified since the report. Ensure that any administrative functions with the ability to remove funds from the smart contract are under the authority of a multi-signature wallet which is controlled by at least three separate and reputable entities.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing (of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.


  1. Kokomo Finance - DefiLlama (May 3, 2023)
  2. Medium (May 3, 2023)
  3. https://web.archive.org/web/20230328012441/https://github.com/KokomoFinance (May 3, 2023)
  4. @KokomoFinance Twitter (May 3, 2023)
  5. 5.0 5.1 Kokomo Finance Second Audit - 0xGuard (May 17, 2023)
  6. sidenzgiw - "Kokomo Finance" - Twitter (May 3, 2023)
  7. ohhellohana - "tg crzyhana, ko dc crzyhana#3713, kokomo finance" - Twitter (May 3, 2023)
  8. happykiyowokay - "Dc fah25#4410 Tg fah Kokomo finance" - Twitter (May 3, 2023)
  9. moemoea_ - "Kokomo finance proof Telegram usn La_moemoea Discord usn elfluffy#2082" - Twitter (May 3, 2023)
  10. Pamungkhaz - "Kokomo Finance DC+TG: Pamungkhaz." - Twitter (May 3, 2023)
  11. solaceyfeels - "kokomo finance" - Twitter (May 3, 2023)
  12. ro2noazero - "kokomo finance tg dc" - Twitter (May 3, 2023)
  13. semqngat - "raven tg discord kokomo finance tg name, usn: c, csemqngat discord: semqngat#8085" - Twitter (May 3, 2023)
  14. leehc0x - "tg: Melonsquash1 dc: imah#8628 #kokomofinance" - Twitter (May 3, 2023)
  15. PirotReborn - "Tg PirotFer Ferry DC FerreyPirot #0399 - KokomoFinance" - Twitter (May 3, 2023)
  16. Registrant WHOIS contact information verification | Namecheap.com Archive March 14th, 2023 12:25:04 PM MDT (May 3, 2023)
  17. 0xGuard - "We are happy to announce that we've started an audit of @KokomoFinance's smart contracts." - Twitter (May 3, 2023)
  18. 0xGuard - "New audit report by #0xGuard is available. Prepared for: @KokomoFinance" - Twitter (May 3, 2023)
  19. C4dotgg - "New Projects" - Twitter (May 3, 2023)
  20. Optimism_Space - "KOKOMO IS LIVE ON OPTIMISM Kokomo Finance, an open source and non-custodial lending protocol" - Twitter (May 3, 2023)
  21. DefiLlama - "Kokomo Finance, an open source and non-custodial lending protocol on Optimism and Arbitrum" - Twitter (May 3, 2023)
  22. CryptoLeeY - "Hola Degen! After a long research, found a permission-less lending protocol to help the user to lend and borrow digital assets." - Twitter (May 3, 2023)
  23. OptimismEconomy - "@KokomoFinance Live on @optimismFND ️#KokomoFinance is an open source and non-custodial lending protocol" - Twitter (May 3, 2023)
  24. CryptoNotifyBot - "New CoinGecko Listing Kokomo Finance / $koko" - Twitter (May 3, 2023)
  25. Optimistic L2 Theft Transaction - Optimism (May 3, 2023)
  26. UnoIntern - "Kokomo Finance Rug-pulled for $6M Stay cautious if you have interacted with its contracts!" - Twitter (May 3, 2023)
  27. CoinTelegraph - "A newly-launched lending protocol, Kokomo Finance has allegedly rug-pulled its users to the tune of $4 million just two days after going live on Optimism." - Twitter (May 3, 2023)
  28. $4M ‘exit scam’ suspected as Kokomo Finance flies off radar, token plunges - CoinTelegraph (May 3, 2023)
  30. RektHQ - "Another week, another rug. This time, @KokomoFinance took off with $4M, before deleting their online presence." - Twitter (May 3, 2023)
  31. Rekt - Kokomo Finance - REKT (May 3, 2023)
  32. Decoding Kokomo Finance $4 Million Rug Pull Quillaudits - CoinMonks Medium (May 3, 2023)

Cite error: <ref> tag with name "cointelegraph-10801" defined in <references> is not used in prior text.