Developers behind the Optimism-based lending platform Kokomo Finance seemed to have conducted an exit scam over the weekend after manipulating tokens on the protocol to effectively steal $4 million in user funds.
An exit scam is said to occur when developers or promoters of a crypto project seem to market a legitimate-looking project to investors, only to pull liquidity and erase their online or offline presence once a sizable amount of money has been attracted to that project.
On Sunday night, Kokomo developers deployed an attack contract cBTC from the main address of KOKO, Kokomo’s native tokens. They then set the reward speed, paused a borrow feature and created a malicious contract to interact with the rest of the protocol, security firm CertiK said.
cBTC is a wrapped bitcoin derivative issued on the Ethereum network. The issuance of the token was ultimately used to trick the protocol into falsely believing it had more liquidity when there was none.
Another developer address was then used to maliciously approve a transfer of spending more than 7,000 sonne wrapped bitcoins, another bitcoin derivative token on Ethereum. Those tokens were then used to swap all user-supplied liquidity to Kokomo, amounting to over $4 million.
Social-media accounts and the Kokomo website were quickly deleted in the following and were inaccessible during Asian morning hours.
Meanwhile, KOKO tokens fell 97%, wiping nearly all value for holders.
The exit scam was the latest in line of a number of growing attacks and exploits in the crypto market. Earlier this month, Euler Finance, another lending platform, was exploited for $200 million.