Kokomo Finance - Hack Analysis (March 27, 2023)





    Kokomo Finance, a lending protocol that had recently launched on Optimism, rug-pulled its users and disappeared with approximately $4 million worth of tokens. The project’s token, KOKO, had been launched less than 36 hours before the rug. The rug occurred through changes made by the project’s deployer address, which rugged Wrapped Bitcoin deposits. The project’s website, Twitter, GitHub, and Medium were deleted soon after.

    Hack Impact

    Kokomo Finance has taken off with approximately $4 million worth of user funds, leaving users unable to withdraw their funds. Wrapped Bitcoin deposits were rugged, with almost $2M of tokens still remaining in the project’s pools on Optimism.


    The deployer of KOKO Token, identified as address 0x41BE, created a malicious contract called cBTC, modified the reward speed, paused the borrow function, and replaced the implementation contract using the function mentioned below with the malicious one. Another address, 0x5a2d, approved the cBTC contract to spend 7010 sonne WBTC. After the implementation contract was switched to the malicious cBTC contract, the attacker used the 0x804edaad method to transfer sonne WBTC to address 0x5C8d. Finally, the address 0x5C8d swapped 7010 sonne WBTC for 141 WBTC (~$4M) in profit.



    Steps to reproduce

    • The attacker deployed a contract called cBTC, then changed its implementation to a malicious contract. The attacker then called the 0x804edaad method to transfer tokens to a different address and ultimately swapped those tokens for profit.

    Transaction Analysis

    The stolen funds are currently held in four addresses:

    Rugpull Indicators

    Here are some indicators to look for in a smart contract that may indicate it could be a rugpull:

    • Anonymous or unknown team: A team that is anonymous or unknown should be a red flag as they may not have any reputation to uphold and can disappear easily.
    • Unaudited code: A smart contract that has not been audited or reviewed by reputable third-party auditors increases the risk of vulnerabilities and potential exploits.
    • Centralized control: A smart contract that gives excessive control to the owner or a small group of individuals can lead to potential misuse of funds or a rugpull.
    • Lack of transparency: A rugpull often involves a lack of transparency or information on the project, such as unclear tokenomics or a lack of information on the team or project roadmap.
    • Unrealistic promises: Projects that make unrealistic promises of high returns or quick profits without a clear explanation of how these returns will be generated should be approached with caution.
    • Lack of liquidity: If a project has low liquidity or a small number of holders, it may be easier for a rugpull to occur as there may not be enough holders to prevent a large-scale dump.
    • Sudden changes or delays: A sudden change in the project roadmap or significant delays in project milestones without proper communication to investors can be a warning sign of a potential rugpull.
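
The admin sequence described in this analysis (reward speed change, borrow pause, implementation swap, then a call through a new selector) and the "Centralized control" indicator can be checked mechanically over a market's decoded admin events. The following is an added example, not code from the original analysis or from Kokomo: the event labels, timestamps, the `0xADMIN` label and the `review_upgrades` helper are hypothetical, and decoding real logs into these labels is assumed to happen upstream.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    ts: int      # seconds from an arbitrary start
    actor: str   # transaction sender
    kind: str    # normalized label (hypothetical names, not real event signatures)
    target: str  # contract acted on

PRIVILEGED = {"reward_speed_changed", "borrow_paused"}

def review_upgrades(events, window=3600, min_delay=48 * 3600):
    """Return one finding per implementation change that has risk signals around it."""
    events = sorted(events, key=lambda e: e.ts)
    findings = []
    for ev in events:
        if ev.kind != "implementation_changed":
            continue
        same = [e for e in events if e.target == ev.target]
        before = [e for e in same if 0 < ev.ts - e.ts <= window]
        after = [e for e in same if 0 < e.ts - ev.ts <= window]
        reasons = []
        # Centralized control: no upgrade was queued at least min_delay earlier.
        if not any(e.kind == "upgrade_queued" and ev.ts - e.ts >= min_delay for e in same):
            reasons.append("no_timelock")
        # The same key changed other market parameters shortly before the swap.
        if any(e.kind in PRIVILEGED and e.actor == ev.actor for e in before):
            reasons.append("admin_burst")
        # An allowance was granted to the market just before its code changed.
        if any(e.kind == "token_approval" for e in before):
            reasons.append("fresh_allowance")
        # The new code is called through a selector the old ABI did not expose.
        if any(e.kind == "unknown_selector_call" for e in after):
            reasons.append("unknown_selector")
        if reasons:
            findings.append({"target": ev.target, "actor": ev.actor, "reasons": reasons})
    return findings

# Constructed timeline: actors are the truncated addresses from the write-up; the
# timestamps, ordering, sender of the last call and "market" label are invented.
SAMPLE = [
    Event(120, "0x41BE", "reward_speed_changed", "market"),
    Event(180, "0x41BE", "borrow_paused", "market"),
    Event(240, "0x5a2d", "token_approval", "market"),
    Event(300, "0x41BE", "implementation_changed", "market"),
    Event(360, "0x41BE", "unknown_selector_call", "market"),
]
# Constructed benign case: upgrade queued three days ahead, nothing else around it.
BENIGN = [Event(0, "0xADMIN", "upgrade_queued", "market"),
          Event(3 * 86400, "0xADMIN", "implementation_changed", "market")]
```

`review_upgrades(SAMPLE)` returns a single finding carrying all four reasons, while `review_upgrades(BENIGN)` returns an empty list.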


    Kokomo Finance’s rugpull is a reminder of the importance of conducting thorough security audits and implementing proper security measures in decentralized finance. As the rug occurred through changes made by the project’s deployer address, it is important to ensure that all aspects of a protocol are audited and secured.
