Securities.io is committed to rigorous editorial standards. We may receive compensation when you click on links to products we review. Please view our affiliate disclosure. Trading involves risk which may result in the loss of capital.
The decentralized finance (DeFi) niche has tracked phenomenal progression since it emerged in earnest around 2017, but not without major bruises. During this half-decade run, the DeFi space has evolved rapidly, as reflected in its total value locked (TVL) figure, which topped $180.38 billion in December 2021 according to DeFi Llama data. The brisk growth of this crypto subsector, especially in the last few years, has been chalked up to several influences, including increased demand for crypto assets and the incentivized nature of offerings.
On the flip side, this accelerated growth and the accompanying liquidity have concomitantly invited unscrupulous actors looking to exploit the vulnerabilities present in the space.
Trend and nature of crypto & DeFi exploits
In the past three years, there has been an accelerated occurrence of high-profile crypto theft incidents. The majority of these have involved crypto scams, rug pulls, flash loan attacks, and other DeFi-related exploits.
In a rug pull, the perpetrator, usually a developer or team, pumps the price of the project's token, then abruptly withdraws or removes the liquidity before abandoning the project. Flash loan attacks, on the other hand, target flaws in smart contract-based lending platforms and are the most frequent. They take advantage of the uncollateralized nature of flash loans: no upfront collateral is needed, but the borrower must repay within the same on-chain transaction. Exploiters borrow huge sums in crypto assets from a DeFi protocol, manipulate the assets' prices on one exchange, then quickly exit their position on another.
Other DeFi-related exploits include smart contract bugs, oracle attacks, and governance attacks. In a governance attack, hackers seek to control enough voting rights to pass and execute proposals that benefit their own interests.
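The flash loan pattern described above works because everything happens inside one atomic transaction, so any protocol that reads a DEX spot price during that transaction sees a temporarily distorted number. The following simulation is an added example, not code from the article or from any of the protocols it names; it assumes a simplified, fee-free constant-product pool, a hypothetical lender that values collateral at a fixed loan-to-value ratio, and a time-weighted (TWAP) price source that only records block-end prices. It shows why a lender quoting the spot price is exposed while one anchored to a TWAP is not, and that the loan is repaid within the same step, as the text says.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class ConstantProductPool:
    """Simplified x*y=k AMM pool (no fees) holding a stablecoin and a volatile token.
    Constructed model for illustration only, not any real DEX."""
    usd: float
    tok: float

    def spot_price(self) -> float:
        """USD per token, as implied by the current reserves."""
        return self.usd / self.tok

    def swap_usd_for_tok(self, usd_in: float) -> float:
        k = self.usd * self.tok
        new_usd = self.usd + usd_in
        new_tok = k / new_usd
        tok_out = self.tok - new_tok
        self.usd, self.tok = new_usd, new_tok
        return tok_out

    def swap_tok_for_usd(self, tok_in: float) -> float:
        k = self.usd * self.tok
        new_tok = self.tok + tok_in
        new_usd = k / new_tok
        usd_out = self.usd - new_usd
        self.usd, self.tok = new_usd, new_tok
        return usd_out


class TwapOracle:
    """Averages the pool price recorded at the end of each of the last `window` blocks.
    Trades inside the current block (including a flash-loan round trip) never reach it,
    so it cannot be moved within a single transaction."""

    def __init__(self, window: int):
        self.observations = deque(maxlen=window)

    def record_block_end(self, pool: ConstantProductPool) -> None:
        self.observations.append(pool.spot_price())

    def price(self) -> float:
        return sum(self.observations) / len(self.observations)


def max_borrow_usd(collateral_tok: float, price_usd: float, ltv: float) -> float:
    """Hypothetical lender rule: borrow up to `ltv` of the collateral's quoted value."""
    return collateral_tok * price_usd * ltv


def flash_loan_round_trip(pool, oracle, loan_usd, collateral_tok, ltv=0.75) -> dict:
    """Simulate one atomic transaction: take an uncollateralized flash loan of `loan_usd`,
    buy the token to push its pool price up, observe what each price source reports
    while the price is distorted, then unwind the trade and repay in the same step."""
    spot_before = pool.spot_price()
    tok_bought = pool.swap_usd_for_tok(loan_usd)   # token price is now inflated
    spot_during = pool.spot_price()
    twap_during = oracle.price()
    usd_back = pool.swap_tok_for_usd(tok_bought)   # unwind the position
    loan_repaid = usd_back + 1e-9 >= loan_usd       # repayment inside the same transaction
    return {
        "spot_before": spot_before,
        "spot_during": spot_during,
        "twap_during": twap_during,
        "inflation": spot_during / spot_before,
        "loan_repaid": loan_repaid,
        "borrow_vs_spot": max_borrow_usd(collateral_tok, spot_during, ltv),
        "borrow_vs_twap": max_borrow_usd(collateral_tok, twap_during, ltv),
    }


def run_demo() -> dict:
    # Constructed numbers: $1M and 1,000 tokens in the pool, i.e. $1,000 per token.
    pool = ConstantProductPool(usd=1_000_000.0, tok=1_000.0)
    oracle = TwapOracle(window=10)
    for _ in range(10):                  # ten quiet blocks at $1,000
        oracle.record_block_end(pool)
    return flash_loan_round_trip(pool, oracle, loan_usd=1_000_000.0, collateral_tok=100.0)


if __name__ == "__main__":
    r = run_demo()
    print(f"spot price during flash swap:  ${r['spot_during']:,.0f} ({r['inflation']:.0f}x)")
    print(f"TWAP during flash swap:        ${r['twap_during']:,.0f}")
    print(f"lender using spot would allow: ${r['borrow_vs_spot']:,.0f}")
    print(f"lender using TWAP would allow: ${r['borrow_vs_twap']:,.0f}")
```

With these constructed reserves, a $1 million flash-borrowed buy quadruples the spot price for the duration of the transaction while the TWAP is unchanged, so a spot-quoting lender would value 100 tokens of collateral at four times what the anchored lender sees. The design point for defenders is that the price source, not the flash loan itself, is the flaw: lending logic should read a manipulation-resistant price (a TWAP, an external oracle, or a sanity check against one) rather than the current pool ratio.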
Crypto and DeFi security breaches in the past
Blockchain analytics platform Crystal detailed in its recently published report on security breaches and fraudulent activities involving crypto that there have been more than 230 DeFi hacks since 2011. The $4.18 billion in crypto assets lost as a result of these incidents has contributed to an overwhelming $16.7 billion in cryptocurrencies stolen in the same period. Markedly, the exploit on Ronin Network, which saw the attacker drain over $650 million from Axie Infinity's bridge last March, remains the largest.
Even more alarming, the annual losses attributed to crypto theft have been increasing since the first exchange hack, involving Mt Gox, in June 2011. The top 10 DeFi attacks of 2022 (by stolen funds) totaled more than $2.6 billion. DeFiLlama's dashboard shows DeFi protocols lost more than $3 billion in 2022, making it the worst year on record. Though the frequency and severity of incidents appeared to slow towards the end of 2022, the trend has reversed at the beginning of this year.
Thus far in 2023, there have been 19 crypto (including DeFi) breaches, resulting in more than $372 million worth of stolen assets. The funds lost each month have consistently increased since January, shooting from $14.6 million in January to $142.4 million in February, according to the Rekt Database.
This figure has already more than doubled in March, even with a few days to go. There is, however, one small positive: the loss attributable to crypto scams and exploits thus far in Q1 is on track for a modest decrease from the same period last year. Approximately $1.2 billion in crypto assets was lost to exploiters in Q1 2022.
Major exploits so far and their eventual outcomes
Notable DeFi hacks so far include the drain of $120 million from decentralized borrowing protocol BonqDAO in February and the flash loan attack on Platypus Finance, which saw the protocol lose $8.5 million in user funds.
Developers of Kokomo Finance pull an exit scam
Blockchain analytics firm CertiK Alert shared on Sunday a notice of a suspected exit scam on Optimism-based lending protocol Kokomo Finance. The alerts tool observed a slump in the price of the KOKO token and the deactivation of the project's social accounts hours later.
“The deployer of KOKO Token, address 0x41BE, deployed attack contract cBTC. Then set the reward speed, paused the borrow and set the implementation contract into a malicious one. Address 0x5a2d… approved the cBTC contract to spend the 7010 sonne WBTC,” CertiK confirmed in a subsequent post. “Since the implementation contract has been upgraded to the malicious cBTC contract, the attacker called 0x804edaad method to transfer sonne WBTC to address 0x5C8d. Finally, the address 0x5C8d… swapped 7010 sonne WBTC to 141 WBTC (~4M) for profit.”
Kokomo Finance was a relatively new project, having only gone live on Mar 25.
A security assessment of the protocol by smart contract auditing company 0xGuard earlier in March showed a ‘pass’ on most aspects except ‘Code With No Effects’ and ‘typographical errors.’ The price of the KOKO token has since crashed to near zero following the drain.
Exploiter attempts ‘profitable white-hat strategy’ on defunct Swerve Finance
In another incident this month, users on Twitter observed suspicious activity involving Swerve Finance, a now defunct Ethereum-based fork of the decentralized exchange Curve. The governance attack on the defunct Curve Finance clone is now in its second week as the attacker seeks to reach the required quorum.
The attacker created a vote in a bid to claim the delegator contract holding $1.3 million in stablecoins from the DAI-USDC-USDT pool. In a lengthy thread, Wintermute head of research Igor Igamberdiev theorized that there was enough evidence to track the attacker. In subsequent posts, Igamberdiev doxed the person behind the attack as the owner of ‘silvavault’.
Igamberdiev provided a trail of on-chain evidence, including transactions routed via the sanctioned mixer Tornado Cash, that linked to a specific individual. The accused, whose Twitter account was doxed as joaorcsilva, responded to the allegations, arguing that his actions were not driven by ulterior motives.
Euler Finance hacker surrenders a significant portion of stolen funds
In a separate incident, an attacker stole around $197 million in crypto assets on Mar 13 in what has since turned out to be a dramatic affair. Though the DeFi protocol's team managed to address the issue at the time, they could not recover the stolen assets. Efforts to contact the attacker and reach a compromise failed, prompting a $1 million bounty for any information leading to his arrest.
The hacker, in a twist of events last week, returned 3,000 ETH to the Ethereum-based lending protocol on Mar 18 in three transactions, while nonetheless retaining a significant sum.
Over the weekend, the attacker sent around 51,000 ETH to the protocol's deployer address. Still on the same day, March 25, the attacker carried out a second transaction, this time sending 7,737 ETH to the deployer. Thus far, the hacker's address has returned more than half of the stolen sum. The latest developments pushed the price from just over $2.50 to $4.30 before it slid back to $3.80, where it was last spotted.
Markedly, the Euler Finance exploiter, like the Ronin Network attackers, used the Tornado Cash coin mixer.
US, international authorities bear down on coin mixers for their role in money laundering
Earlier this month, the European Union Agency for Law Enforcement Cooperation (Europol) announced it had seized $46 million from ChipMixer on money laundering allegations. Europol, alongside the FBI and German authorities, alleged that the crypto mixer facilitated the laundering of 152,000 BTC in the last five years, translating to roughly $3 billion. US law enforcement officials reported that they got hold of 1,909.4 BTC and also ordered the shutdown of the platform’s supporting servers. The enforcement action comes on the back of similar restrictive orders laid on Tornado Cash.
The latter coin mixer has also come under fire this year from US authorities for its role in facilitating crime by obscuring transactions and making illicit activity impossible to trace. The US Department of Justice earlier this year announced sanctions against the privacy tool, drawing critical remarks from some quarters of the industry. This is not the first crypto hack case to see the involvement of authorities.
FBI pins responsibility for the $100M Harmony Bridge hack on Lazarus Group
Last June, during a year with record amounts stolen in bridge attacks, the Harmony bridge lost about $100 million in Ether. At the time, an official announcement by Harmony, the layer one PoS blockchain connected by the bridge to Ethereum, said it was working with authorities to establish the cause of the attack and recoup the funds. The FBI confirmed that the notorious North Korean state-sponsored hacking groups Lazarus Group and APT38 were responsible for the attack. The claims marked the first time the US government has officially accused the group of the Harmony attack. Blockchain experts who conducted on-chain forensic analysis attributed the hack to the same actors.
The Lazarus Group has also been linked with, among other crimes, the hack of the Ronin bridge last year, at a time when the government had cautioned that crypto companies would become targets of the hackers. The FBI also said that on January 13, the North Korean hackers used RAILGUN, a privacy protocol, to obscure the laundering of $60 million of Ether, which was sent to crypto exchanges and converted to Bitcoin. However, through transaction tracking and analysis, a portion of these funds was identified, frozen, and recovered by these virtual asset service providers (VASPs). The remaining funds, yet to be recovered, had been transferred to 11 distinct Ethereum addresses, according to the FBI.
Wormhole bridge hack update
Hacker shuffles $155 million in stolen funds, and levers up
A wallet connected to one of the largest breaches in the crypto industry in 2022 came alive this year, transferring over $155 million of stolen funds. The transaction, the wallet's first in several months, was used to lever up a long ETH position. In January, the crypto community observed on-chain information showing the sequence of activities that the actor who hacked more than $321 million worth of Ether (120,000 wETH) from the Wormhole Portal Token Bridge has been up to. The hacker's sequence of exchanges began with their address consolidating Ether before swapping 95,630 ETH for 96,677 of Lido's staked Ether (stETH) through the decentralized exchange aggregator OpenOcean.
Subsequently, the actor wrapped 86,473 stETH into wstETH, Lido's liquid token issued to Ether stakers. Of his newly acquired wrapped tokens, he collateralized 25,000 wstETH to borrow 13 million DAI. The hacker then used the DAI to acquire 8,000 stETH via the Ethereum-based DEX Kyber Network, and conducted several other similar trades via DeFi protocols such as 1inch as he continued leveraging up. The attacker received a further $1.5 million worth of DAI, which was also exchanged for 923 stETH.
$61 million moved in search of arbitrage on Ether-pegged assets
The ill-gotten crypto from one of the largest bridge hacks in the crypto industry last year was also on the move last month. PeckShield observed that the hacker's associated wallet saw further activity in February, transferring crypto assets totaling $46 million. The hacking entity's original attack saw it make away with more than $320 million worth of Wrapped ETH (wETH) in February 2022. The actors shuffled 95,630 ETH worth $155 million on Feb 12, sending them to the decentralized exchange OpenOcean, then converting them into ETH-pegged assets – Lido's wstETH and stETH.
The blockchain security firm also noted that the hacker, who has since ignored a $10 million bug bounty offer, appears to be seeking yield or arbitrage opportunities with the stolen assets, as they were exchanged for 16.6 million DAI, a MakerDAO stablecoin. The exploiter deployed a further 8.8k wstETH ($15 million) to MakerDAO. Wormhole also reiterated its offer to the exploiter to return the funds and receive a $10 million bounty.