1. Home
  2. Smart Contract Exploit

Smart Contract Exploit

Radiant Capital halts lending after exploit

Approximately $58 million has been lost from a cybersecurity breach at the lending protocol, one expert said. 

Radiant Capital halted its lending markets after the cross-chain lending protocol suffered a more than $50 million cybersecurity breach on BNB Chain and Arbitrum, according to Radiant and two cybersecurity experts.

“Radiant Capital contracts were exploited on BSC & ARB chains with the ‘transferFrom’ function, which allowed to drain users’ funds, namely $USDC $WBNB $ETH and others,” Web3 cybersecurity firm De.Fi Antivirus said in an Oct. 16 post on the X platform.

De.Fi said the exploit drained approximately $58 million, mirroring estimates from another cybersecurity firm, Ancilia Inc., which pegged losses at around $50 million, according to another X post.

Read more

Chainlink Collaborates With Microsoft on CBDC Commissioned By Brazil’s Central Bank

KyberSwap DEX hacker sends an on-chain message: Be nice, or else

The exploiter behind the $46 million KyberSwap hack says they plan to outline a treaty for the potential return of funds on Nov. 30, but not if threats and hostilities from execs keep up.

The exploiter behind the $46 million crypto theft against KyberSwap has demanded its execs and tokenholders ease up on the hostilities, threatening to push out negotiations until everyone is “more civil.”

In an on-chain message addressed to KyberSwap executives, tokenholders and liquidity providers on Nov. 28, the exploiter said they plan to release a statement around a potential treaty with KyberSwap on Nov. 30 — but won’t do it if hostilities continue.

“I said I was willing to negotiate. In return, I have received (mostly) threats, deadlines, and general unfriendliness from the executive team,” they said.

“Under the assumption that I am treated with further hostility, we can reschedule for a later date, when we all feel more civil,” they warned.

The team behind KyberSwap — a cross-chain decentralized exchange — initially suggested a bounty deal where the hacker returns 90% of the funds across all exploits, allowing the hacker to keep the remaining 10%.

But they followed up with a threat to pursue legal action after the hacker didn’t comply straight away.

“We have reached out to law enforcement and cybersecurity on this case. We have your footprints to track you,” the KyberSwap team said in a Nov. 25 on-chain message, adding:

“So it's better for you if you take the first offer from our previous message before law enforcement and cybersecurity track you down.”

KyberSwap also told the hacker they would initiate a public bounty program to incentivize anyone providing information to support law enforcement that may lead to their arrest and the recovery of user funds.

The team behind KyberSwap has already managed to recover $4.67 million from the $46 million exploit on Nov. 26 from operators of front-running bots, which managed to extract around $5.7 million in crypto from KyberSwap pools on the Polygon and Avalanche networks.

The team hasn’t yet responded to the exploiter’s latest message on X (formerly Twitter) and is presumably waiting to see the new treaty proposed by the hacker.

Related: KyberSwap announces potential vulnerability, tells LPs to withdraw ASAP

A day after the Nov. 22 hack, decentralized finance pundit Doug Colkitt said the attacker used an “infinite money glitch” to carry out a “complex and carefully engineered smart contract exploit” across several networks implementing KyberSwap pools.

Funds were exploited from Avalanche, Polygon and Ethereum and layer-2 networks Arbitrum, Optimism and Base.

KyberSwap runs on Kyber Network, a blockchain-based liquidity hub that aggregates liquidity across different blockchains and enables the exchange of tokens without an intermediary.

Magazine: This is your brain on crypto: Substance abuse grows among crypto traders

Chainlink Collaborates With Microsoft on CBDC Commissioned By Brazil’s Central Bank

$4M ‘exit scam’ suspected as Kokomo Finance flies off radar, token plunges

Kokomo Finance's social media presence and websites are offline, while the price of the KOKO token fell more than 95% within a matter of minutes.

Optimism-based lending protocol Kokomo Finance has been suspected of a $4 million “exit scam” that has seen user funds plucked out from the platform via a smart contract loophole.

Blockchain security firm CertiK alerted its followers to the “exit scam” in a March 26 Twitter post, noting that the Kokomo Finance (KOKO) token has plummeted 95% in value in a matter of minutes.

CertiK also noted that Kokomo Finance removed all social media accounts immediately following the alleged rug pull too.

Kokomo Finance has either deactivated or deleted its Twitter account. Source: Twitter

CertiK said the deployer of KOKO attacked the smart contract code of a wrapped Bitcoin token, cBTC, by resetting the reward speed and pausing the borrow function.

After that, an address beginning with “0x5a2d..” approved the new cBTC smart contract to spend over 7000 Sonne Wrapped Bitcoin (So-WBTC).

The attacker then called another command to swap the So-WBTC to the 0x5a2d address, which produced a $4 million profit, according to the security firm.

Changes to the smart contract code of the KOKO began at about 9 am UTC on March 26. Source: Optimistic Etherscan

A CertiK spokesperson told Cointelegraph that it was the largest "incident" that they’ve detected on Optimism.

Kokomo Finance is an open-source and non-custodial lending protocol on Optimism, where investors could trade for wBTC, Ether (ETH), Tether (USDT), USD Coin (USDC) and DAI.

Kokomo Finance rose up the ranks quickly in recent days, with blockchain data platforms like CoinGecko and DefiLlama officially tracking it shortly after Kokomo Finance went live on Optimism on March 25.

The price of Kokomo Finance token, KOKO fell over 97% at about 4:10pm UTC time on March 26. Source: CoinGecko

Recent screenshots reveal that more than $2 million was locked into Kokomo Finance prior to it falling more than 97%.

Over 72% of the total value locked in the Kokomo Finance protocol came in the form of wrapped Bitcoin, according to data from DefiLlama.

Cointelegraph attempted to access all social media and blog websites listed on Kokomo Finance’s Linktree page, however, all of these links now lead to some form of an error page, suggesting the page has been removed.

Related: 7 DeFi protocol hacks in Feb see $21 million in funds stolen: DefiLlama

Cointelegraph came across Kokomo Finance’s smart contract audit, which was reviewed and shared by 0xGuard earlier in March.

While most aspects of the audit were passed, “typographical errors” were found and the owner of the KOKO token was found to have a one-time ability to 45% of the maximum supply to an arbitrary address.

Kokomo did not pass all aspects of its smart contract audit, which was reviewed by 0xGuard in March. Source: GitHub

Cointelegraph reached out to 0xGuard for comment but did not receive an immediate response.

Magazine: Should crypto projects ever negotiate with hackers? Probably

Chainlink Collaborates With Microsoft on CBDC Commissioned By Brazil’s Central Bank