Kannagi Finance zkSync Rug
Kannagi Finance, a zkSync Era yield farm, rug-pulled $2.1M after its closed-source upgradeable staking contract was swapped to a malicious implementation.
- Date
- Victim
- Kannagi Finance users
- Chain(s)
- Status
- Funds Stolen
On July 4, 2023, the zkSync Era yield farm Kannagi Finance rug-pulled approximately $2.1 million. The protocol's closed-source, upgradeable staking contract was upgraded to a malicious implementation that drained all user deposits; the team then deleted its website and social channels.
What happened
Kannagi's staking contracts were not verified/open-source and were upgradeable by the team. After accumulating ~$2.1M in deposits, the operators pushed a malicious upgrade that swept the pooled funds to attacker-controlled addresses, then vanished — the textbook exit-scam finishing sequence.
Aftermath
- No recovery; operators unidentified.
- One of several 2023 zkSync-ecosystem rugs during the chain's incentive-driven growth phase.
Why it matters
Kannagi is a clean closed-source + upgradeable = rug-capable case. Two red flags, both checkable before depositing, both ignored during a yield-chase: unverified contract source (you cannot know what the code does) and team-controlled upgradeability (even verified code can become arbitrary code). The catalogue's recurring user-side lesson — reinforced by Kokomo, Swaprum, Arbix — is that on a new chain in its high-APY growth window, the base rate of "this is a rug" is high, and the two cheapest filters (verified source, renounced/timelocked upgrade authority) screen out most of them. zkSync Era in 2023, like BSC in 2021 and Base in 2024, ran exactly this pattern.
Sources & on-chain evidence
- [01]halborn.comhttps://www.halborn.com/blog/post/explained-the-kannagi-finance-rug-pull-july-2023
- [02]crypto.newshttps://crypto.news/zksync-eras-kannagi-finance-rug-pulls-and-steal-2-13m/
- [03]rekt.newshttps://rekt.news/kannagi-finance-rekt