Skip to content
Est. MMXXVIVol. VI · № 273RSS
Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 129Rug Pull

Kokomo Finance Exit Scam

Kokomo Finance, an Optimism Compound fork, rug-pulled $4M by pausing cBTC, pointing rewards at a malicious implementation, draining WBTC and deleting socials.

Date
Victim
Kokomo Finance users
Chain(s)
Optimism
Status
Funds Stolen

On March 27, 2023, the Optimism lending protocol Kokomo Finance — a Compound v2 fork — executed a $4 million rug pull. The team paused the protocol's cBTC market, modified the reward contract to point at a malicious implementation, drained user-supplied WBTC, and then deleted the website and all social channels.

What happened

Kokomo Finance presented as a legitimate Optimism lending market with the standard trust signals — a deployed Compound-fork product and active social presence. It had accumulated meaningful TVL, including user-supplied WBTC.

The rug exploited the team's retained privileged control over the protocol's contracts:

  1. Paused the cBTC market — preventing users from withdrawing while the rug executed.
  2. Modified the reward contract (cBTC's implementation) to a malicious version that the team controlled — using the upgrade authority they had retained over the protocol's contracts.
  3. The malicious implementation let the team transfer user-supplied WBTC out of the protocol to attacker-controlled addresses.
  4. Drained ~$4M in WBTC and other assets.
  5. Deleted the website, Twitter, and all community channels — the standard exit-scam finishing move.

The KOKO token collapsed ~95%; users who had supplied collateral to the paused markets could not withdraw and lost their deposits.

Aftermath

  • No recovery — the rug was structured so the team controlled the upgrade keys, the pause function, and the exit path.
  • Kokomo Finance joined the long list of audited-looking Compound-fork rug pulls on emerging L2s in 2022-2023.

Why it matters

Kokomo Finance is a representative entry in the "Compound-fork rug" sub-genre — distinct from Compound-fork bugs (Hundred Finance, Sonne Finance) because the loss was intentional, executed through retained privileged control rather than an unintended vulnerability.

The structural lessons for users:

  1. Upgradeable lending forks with retained admin keys are rug-capable by construction. If the team can pause markets and upgrade contract implementations, they can do exactly what Kokomo did. The on-chain question users should ask — but rarely do — is "who controls the upgrade and pause authority, and is it renounced, timelocked, or multi-sig-gated?"

  2. The "pause then drain" sequence is a rug signature. A legitimate emergency pause protects users; a pause immediately followed by an implementation upgrade and asset transfer is an exit. The pattern is detectable on-chain, and monitoring services increasingly flag it — but usually too late for the depositors already in the paused market.

  3. Emerging L2s in their growth phase attract fork-rugs. Optimism's 2022-2023 ecosystem growth, like BSC's 2021 and Arbitrum's 2022-2023, drew a wave of fast-deployed Compound forks — some buggy, some malicious, structurally indistinguishable to users at deposit time. Kokomo is one of many; the pattern recurs on every chain during its high-incentive growth window.

The recurring meta-lesson: "it's a Compound fork on a new chain" is not a safety signal — it's a risk signal, because the fork inherits Compound's footguns and the team's incentives, neither of which the chain's youth makes safer.

Sources & on-chain evidence

  1. [01]halborn.comhttps://www.halborn.com/blog/post/explained-the-kokomo-finance-rug-pull-march-2023
  2. [02]bitcoinist.comhttps://bitcoinist.com/kokomo-finance-pulls-exit-scam/
  3. [03]cryptopotato.comhttps://cryptopotato.com/optimism-defi-protocol-kokomo-finance-rug-pulls-users-for-4-million/

Related filings