Kannagi Finance - REKT
The L2 rekt-volution continues.
Kannagi Finance, a yield aggregator on zkSync, pulled the rug on Saturday.
Before the incident the project had $2.1M TVL according to DeFiLlama (now just $0.17), but the scammer only got away with around $1.1M.
The project’s website and socials have since been deleted.
Kannagi had been audited twice, and endorsed (via a deleted giveaway tweet) by ecosystem-leader SyncSwap, as was EraLend, which got rekt for $3.4M on Tuesday.
The current system of rubber-stamping protocols with incomplete audits and window dressing only serves to legitimise potential rugs and scams.
There must be a better framework.
We need internal consumer protection; if not, Gary will be happy to do it for us.
Is that what you want, anon?
Credit: PeckShield
As always, this rug pull offers nothing much to report.
While the contract was unverified, the audit report includes the line:
The MainChef address can initiate a withdrawal on behalf of a user by specifying the user's address and an amount to withdraw.
Not much of a mystery then.
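To make that audit line concrete, here is an added sketch (not Kannagi's code, which was never verified on-chain, and not taken from either audit) of a vault whose operator can withdraw on behalf of any user, next to a shape where the payout can only reach the depositor. The contract and function names, and the assumption that the risky version pays the caller, are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical model of the behaviour the audit describes; NOT the real contract.
contract OperatorVault {
    IERC20 public immutable token;
    address public immutable mainChef; // privileged operator (name taken from the audit line)
    mapping(address => uint256) public balanceOf;

    constructor(IERC20 _token, address _mainChef) {
        token = _token;
        mainChef = _mainChef;
    }

    function deposit(uint256 amount) external {
        balanceOf[msg.sender] += amount;
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
    }

    // Risky shape: the operator names any user and any amount.
    // ASSUMPTION: the payout goes to the caller; the page does not say
    // where the real function sent the funds.
    function withdrawFor(address user, uint256 amount) external {
        require(msg.sender == mainChef, "not operator");
        balanceOf[user] -= amount; // reverts on underflow in 0.8+
        require(token.transfer(msg.sender, amount), "transfer failed");
    }

    // Safer shape: the operator may trigger the exit, but tokens can only
    // be sent to the depositor whose balance is debited.
    function withdrawForSafe(address user, uint256 amount) external {
        require(msg.sender == mainChef || msg.sender == user, "not authorized");
        balanceOf[user] -= amount;
        require(token.transfer(user, amount), "transfer failed");
    }
}
```

When reading an audit, the questions to ask of a finding like this are who controls the operator address and where an on-behalf withdrawal pays out.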
And the effect:
Scammer’s address (on zkSync and Ethereum): 0x95ec03b821f164ce55cbb26f23f591a9bd40d6c1
The rugged funds were bridged to Ethereum, where 600 ETH ($1.1M) was deposited into Tornado Cash.
Auditors SolidProof published a statement, clarifying that the vault contract did not fall under the scope of their audit, and passing the buck to SourceHat (previously Solidity Finance) who did audit the vault.
The SourceHat audit indeed pointed out that “some centralized aspects are present”, but is this common throwaway observation sufficient to absolve auditors of responsibility?
Combined with the statement “No external vulnerabilities identified”, and looking back in hindsight, that ‘external’ is doing a lot of heavy lifting.
Perhaps the responsibility is on users to take more notice of the wording of audit findings and their implications.
After all, any auditor handing over a report marked “WARNING: RUGGABLE” would soon find themselves lacking in clients.
But when audits are used as a lazy stamp of approval by projects looking to entice new users, degen gamblers and airdrop hunters…
…do we really expect anyone to read the fine print?
Especially when testing out the latest L2 du jour…
Will BASE be next?
REKT serves as a public platform for anonymous authors, we take no responsibility for the views or content hosted on REKT.