The L2 rekt-volution continues.
Kannagi Finance, a yield aggregator on zkSync pulled the rug on Saturday.
Before the incident the project had $2.1M TVL according to DeFiLlama (now just $0.17), but the scammer only got away with around $1.1M.
The current system of rubber-stamping protocols with incomplete audits and window dressing only serves to legitimise potential rugs and scams.
There must be a better framework.
We need internal consumer protection, if not Gary will be happy to do it for us.
Is that what you want, anon?
As always, this rug pull offers nothing much to report.
While the contract was unverified, the audit report includes the line:
The MainChef address can initiate a withdrawal on behalf of a user by specifying the user's address and an amount to withdraw.
Not much of a mystery then.
And the effect:
The rugged funds were bridged to Ethereum and where 600 ETH ($1.1M) was deposited into Tornado Cash.
Auditors SolidProof published a statement, clarifying that the vault contract did not fall under the scope of their audit, and passing the buck to SourceHat (previously Solidity Finance) who did audit the vault.
The SourceHat audit indeed pointed out that “some centralized aspects are present”, but is this common throwaway observation sufficient to absolve auditors of responsibility?
Combined with the statement “No external vulnerabilities identified”, and looking back in hindsight, that ‘external’ is doing a lot of heavy lifting.
Perhaps the responsibility is on users to take more notice of the wording of audit findings and their implications.
After all, any auditor handing over a report marked “WARNING: RUGGABLE” would soon find themselves lacking in clients.
But when audits are used as a lazy stamp of approval by projects looking to entice new users, degen gamblers and airdrop hunters…
…do we really expect anyone to read the fine print?
Especially when testing out the latest L2 du jour…
Will BASE be next?
REKT serves as a public platform for anonymous authors, we take no responsibility for the views or content hosted on REKT.
donate (ETH / ERC20): 0x3C5c2F4bCeC51a36494682f91Dbc6cA7c63B514C
REKT is not responsible or liable in any manner for any Content posted on our Website or in connection with our Services, whether posted or caused by ANON Author of our Website, or by REKT. Although we provide rules for Anon Author conduct and postings, we do not control and are not responsible for what Anon Author post, transmit or share on our Website or Services, and are not responsible for any offensive, inappropriate, obscene, unlawful or otherwise objectionable content you may encounter on our Website or Services. REKT is not responsible for the conduct, whether online or offline, of any user of our Website or Services.
you might also like...
One more added to the list. EraLend lost $3.4M to the rampant read-only reentrancy bug plaguing protocols across the cryptosphere. Comments are not effective reentrancy protection.
$1.8M disappeared in a puff of smoke as Merlin pulled the classic DeFi magic trick. The zksync-native DEX had just completed its audit with Certik. How can such an easily ruggable protocol be green-lit? Or are users also to blame?
Coinbase’s compliant and grown-up L2 is already a shitshow. BALD pulled the rug for $23M, and the deployer has some interesting connections... YOLO-mania is in full force while DeFi burns.