Kannagi Finance - REKT



The L2 rekt-volution continues.

Kannagi Finance, a yield aggregator on zkSync pulled the rug on Saturday.

Before the incident the project had $2.1M TVL according to DeFiLlama (now just $0.17), but the scammer only got away with around $1.1M.

The project’s website and socials have since been deleted.

Kannagi had been audited twice, and endorsed (via a deleted giveaway tweet) by ecosystem-leader SyncSwap, as was EraLend, which got rekt for $3.4M on Tuesday.

The current system of rubber-stamping protocols with incomplete audits and window dressing only serves to legitimise potential rugs and scams.

There must be a better framework.

We need internal consumer protection; if not, Gary will be happy to do it for us.

Is that what you want, anon?

Credit: PeckShield

As always, this rug pull offers nothing much to report.

While the contract was unverified, the audit report includes the line:

The MainChef address can initiate a withdrawal on behalf of a user by specifying the user's address and an amount to withdraw.

Not much of a mystery then.
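To make the audit line concrete, here is an illustrative reconstruction of the pattern it describes, placed beside a hardened vault. This is added example code, not Kannagi's contract (which was never verified); the contract and function names (RiskyVault, UserOnlyVault, mainChef, withdrawFor) are assumptions, and where the withdrawn funds land is not stated in the audit line, so the risky version assumes the worst case of the privileged caller receiving them.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal token interface used by both vaults below.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical reconstruction of "MainChef can initiate a withdrawal on behalf
// of a user by specifying the user's address and an amount". NOT Kannagi's code.
contract RiskyVault {
    IERC20 public immutable token;
    address public immutable mainChef;            // single privileged key, set once
    mapping(address => uint256) public balances;  // per-depositor accounting

    constructor(IERC20 _token, address _mainChef) {
        token = _token;
        mainChef = _mainChef;
    }

    function deposit(uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        balances[msg.sender] += amount;
    }

    // The centralization finding in one function: the caller chooses BOTH whose
    // balance is debited and how much. Depositors never consent, and nothing
    // (timelock, multisig, per-user cap) limits the mainChef key. An auditor or
    // user reading the report should treat this as "funds are custodial".
    function withdrawFor(address user, uint256 amount) external {
        require(msg.sender == mainChef, "not MainChef");
        balances[user] -= amount;                 // reverts on underflow in 0.8.x
        require(token.transfer(msg.sender, amount), "transfer failed");
    }
}

// Hardened counterpart: withdrawals are initiated only by the depositor, and the
// tokens can only ever go back to that depositor. No privileged role exists.
contract UserOnlyVault {
    IERC20 public immutable token;
    mapping(address => uint256) public balances;

    constructor(IERC20 _token) {
        token = _token;
    }

    function deposit(uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        balances[msg.sender] += amount;
    }

    // Checks-effects-interactions: debit first, then transfer to msg.sender only.
    function withdraw(uint256 amount) external {
        balances[msg.sender] -= amount;           // reverts if amount > balance
        require(token.transfer(msg.sender, amount), "transfer failed");
    }
}
```

The practical check for a reader of an audit report is whether any function can move a depositor's balance without that depositor being msg.sender, and whether the address allowed to call it is an EOA, a multisig, or behind a timelock. "Some centralized aspects are present" covers the first contract above; "no external vulnerabilities" says nothing about it.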

And the effect:

Scammer’s address (on zkSync and Ethereum): 0x95ec03b821f164ce55cbb26f23f591a9bd40d6c1

The rugged funds were bridged to Ethereum, where 600 ETH ($1.1M) was deposited into Tornado Cash.

Auditors SolidProof published a statement, clarifying that the vault contract did not fall under the scope of their audit, and passing the buck to SourceHat (previously Solidity Finance) who did audit the vault.

The SourceHat audit indeed pointed out that “some centralized aspects are present”, but is this common throwaway observation sufficient to absolve auditors of responsibility?

Combined with the statement “No external vulnerabilities identified”, and in hindsight, that ‘external’ is doing a lot of heavy lifting.

Perhaps the responsibility is on users to take more notice of the wording of audit findings and their implications.

After all, any auditor handing over a report marked “WARNING: RUGGABLE” would soon find themselves lacking in clients.

But when audits are used as a lazy stamp of approval by projects looking to entice new users, degen gamblers and airdrop hunters

…do we really expect anyone to read the fine print?

Especially when testing out the latest L2 du jour…

Will BASE be next?



REKT is a public platform of anonymous authors and takes no responsibility for the views or content published on REKT.

Donate (ETH / ERC20): 0x3C5c2F4bCeC51a36494682f91Dbc6cA7c63B514C

disclaimer:

REKT accepts no liability for content posted on our website by anonymous authors or by REKT, or posted on related services. We provide rules for the conduct and posts of anonymous authors, but we do not control and are not responsible for what anonymous authors post, transmit or share on the website or services, nor are we responsible for any offensive, inappropriate, obscene, illegal or otherwise harmful content you may encounter on the website or services. REKT is not responsible for the online or offline conduct of any user of our website or services.