Dev says $31 million Meerkat Finance exploit was a ‘test’; will return funds

Published at: March 6, 2021

There may be good news on the horizon for the victims of one of DeFi’s largest-ever exploits. 

At 5:30 AM UTC today, a Meerkat Finance developer identifying themselves as “Jamboo” posted a short message in a newly created Telegram channel, “Meerkatrefunds.” In it, Jamboo said that the exploit was a “trial” testing users' greed and “subjectivity,” and that the team was preparing to refund all victims.

Jamboo provided proof of their association with Meerkat by sending a small transaction from the Meerkat deployer, demonstrating that they have access to the exploited contract (or communicate with someone who does). The transaction was processed on the Binance Smart Chain network roughly twenty minutes after Jamboo’s Telegram post.

Meerkat was a yield vault project that forked Yearn.Finance’s code — one of many forks of Ethereum-native protocols that populate BSC. The attack on Meerkat initially took place on March 4, one day after Meerkat's launch, resulting in a loss of 73,000 BNB and $14 million of stablecoin BUSD — a total of $31 million in user funds.

Members of the community were quick to label the exploit as a “rugpull” — a colloquial term for when an insider or a member of a development team exploits a contract using specialized permissions — given that the Meerkat deployer contract was updated to allow the vaults to be drained shortly before the attack.

Some thought that the exploit would be a test of Binance Smart Chain’s claim to decentralization. BSC is run by a network of 21 validator nodes, many of which are thought to be associated with or run directly by Binance. 

Likewise, the exploit put the attacker in a difficult position: Binance controls the on- and off-ramps to BSC, meaning any stolen funds were locked on the chain and impossible to realize as profits.

Attention now turns to the Meerkat developers and their motivations. Jamboo’s message was short on specifics and contained only vague references to what prompted the team to steal $31 million from users. Jamboo wrote that the team “invited a third party (hacker) to attack the vulnerability through the verify proxy contract,” and that a full report on the exploit will be forthcoming.

According to Jamboo, the theft was a demonstration of the avarice that pervades DeFi.

“DeFi is essential, but it has a lot of flaws. It is flourished by human greed.”