Dev says $31 million Meerkat Finance exploit was a ‘test’; will return funds
There may be good news on the horizon for the victims of one of DeFi’s largest-ever exploits.
At 5:30 AM UTC today, a Meerkat Finance developer identifying themselves as “Jamboo” posted a short message in a newly-created Telegram channel, “Meerkatrefunds.” In it, Jamboo said that the exploit was a “trial” testing user's greed and “subjectivity,” and that the team was preparing to refund all victims.
Jamboo provided proof of their association with Meerkat by sending a small transaction from the Meerkat deployer, demonstrating that they have access to the exploited contract (or communicates with someone who does). The transaction was processed on the Binance Smart Chain network roughly twenty minutes after Jamboo’s Telegram post.
Meerkat was a yield vault project that forked Yearn.Finance’s code — one of many forks of Ethereum-native protocols that populate BSC. The attack on Meerkat initially took place on March 4, one day after Meerkat's launch, resulting in a loss of 73,000 BNB and $14 million of stablecoin BUSD — a total of $31 million in user funds.
Members of the community were quick to label the exploit as a “rugpull” — a colloquial term for when an insider or a member of a development team exploits a contract using specialized permissions — given that the Meerkat deployer contract was updated to allow the vaults to be drained shortly before the attack.
Some thought that the exploit would be a test of Binance Smart Chain’s claim to decentralization. BSC is run by a network of 21 validator nodes, many of which are thought to be associated with or run directly by Binance.
Likewise, the exploit put the attacker in a difficult position: Binance controls on-offramps to BSC, meaning any stolen funds were locked on the chain and impossible to realize as profits.
Attention now turns to the Meerkat developers and their motivations. Jamboo’s message was short on specifics, and contained only vague references to what instigated the team to steal $31 million from users. Jamboo wrote that the team “invited a third party (hacker) to attack the vulnerability through the verify proxy contract,” and that a full report on the exploit will be forthcoming.
According to Jamboo, the theft was a demonstration of the avarice that pervades DeFi.
“DeFi is essential, but it has a lot of flaws. It is flourished by human greed.”