Crypto's summer of scams 2023: fake yield aggregators
How to steal $2,000,000 in 90 days - The zkSync Era Kannagi Finance case study
A group of anons with NFTs as their PFP and Chinese characters as their discord handle create a “decentralized yield aggregator” on a beta version of an L2 that just launched onto mainnet 90 days ago. The platform offers vaults with 400% APY on USDT, 500% on their native token, 1200% on partner tokens, and 100% on ETH.
The vaults investment strategy? There isn’t one. It’s paying yield to depositors by minting native tokens, but the dev team says it’s only temporary….
“…don’t worry fren, this is just genesis, and next month we’re going to unveil our automated investment strategies and reward early token holders with a $5000 USDT bonus. You are early!” - anon devs
What are these investment strategies? We don’t know.
What does their git doc library say? Coming soon.
Do we even care? Not in the slightest.
Do we exercise caution? No way, this is a once-in-a-lifetime investment opportunity to create massive wealth or at least buy a green lambo.
…. Does the crypto Twitter brain trust even echo any words of reservation?
Nah, we all ape in. This is Kannagi Finance.
Kannagi Finance was a yield aggregator that launched on zkSync Era ~June 2023. Yield aggregators in DeFi land are platforms that collect user deposits, “pools them together”, and use the pooled capital to earn yield using protocol-specific investment strategies.
Yield aggregation isn’t new; some of the heavy hitters include Yearn & Beefy, w/ about $1B USD TVL. For those who are into DIY, tools like DeFiSaver can be used to create, execute and manage more bespoke strategies. Moreover, protocols like GMX have an entire network of dApps that leverage the GMX GLP token to facilitate yield-generating activities.
Unfortunately for the holders of $KANA, Kannagi’s native token, “yield aggregation” was more of a marketing tactic than an investment strategy. Users who deploy capital into a Kannagi vault receive earnings not in the Vault’s asset, but rather in the dApp’s native token, $KANA.
A degen user deposits $10,000 USDT to the USDT vault
Yield is earned by the minute in $KANA tokens
Fast forward 365 days, the degen user now has $10,000 in USDT and $50,000 in KANA
….except $KANA has a low flow, low liquidity, and is controlled by an anon dev team so price predictability 365 days from now is unknown.
What’s a trip to me is we can clearly see the price action of $KANA compromised in the downward direction as the vault emissions dump $KANA onto the open market under the premise of a “Genesis” / “Initial Farm Offering” event.
What I find to be particularly insane is as more $KANA tokens are dumped onto retail traders with downward price pressure, the TVL in the Kannagi vaults goes up!
4/1/23 to 6/1/23 - Dev soft launch ERC20 contract created
7/1/23 - “Genesis public launch” with yield-generating vaults denominated in $KANA
7/15/23 - Kannagi vaults aggregate value > $1.35M, surpassing fully diluted valuation (FDV) of $1.22M
Around 7/22/23 Kannagi dev team goes silent, stops tweeting, stops posting yet TVL continues to increase to $2.2M USD while FDV declines to sub $700K USD
Keep in mind the premier vault within Kannagi was the $KANA vault which at its peak had around ~$300,000 KANA/USD locked across 7,000 holders with 5,000 $KANA “miners” (individuals who deployed $KANA into the $KANA vault to earn more $KANA).
The tokenomics behind $KANA’s launch were mindbending:
100 million $KANA tokens were created at genesis, with 10 million allocated as the initial liquidity. The Genesis period consisted of a 35-day window where 300,000 tokens were minted every day.
This means in a one-month period the circulating supply doubles
10,000,000 + (35 * 300,000) = 20,500,000
In one year the circulating supply doubles again:
20,500,000 + (100,000*365) = 57,000,000
So how is it possible that $KANA’s price goes down, while the underlying vault TVL can go up? The answer is always the same: hubris, greed, and irresponsible lending.
$KANA token holders were buying more tokens as the token price dropped, then used the newly acquired tokens as deposits into the Kannagi vault to earn..you guessed it, more $KANA tokens.
In crypto economics, I call this the tokenomics ponzi flywheel:
Anon dev team creates an ERC20 token with zero economic value (KANA)
Allocates outsized portion of token to founders, devs, early insiders, and “marketing partners” prior to formal launch
A marketing campaign is created under the pretense of a “token genesis” or “initial farm offering” giving retail traders the opportunity to participate in a novel dApp on an up-and-coming L2 with promises of rapid price appreciation and an L2 airdrop
Unsustainable yields are offered using various “investment vehicles” to lure lazy retail traders who don’t read the fine print
TVL goes up and Kannagi appears on a variety of leaderboards:
Number 1 yield aggregator on ZkSync Era via Defi Llama
Official partner of Syncswap, the number 1 dex by TVL on ZkSync Era
Zksync affiliates pumping Kannagi as TVL skyrockets
The flywheel repeats until the dev team calls it quits by draining all $KANA liquidity, liquidating all vaults, and closing all social media accounts
….as the TVL + token price reaches $0 USD, representing a 99.999996% loss. RIP.
My best guess is that in the aggregate Kannagi had somewhere around $2.2m of deposits locked with ~ $300,000 denominated in $ETH and $300,000 denominated in $KANA.
Given the circulating market cap of the $KANA token at $700,000 USD, the anon devs netted somewhere between $1.0M and $2.5M USD. Not bad for 90 days. Below you can see the Kannagi rug pull in-flight, with approximately 600ETH sent to Tornado Cash, ouch.
Where were the experts?
I continue to postulate the idea that there are no experts in crypto. The entire “DeFi” category is only ~5 years old, layer 2s on Ethereum are just now coming into the fold, and emerging tech like Zksync literally did not exist 12 months ago.
What does exist are a variety of worthless security firms that will happily “audit” a platform smart contract with a rubber stamp seal approval, in exchange for $50,000 USD. This was, unfortunately, the plight of Kannagi Finance, obtaining two separate audits from worthless security firms “SolidProof” (ERC20 contract) and Solidity Finance (vault contract).
If you take a moment to read the audit report of both vendors, you’ll realize how truly worthless they are. SolidProof’s “vulnerability and risk level assessment” matrix outlines a framework for quantifying risk as depicted below:
The results? I kid you not, zero issues.. the only vulnerability warning noted was the lack of inline comments in the code.
Zero critical issues
Zero high issues
Zero medium issues
Zero low issues
…One FYI on inline comments:
How is it possible that a security firm can audit a smart contract and identify zero vulnerabilities only to have a rug pull 60 days later? By ignoring all of the sh*t that actually matters.
SolidProof did not audit or determine if the deployer contract has the ability to lock, burn or transfer user funds.
SolidProof did not audit or determine if the deployer has the ability to pause the contract
SolidProof did not audit or determine if the deployer can mint excess tokens beyond the max/total supply
SolidProof did not KYC the dev team
What did SolidProof do? Nothing except collect $50,000 in exchange for a rubber stamp approval. Keep in mind SolidProof has “audited” over 790 smart contracts since its inception. Do you trust them? I don’t.
Their defense is a lame one, indicating the SolidProof security team only audited the ERC20 contract and not the underlying vaults.
Despite having a personal opinion that SolidProof is inherently worthless and should be de-platformed from the crypto ecosystem, at least the team responded. Solidity Finance, worthless security firm number 2, responsible for auditing the Kannagi vaults has decided to completely ignore the rug pull and bury its head in the sand.
Why? Their audit of Kannagi Finance across 22 vulnerability categories produced an overall contract security rating of “PASS” with, I kid you not, the only finding being a code revision to improve gas costs associated with transactions:
Description: Although the SafeMath library is utilized, the contract is implemented with Solidity v0.8.x which has built-in overflow checks.
Recommendation: SafeMath could be safely removed to reduce contract size, deployment costs, and gas costs on all transactions that utilize it. - Solidity Finance Kannagi audit
Yet if we take a moment to read the audit report, we see the following points:
…address can initiate a deposit on behalf of a user by specifying the user's address and an amount to deposit.
… address can initiate a withdrawal on behalf of a user by specifying the user's address and an amount to withdraw.
The team can upgrade the contract at any time.
The MainChef contract was not included in the scope of this audit so our team is unable to provide an assessment with regard to its security.
In plain English: the vault contract can initiate deposits & withdrawals w/o owner consent, the contract can be upgraded (read - code can be changed at any time), the MainChef contract, which is the mechanism that facilitates the deposit and withdrawal functions are actually out of the scope of the audit.
Again, how is it possible that a security firm can audit a smart contract and identify zero vulnerabilities only to have a rug pull 60 days later? By ignoring all of the sh*t that actually matters. Shame on Solidity Finance.
There’s been an abundance of issues within the layer 2 ecosystem over the past few weeks, not just limited to Kannagi:
EraLend - the number one lending vault on ZkSync Era had its USDC vault hacked.
Base - the Coinbase KYC L2 built on optimism was victim to its first pump-and-dump meme coin - $BALD, with zero ability to withdraw.
Woldcoin - perhaps the biggest scam in L2 history, launched with a $690M circulating market cap.
Even OGs like CRV were recently subject to a zero-day security exploit that has ~$150M of CRV collateral at risk. I remain grounded in the following set of first principles that guide me across the DeFi ecosystem:
100% of utility tokens are worthless and will go to zero
100% of tokens with no revenue accrual to their holders are worthless and will go to zero
Real crypto wealth is reserved for angel and/or institutional investors who participate in private token investment opportunities via SAFT off-chain contracts
Retail traders who buy tokens on the open market are the bag holders
If you decide to play this game of crypto speculation, heed this quote from the 2000s classic “Devil take the hindmost - a history of financial speculation”:
“…most bubble companies preyed on the credulity and cynicism of those who bought their shares. Speculators did not buy bubble company shares as long time investments, they bought them with the intention of selling them onto a greater fool. In a very short time, however, they were to discover that there we no greater fools in the market than themselves”. - Devil Take the Hindmost
To knowledge and wisdom,
Article cover generated by DALL-E: “An oil painting of Chinese communist spies whiteboarding a crypto ponzi scam”: