KawaFarm Exploitation: Update and Recovery Plan

Kawakami
Aug 21, 2021

Dear Kawa community,

As many of you know, KawaFarm was exploited on 19th August 2021.

This exploit was perpetrated by a rogue developer who went by the handle @crypt0x0. This person was hired in early August. We made our decision to hire them based on a review of their previous work and on positive references from the teams of two other cryptocurrency projects.

This developer had been helpful in the upgrade of KawaFarm 2.0 and we started to trust their work. Last week, users of KawaFarm 2.0 reported a group of bugs which needed to be fixed. At this time our lead developer was not available and we decided to ask the new developer to implement the fix, which they did.

Unknown to us, a couple of days after this they edited the Farm code again, changed the token withdrawal addresses for the largest pools (KAWA, SHIB and KISHU) to their own, and then drained the majority of tokens from our staking pools. On receiving these tokens, they immediately sold them all on Uniswap, causing a price plunge of over 85%, and then laundered the ETH they received through Tornado Cash.

The amounts of tokens stolen from each pool and the amounts of ETH the attacker received from the sale are as follows:

KAWA 340B = 41.90 ETH = $130,109

SHIB 6.386B = 16.65 ETH = $51,675

KISHU 13.12T = 3.28 ETH = $10,525

The attacker sent a total of 61.7 ETH through Tornado Cash, equating to a theft of US$196,515.

The Situation

The attacker failed to change the KawaFarm ownership over to themselves, so our lead developer has retained control of it and has withdrawn all unallocated xKAWA to a team-controlled address. As a result, xKAWA has not been affected by this exploit.

Although you may still see a KAWA balance on your farm dashboard, please do not attempt to unstake as there are actually no tokens there and you will pay a gas fee for nothing. However, as xKAWA is not affected, you will soon be able to harvest whatever xKAWA balance you had accumulated.

The current KawaFarm 2.0 will be abandoned and redeployed once we can be sure of its safety.

KawaFarm 1.0 has not been involved in this exploit. Therefore, those who had staked KAWA on 1.0 and not yet changed over to 2.0 are able to withdraw their KAWA without issue.

It is still possible to trade KAWA on Uniswap, because aside from the attacker mass-selling the stolen tokens on the market, this exploit has had nothing to do with our liquidity pool. As the original LP tokens were burned, we cannot stop KAWA trading on Uniswap (and indeed people have continued to trade it despite the team advising not to).

The Attacker

The criminal who undertook this exploit should not feel they have gotten away with it safely. At Kawakami, we have always been blessed with a great community and our whales are no exception. Fortunately for us, one of our whales works in cyber security and has a close contact in Forensics at CipherTrace. This whale is going to use whatever resources necessary to identify the attacker, doxx them, and report them to local authorities. He has vowed not to stop until we get the funds back, in whatever shape or form that may be.

We have also started a dialogue with the cryptocurrency project teams who gave the attacker a positive reference. We will be asking for an explanation about what has happened and will see if there is information they might be able to provide to aid in identifying them.

The Recovery

Giving up on Kawakami has never been an option. To that end, the team and whales met urgently yesterday to discuss our plans for recovery.

After considering many options, the decision was made to launch a new token, Kawakami (KAWA), and airdrop it to all of our community. This relaunch will occur next week.

You will note that we have dropped the ‘Inu’ from our name. This subtle rebrand signifies a new phase in our growth as we endeavour to become less “dog” and more “us”.

The new token will have the same supply as the original KAWA and will be distributed 1:1 based on a snapshot taken prior to the hack. This means that everyone who held KAWA in their wallets or had staked it in the KawaFarm (both 1.0 and 2.0) will receive the new token.

Although we cannot reimburse the SHIB and KISHU that were stolen, we instead plan to airdrop the new KAWA to those people. They will receive KAWA according to the size of their lost SHIB/KISHU. For example, if a user had $1000 of KISHU stolen, we will airdrop $1000 of KAWA. There will be some users who staked KAWA as well as SHIB or KISHU. These users will receive more than one airdrop.

The old KAWA will no longer be supported or used in any of our current or future products.

Please note that KAWA purchased on Uniswap following the exploit will not be eligible for an airdrop of the new KAWA. Only KAWA owned pre-exploit will be. Allowing this to happen would cause a situation where there are whales who have been created by taking advantage of an unfair situation, and we have witnessed this have negative consequences for other projects that have been exploited.

However, with the price staying relatively stable, these individuals will be able to sell their old KAWA with minimal or no loss and purchase the new token.

Once the relaunch occurs, we will continue on with our existing plans for the KawaFarm and the xKAWA tokenomics upgrade as previously outlined.

The team have taken a number of hard-earned lessons away from this event.

Firstly, we have vowed to never use an anonymous developer again, regardless of their references or portfolio. This has also highlighted to the team the negatives of anonymity and as a result there are some team members — specifically those interacting with source code — who plan to doxx themselves.

Secondly, we will arrange an audit of KawaFarm 2.0 and the upgraded xKAWA as soon as possible after deployment. Even though an audit would likely not have made a difference in this attack, we want to assure our community that we are committed to building reliable products and keeping all funds safe.

Finally, this event has confirmed for the team that we truly do have one of the best memecoin communities out there. The vast majority of people in our Telegram group have shown nothing but support during this difficult time and we appreciate all of you.

Despite the setback, this is not the end for Kawakami. The team remains as determined as ever — probably even more so now — to make Kawakami one of the strongest memecoins in existence. We are incredibly excited about our future and we cannot thank you enough for all of your support!

Kawakami

The decentralized ecosystem for meme tokens fueled by the KAWA token on the Ethereum network. Join our community: https://discord.gg/kawakami