meerkat.finance: A “Social Experiment”

On March 3rd, Meerkat Finance launched with a massive staking program. Investors, who didn’t want to miss out on the seemingly unmissable returns, quickly locked in 31 million dollars in capital. 14 hours after launch, Meerkat announced on its Telegram that hackers had stolen all of the user funds when in reality, they had just exit scammed. Subsequently, Meerkat deleted their socials and shut down their website. This would go on to be called the largest rug pull in decentralized finance. But two days later, a developer informed users that the money was safe and they would all be refunded. This is the story of meerkat.finance, the 31 million dollar social experiment, testing the limits of human greed.

So how exactly did Meerkat manage to scam users out of so much money? See, while it may seem like Meerkat was an obvious Ponzi scheme, it was actually something called decentralized finance, or DeFi for short. Well, you could argue that DeFi is a Ponzi scheme in itself, but theoretically, it's perfectly safe, where yields over 1,000% APY are normal… If you know where to find them. Let me explain.

Ethereum is a platform where anyone can create and use decentralized smart contracts, allowing for a variety of uses, such as lending and borrowing money, all without a middleman. But in February, Ethereum began suffering from its own success. Because the network can only process around 30 transactions per second, the network was getting congested, driving gas fees to unusable prices. Because of this, more people began migrating over to the Binance Smart Chain, a clone of Ethereum, but with 100 times cheaper fees. And with it, the decentralized applications had to move as well.

Yearn.finance is a popular app on Ethereum that allows users to use leverage while yield farming to maximize returns. But there was no such platform on the Binance chain yet. So, alpaca.finance forked Yearn and made it more suitable for the Binance Smart Chain. Meerkat would later fork Alpaca, so it's important we look at Alpaca first.

Anyways, what is leveraged yield farming? Let’s say you have some money and want to invest it to earn some passive income, a process known as yield farming.

You could take your money and put it into a liquidity pool, and earn around 100% APY. Of course, there are some risks involved, as you can lose money through impermanent loss. But let's say you are confident in your LP holding a steady ratio and think that you will be profitable. Well, instead of earning 100% APY, you can make 300% APY by borrowing twice the amount of your investment through leverage. Now you bear three times the risk but three times the reward. And on the other side, lenders would lend you this leveraged capital, and you pay them interest.

Alpaca created the perfect platform to do this, and it was all decentralized and secure. Alpaca launched on February 7th, with what it called “Phase 1”. At this stage, it only implemented the lending aspect and not borrowing. The devs wanted to ensure that when it launched the actual leverage, or “Phase 2” of the project, the vaults would be stacked with enough capital to provide the yield farmers with.

So how exactly does Alpaca incentivize users during phase 1 to supply money? Meet the ALPACA token, the native token of the Alpaca protocol. Users can stake their ALPACA to receive xALPACA, which can be used to vote on changes to the Alpaca protocol, where 1 xALPACA equals one vote. So the more ALPACA you have and the longer you hold it, the more voting power you accrue. And when a yield farmer pays interest on a leveraged position, a portion of that money goes into buying ALPACA and burning it, decreasing the total supply of the token and therefore raising the price. You can think of the ALPACA token as the stock of the company.

Just like ALPACA, if you own shares of Apple, you can vote on key issues. And every year, Apple spends billions of dollars in stock buybacks, where it buys its own stock and removes it from the market, which rewards investors by increasing the stock price. So just like stocks, the value of ALPACA is dependent on the success of the protocol. The more people who use Alpaca, the more valuable the token is.

Public companies distribute their stocks through a process called an Initial Public Offering, where they sell their stock and raise money for their company. However, as DeFi is meant to be decentralized, this process would be unfair, as it would give the tokens to a handful of wealthy people. Instead, DeFi protocols choose to distribute their governance token through a fair launch. In this case, Alpaca chose to give 10% to themselves, 4% for strategic capital, and the rest to the community.

Over a period of 35 months, anyone who lends or borrows through Alpaca protocol will be rewarded with bonus ALPACA tokens. So this token is how we reward users in stage 1 for providing money to the treasury. Usually, lenders would stake their funds and receive interest from the borrowers plus some bonus ALPACA. But because there are currently no borrowers, this rate of return would be zero. Instead, Alpaca decided to create a bonus period, where borrowers can earn 7 times the usual amount of ALPACA for staking their funds. In stage 1, you can deposit Binance USD, a stablecoin worth 1 dollar, Binance Coin, the official currency for the Binance Smart Chain, or ALPACA liquidity pool tokens and earn ALPACA as a reward for doing so. You can then withdraw your funds later to claim your original investment back, plus any of the ALPACA you earned.

It’s basically free money. And Alpaca grew to become a huge success. In its first 12 hours, it had amassed 40 million dollars in deposits, with investors rushing to get in. See, 140 tokens would be distributed per block, which is around 3 seconds. So investors wanted to get in as quickly as possible to snag the highest rates of returns before more people got in and diluted the rewards.

But what justifies the 40 million dollars in investments? Even before any leveraged services were released, investors saw huge potential for the project, which drove the price of ALPACA up through speculation. This all created an insane rate of return, leading to the 40 million dollars in investments. Over time, as the project gained publicity, the total value locked reached 250 million and the rewards diluted to around 100% APY as we see today, something more reasonable. But if you were early, you would've gotten upwards of 10,000% APY that lasted for a few weeks.

Wait, but isn’t this just a Ponzi scheme? How is money being created out of thin air? Again, this is the magic of DeFi, almost a Ponzi scheme.

Technically, the value comes out of the Alpaca project itself, which provides utility value by existing on the blockchain. The team behind Alpaca spent a lot of time creating a good application, which gives their token value, which is then distributed as this “free money”.

One month later, meerkat.finance comes along, takes the source code, which is open source on the blockchain, changes the mascot from an alpaca to a meerkat, changes the color scheme from green to red, and launches.

They don’t even deny it, and they call themselves a fork of alpaca.finance with some “more innovative features”. But it doesn’t even matter. Investors, who felt left behind from Alpaca, rushed in to farm the Meerkat token. And just like that, 31 million in user funds disappear overnight. Apparently, these new “innovative features” included a function to exit scam all of the funds. The vault, which is supposed to hold all of the Binance USD and Binance Coin, is emptied. Additionally, the value of Meerkat plunges to zero, and all the investors are left with nothing, as everything goes dark.

How was Meerkat able to run away with the funds? Looking at the blockchain, we can see that the devs called the upgradeTo function, which changed the code of the Meerkat smart contract to a different proxy contract, allowing them to drain the funds one minute later. However, this dangerous function is protected by the ifAdmin flag, meaning only the admin can call the function. And when Meerkat was launched, the address of the admin was changed from the developer wallet to a smart contract called a timelock. Meerkat was supposed to be trusted because they had timelocked their contract at launch, meaning they gave up their admin access.

But if we look closer, we can see that this supposed timelock never really happened. The function admin returns the ADMIN_SLOT variable. And this ADMIN_SLOT variable was changed to the timelock by calling the changeAdmin function, which calls the setAdmin function. But if we look at the setAdmin function, we can see the exploit. Instead of changing the ADMIN_SLOT variable, it actually changes a different variable with a zero instead of an o. So the admin was never changed and was still just the address of the dev wallet. This is the zero worth 31 million dollars.

Shortly after, a mod creates a thread on the Binance forums for users to report more information on the scam, although he admits that it will be nearly impossible for Binance to catch the thieves, given the decentralized nature of the blockchain. But unlike Ethereum, the Binance Smart Chain is relatively centralized. It consists of 21 validators, many of which are owned by Binance themselves, with the rest owned by trusted groups that have some connection with Binance.

Theoretically, Binance could use its power to alter the blockchain and transfer funds from Meerkat back to the users. But this would seriously degrade trust in the chain, even if Binance had good intentions. Binance has turned a blind eye to previous rug pulls, and this time is no different. There was even a controversial game called “Tanks of Tiananmen” developed to trigger Chinese authorities. But Binance has yet to be pressured by China to censor the blockchain. So it looks like all the money is lost for good.

But out of the darkness, a hero emerges in a Telegram channel called Meerkatrefunds. He calls himself Jamboo, one of the developers for Meerkat, and assures everyone that they will get their money back. 30 minutes later, the dev wallet swaps 0.1 BNB for BUSD, just like he had stated, proving that Jamboo really does have access to the Meerkat private key. Over the next few weeks, he provides instructions for a new smart contract created to refund users. Everyone gets their money back and it all ends happily ever after.

So what was the point of Meerkat Finance? The developers could have easily run away with the money, yet they chose not to.

From the very beginning, Meerkat’s code was malicious, but it’s a good thing their intent was never to cause harm. It looks like Meerkat was created as a social experiment, and the developers probably did not expect this level of success. Jamboo writes that Meerkat is a project that tests user greed and subjectivity. Meerkat does not entice users and investors to participate. And he's right. Meerkat merely copied an existing project and provided zero extra utility. They never actually got around to showing their supposedly new innovative features, as they never released phase 2. But none of this mattered to investors, who will ape into any new project with the fear of missing out. Meerkat perfectly highlights the stupidity of this aspect of DeFi. Next, Meerkat warns users to be more careful with smart contracts.

Code is law, and one zero can change everything. Usually, projects get audited by a trusted third party before launching, and Meerkat actually warned users that they hadn't been audited yet. Any auditor would have spotted the faulty code. But amidst the rush to make a quick buck, nobody realized it before it was too late. DeFi is essential, but it has a lot of flaws. It flourishes on human greed.
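The look-alike name described above (ADMIN_SLOT next to a variant with a zero in place of the O) is something a reviewer can surface mechanically before depositing into an unaudited fork. The following is an added example, not code from Meerkat, Alpaca or the video: the Solidity snippet is a constructed sample, and the spelling ADMIN_SL0T and the helper names are assumptions made for illustration.

```python
import re
from collections import defaultdict
from itertools import combinations

# Character pairs that are easy to misread for one another in source code.
PAIRS = {frozenset(p) for p in ("0O", "0o", "1l", "1I", "lI")}
# Comments and string literals are blanked out before identifiers are read.
SKIP = re.compile(r'//[^\n]*|/\*.*?\*/|"(?:\\.|[^"\\\n])*"', re.S)
IDENT = re.compile(r"(?<![A-Za-z0-9_$])[A-Za-z_$][A-Za-z0-9_$]*")

def confusable(a, b):
    """True if a and b differ only by look-alike characters."""
    if a == b or len(a) != len(b):
        return False
    return all(x == y or frozenset((x, y)) in PAIRS for x, y in zip(a, b))

def find_lookalikes(source):
    """Return [(name_a, lines_a, name_b, lines_b)] for confusable identifiers."""
    # Keep newlines so reported line numbers match the original file.
    code = SKIP.sub(lambda m: "\n" * m.group().count("\n"), source)
    seen = defaultdict(list)
    for lineno, line in enumerate(code.splitlines(), 1):
        for name in IDENT.findall(line):
            if lineno not in seen[name]:
                seen[name].append(lineno)
    return [(a, seen[a], b, seen[b])
            for a, b in combinations(sorted(seen), 2) if confusable(a, b)]

# Constructed sample modelled on the description above; not Meerkat's source.
SAMPLE = '''\
contract ExampleProxy {
    bytes32 private constant ADMIN_SLOT = keccak256("example.proxy.admin");
    bytes32 private constant ADMIN_SL0T = keccak256("example.proxy.other");

    function _admin() internal view returns (address adm) {
        bytes32 slot = ADMIN_SLOT;   // slot the access check reads
        assembly { adm := sload(slot) }
    }

    function _setAdmin(address newAdmin) internal {
        bytes32 slot = ADMIN_SL0T;   // look-alike: writes a different slot
        assembly { sstore(slot, newAdmin) }
    }
}
'''

if __name__ == "__main__":
    for a, la, b, lb in find_lookalikes(SAMPLE):
        print(f"{a} (lines {la}) looks like {b} (lines {lb})")
```

A hit from this check is a prompt to read both declarations and every use; the stronger confirmation is to read the proxy's admin storage slot on-chain after the announced timelock transfer and compare it with the timelock address.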
