On March 3rd, Meerkat Finance launched
with a massive staking program. Investors, who didn’t want to miss out
on the seemingly unmissable returns, quickly locked in 31 million dollars
in capital. 14 hours after launch, Meerkat announced on its Telegram that hackers
had stolen all of the user funds when in reality, they had just exit scammed. Subsequently, Meerkat
deleted their socials and shut down their website. This would go on to be called the largest rug
pull in decentralized finance. But two days later, a developer informed users that the money was safe
and they would all be refunded. This is the story of meerkat.finance, the 31 million dollar social
experiment, testing the limits of human greed. So how exactly did Meerkat manage
to scam users out of so much money? See, while it may seem like Meerkat
was an obvious Ponzi scheme, it was actually something called
decentralized finance, or DeFi for short. Well, you could argue that DeFi is a Ponzi scheme
in itself, but theoretically, it's perfectly safe, where yields over 1,000% APY are normal…
you know where to find them. Let me explain. Ethereum is a platform where anyone can create and
use decentralized smart contracts, allowing for a variety of uses, such as lending and borrowing
money, all without a middleman. But in February, Ethereum began suffering from its own success.
Because the network can only process around 30 transactions per second, the network was getting
congested, driving gas fees to unusable prices. Because of this, more people began migrating over
to the Binance Smart Chain, a clone of Ethereum, but with 100 times cheaper fees. And with it, the
decentralized applications had to move as well. Yearn.finance is a popular app on Ethereum
that allows users to use leverage while yield farming to maximize returns. But there was
no such platform on the Binance chain yet. So, alpaca.finance forked Yearn and made it
more suitable for the Binance Smart Chain. Meerkat would later fork Alpaca, so
it's important we look at Alpaca first. Anyways, what is leveraged yield farming? Let’s
say you have some money and want to invest it to earn some passive income, a process known as
You could take your money and put it into a liquidity pool, and earn around 100%
APY. Of course, there are some risks involved, as you can lose money through impermanent
loss. But let's say you are confident in your LP holding a steady ratio and think that you
will be profitable. Well instead of earning 100% APY, you can make 300% APY by borrowing twice
the amount of your investment through leverage. Now you bear three times the risk but three
times the reward. And on the other side, lenders would lend you this leveraged capital, and
you pay them interest.
Alpaca created the perfect platform to do this, and it was all decentralized
and secure. Alpaca launched on February 7th, with what it called “Phase 1”. At this
stage, it only implemented the lending aspect and not borrowing. The devs wanted to ensure that
when it launched the actual leverage, or “Phase 2” of the project, the vaults would be stacked with
enough capital to provide the yield farmers with. So how exactly does Alpaca incentivize
users during phase 1 to supply money? Meet the ALPACA token, the native
token of the Alpaca protocol. Users can stake their ALPACA to receive xALPACA,
which can be used to vote on changes to the Alpaca protocol, where 1 xALPACA equals one vote. So the
more ALPACA you have and the longer you hold it, the more voting power you accrue. And when a yield
farmer pays interest on a leveraged position, a portion of that money goes into buying ALPACA
and burning it, decreasing the total supply of the token and therefore raising the price.
You can think of the ALPACA token as the stock of the company.
Just like ALPACA, if you own
shares of Apple, you can vote on key issues. And every year, Apple spends billions of dollars
in stock buybacks, where it buys its own stock and removes it from the market, which rewards
investors by increasing the stock price. So just like stocks, the value of ALPACA is
dependent on the success of the protocol. The more people who use Alpaca, the more
valuable the token is. Public companies distribute their stocks through a process called
an Initial Public Offering, where they sell their stock and raise money for their company.
However, as DeFi is meant to be decentralized, this process would be unfair, as it would give
the tokens to a handful of wealthy people. Instead, DeFi protocols choose to distribute
their governance token through a fair launch. In this case, Alpaca chose
to give 10% to themselves, 4% for strategic capital, and the rest to the
Over a period of 35 months, anyone who lends or borrows through Alpaca protocol
will be rewarded with bonus ALPACA tokens. So this token is how we reward users in
stage 1 for providing money to the treasury. Usually, lenders would stake their funds
and receive interest from the borrowers plus some bonus ALPACA. But because there are
currently no borrowers, this rate of return would be zero. Instead, Alpaca decided to create
a bonus period, where borrowers can earn 7 times the usual amount of ALPACA for staking their
funds. In stage 1, you can deposit Binance USD, a stablecoin worth 1 dollar, Binance Coin, the
official currency for the Binance Smart Chain, or ALPACA liquidity pool tokens and
earn ALPACA as a reward for doing so. You can then withdraw your funds later to claim
your original investment back, plus any of the ALPACA you earned.
It’s basically free money.
And Alpaca grew to become a huge success. In its first 12 hours, it had amassed 40 million dollars
in deposits, with investors rushing to get in. See, 140 tokens would be distributed per block,
which is around 3 seconds. So investors wanted to get in as quickly as possible to snag
the highest rates of returns before more people got in and diluted the rewards.
justifies the 40 million dollars in investments? Even before any leveraged services were released,
investors saw huge potential for the project, which drove the price of
ALPACA up through speculation. This all created an insane rate of return,
leading to the 40 million dollars in investments. Over time, as the project gained publicity,
the total value locked reached 250 million and the rewards diluted to around 100% APY
as we see today, something more reasonable. But if you were early, you would've gotten upwards
of 10,000% APY that lasted for a few weeks. Wait but isn’t this just a Ponzi scheme?
How is money being created out of thin air? Again, this is the magic of DeFi, almost a
Technically, the value comes out of the Alpaca project itself, which provides
utility value by existing on the blockchain. The team behind Alpaca spent a lot of time creating a
good application, which gives their token value, which is then distributed as this “free money”.
One month later, meerkat.finance comes along, takes the source code, which is open source on the
blockchain, changes the mascot from an alpaca to a meerkat, changes the color scheme from green
to red, and launches.
They don’t even deny it, and they call themselves a fork of alpaca.finance
with some “more innovative features”. But it doesn’t even matter. Investors, who
felt left behind from Alpaca, rushed in to farm the Meerkat token. And just like that,
31 million in user funds disappear overnight. Apparently, these new “innovative features”
included a function to exit scam all of the funds. The vault, which is supposed to hold all of
the Binance USD and Binance Coin, is emptied. Additionally, the value of Meerkat plunges to
zero, and all the investors are left with nothing, as everything goes dark. How was Meerkat able
to run away with the funds? Looking at the blockchain, we can see that the devs called the
upgradeTo function, which changed the code of the Meerkat smart contract to a different proxy
contract, allowing them to drain the funds one minute later. However, this dangerous
function is protected by the ifAdmin modifier, meaning only the admin can call the function.
And when Meerkat was launched, the address of the admin was changed from the developer
wallet to a smart contract called a timelock. Meerkat was supposed to be trusted because
they had timelocked their contract at launch, meaning they gave up their admin access. But if we look closer, we can see that this
supposed timelock never really happened. The function admin returns the ADMIN_SLOT
And this ADMIN_SLOT variable was changed to the timelock by calling the changeAdmin
function, which calls the setAdmin function. But if we look at the setAdmin function,
we can see the exploit. Instead of changing the ADMIN_SLOT variable, it actually changes a
different variable with a zero instead of an o. So the admin was never changed and was
still just the address of the dev wallet. This is the zero worth 31 million dollars. Shortly after, a mod creates a thread on
the Binance forums for users to report more information on the scam, although he
admits that it will be nearly impossible for Binance to catch the thieves, given the
decentralized nature of the blockchain. But unlike Ethereum, the Binance
Smart Chain is relatively centralized. It consists of 21 validators, many of which
are owned by Binance themselves, with the rest owned by trusted groups that have some
connection with Binance.
Theoretically, Binance could use its power to alter the blockchain and
transfer funds from Meerkat back to the users. But this would seriously degrade trust in the
chain, even if Binance had good intentions. Binance has turned a blind eye to previous
rug pulls, and this time is no different. There was even a controversial game called
“Tanks of Tiananmen” developed to trigger Chinese authorities. But Binance has yet to be
pressured by China to censor the blockchain. So it looks like all the money is lost for good. But out of the darkness, a hero emerges in
a Telegram channel called Meerkatrefunds. He calls himself Jamboo, one of the developers for
Meerkat, and assures everyone that they will get their money back. 30 minutes later, the dev wallet
swaps 0.1 BNB for BUSD, just like he had stated, proving that Jamboo really does have
access to the Meerkat private key. Over the next few weeks, he provides instructions
for a new smart contract created to refund users. Everyone gets their money back and
it all ends happily ever after. So what was the point of Meerkat Finance?
The developers could have easily run away with the money, yet they chose not to.
very beginning, Meerkat’s code was malicious, but it’s a good thing their intent was never to
cause harm. It looks like Meerkat was created as a social experiment, and the developers
probably did not expect this level of success. Jamboo writes that Meerkat is a project
that tests user greed and subjectivity. Meerkat does not entice users
and investors to participate. And he's right. Meerkat merely copied an
existing project and provided zero extra utility. They never actually got around to showing
their supposedly new innovative features, as they never released phase 2. But
none of this mattered to investors, who will ape into any new project
with the fear of missing out. Meerkat perfectly highlights the stupidity of
this aspect of DeFi. Next, Meerkat warns users to be more careful with smart contracts.
is law, and one zero can change everything. Usually, projects get audited by a trusted third
party before launching, and Meerkat actually warned users that they hadn't been audited yet.
Any auditor would have spotted the faulty code. But amidst the rush to make a quick buck,
nobody realized it before it was too late. DeFi is essential, but it has a lot of
flaws. It flourishes on human greed.
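
The admin-slot mismatch described above is the kind of thing a pre-investment or audit check can catch mechanically. The following is an added example, not code from Meerkat or Alpaca: the Solidity excerpt is constructed from the transcript's description, and the name ADMIN_SL0T, the slot values and the helper functions are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed excerpt: the getter reads one constant, the setter writes a lookalike.
SAMPLE_SOURCE = """
bytes32 private constant ADMIN_SLOT = 0x01;
bytes32 private constant ADMIN_SL0T = 0x02;
function admin() internal view returns (address adm) {
    bytes32 slot = ADMIN_SLOT;
    assembly { adm := sload(slot) }
}
function setAdmin(address newAdmin) internal {
    bytes32 slot = ADMIN_SL0T;
    assembly { sstore(slot, newAdmin) }
}
"""

# Characters that render almost identically in many fonts.
CONFUSABLE = str.maketrans({"0": "O", "1": "l", "I": "l"})

def lookalike_constants(source):
    """Group constant names that collapse to the same visual skeleton."""
    groups = defaultdict(set)
    for name in re.findall(r"\bconstant\s+(\w+)", source):
        groups[name.translate(CONFUSABLE)].add(name)
    return [sorted(names) for names in groups.values() if len(names) > 1]

def slot_constant(source, function_name):
    """Return the constant a function assigns to its local `slot` variable."""
    pattern = r"function\s+" + re.escape(function_name) + r"\b(.*?)\n\}"
    body = re.search(pattern, source, re.S)
    match = body and re.search(r"bytes32\s+slot\s*=\s*(\w+)\s*;", body.group(1))
    return match.group(1) if match else None

def admin_after_change(source, dev, timelock):
    """Model proxy storage: write via the setter's slot, read via the getter's."""
    read_slot = slot_constant(source, "admin")
    write_slot = slot_constant(source, "setAdmin")
    storage = {read_slot: dev}       # admin is the deployer at creation
    storage[write_slot] = timelock   # what changeAdmin(timelock) actually stores
    return storage[read_slot]

if __name__ == "__main__":
    print("lookalike constants:", lookalike_constants(SAMPLE_SOURCE))
    print("getter reads:", slot_constant(SAMPLE_SOURCE, "admin"))
    print("setter writes:", slot_constant(SAMPLE_SOURCE, "setAdmin"))
    print("admin after changeAdmin:", admin_after_change(SAMPLE_SOURCE, "dev_wallet", "timelock"))
```

A non-empty result from lookalike_constants, or a getter and setter that resolve to different constants, means the "timelocked" admin should be verified by reading the slot on-chain rather than trusting the changeAdmin transaction.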