How the Meerkat, Furucombo, IYF & PAID Token ‘Hacks’ Work

This year has seen an epidemic of cryptocurrency scams, with the teams behind them claiming to be hacked.

scammers scam

This year has seen an epidemic of cryptocurrency scams, with the teams behind them claiming to be hacked. It is hard to prove with complete certainty that these were exit scams from the get-go but they certainly follow a common pattern that would lead us to question whether incompetence alone is a sufficient explanation for their failure to prevent proxy smart contract exploits that have been discussed since 2018, 2019, and even in a paper published last October.

In January, before the $PAID token ‘hack,’ its vulnerability was publicly known: “The owner can mint tokens and did mint tokens to fresh wallets who never bought the presale. Contract is behind a proxy.” ‘Behind a proxy’ means that the functions (that carry out transactions) of the smart contracts are accessed, or ‘called’, through a proxy. Also the upgradable proxy can be ‘updated’, for example by adding new functions in the proxy.


Although the functions of the smart contract themselves can not be changed, using certain exploits (discussed below), function calls to the original smart contract can be diverted to malicious functions within the proxy. Thus, you should never trust a proxy blindly even if it points to a trusted implementation because it may still be able to direct you to malicious implementations or be updated to do so in the future.

It is hard to believe that platforms such as Meerkat, Furucombo, IYF & PAID, DODODex were hacked because even if the developer was not behind the rug-pull, he/she certainly made sure that the code was vulnerable to it by implementing his smart contract behind an upgradeable proxy. It is safe to assume that if the developer had the foresight to implement this complex Ethereum proxy mechanism for future bug-fixing or updating his platform, then he/she would also have the wherewithal to take measures to protect his/her private key that allows access to upgrading the proxy. At the very least, therefore, these appear to have been ‘exploit-tests.’

All of the attacks on platforms involved updating the deployer’s smart contract by leveraging the upgradeability mechanism offered by proxy pattern smart contracts (explained here). Without multi-signature contract control, the attacker can use proxy upgradeability to ‘update’ the smart contract to burn and mint tokens or add any new functions to the code. The proxy contract was intended for developers to be able to delegate function calls to other contracts and upgrade delegates without breaking dependencies.

However, with exploits like function clashing, the proxy contract can be easily manipulated by the deployer or someone with access to the deployer’s private key to divert functions being called through the proxy.


A more detailed explanation on the inner workings of upgradeable proxy smart contracts can be found here.

Binance-based token Meerkat’s exploit put the attacker in a difficult position: Binance controls on and off-ramps to Binance Smart Chain (it’s easy with only 21 validator nodes), meaning any stolen funds were locked on the chain and impossible to convert to profits. Thus, the Meerkat team has now decided to return the $31 million in stolen user funds. The hacked Ethereum-based tokens’ users are still trying to find a resolution.

How to prevent yourself from getting rug-pulled and/or scammed

  1. Do not buy into smart contracts that are behind proxies.
  2. If you code, learn to reverse contracts by reading these guides (or hire a cyber-security company to audit the DeFi Project that you are investing in)

3. Make sure the token implements multi-signature contract control with keys held by people you know and trust
4. Follow War-on-Rugs on Twitter
5. Understand why and how upgradable proxy is implemented in a secure way
6. Use the HoneyBadger heuristic tool to analyze smart contracts and detect honey pot contracts on Ethereum

On the Flipside

The following recovery efforts are being made after the hacks:

  • Dev says $31 million Meerkat Finance exploit was a ‘test’; will return funds.
  • $PAID will relaunch the token holdings at a moment just before the exploit began. Those tokens will be replaced.
  • The decentralized exchange (DEX) platform DODO said in a statement Tuesday it expects just under half of the stolen funds ($1.88 million) to be returned.
  • Furucombo will issue 5 million iouCOMBO tokens to compensate victims of the hack.
  • IYF Developer lost access to Telegram and Twitter and is still trying to get back.

This article is for information purposes only and should not be considered trading or investment advice. Nothing herein shall be construed as financial, legal, or tax advice. Trading forex, cryptocurrencies, and CFDs pose a considerable risk of loss.

Milko Trajcevski

Milko Trajcevski is a DailyCoin news reporter, mainly focused on Ethereum (ETH), Cardano (ADA), and their founders (Vitalik Buterin and Charles Hoskinson). Milko is an avid follower of crypto and blockchain technology and has written thousands of articles on the subjects. He finds joy in transforming complex issues into written content that anyone can understand. Milko has used and analyzed numerous exchanges, such as Coinbase, FTX, and Binance. He also closely follows all of the latest news around the largest decentralized exchanges (DEXs). Location: Skopje, Macedonia