Chibi Finance, an Arbitrum-based platform, recently defrauded its users of approximately $1 million on June 27. CertiK, a blockchain security firm, confirmed that the scam was carried out through a malicious contract. As a consequence, the project’s native token, CHIBI, has experienced a drastic decline in value, plummeting nearly 99% at the time of this report. This incident marks the twelfth instance within the last six months where an Arbitrum project has deceived its users.
Following the rug pull, Chibi Finance took down its Twitter account and disappeared from other online platforms. The scammer managed to steal a total of 256,012.95 USDC, 94.67 WETH, 4.25520843 WBTC, 115,049 USDT, and 89,563.95 ARB. Subsequently, the stolen funds were exchanged for roughly 555 ETH and then transferred to Ethereum through a bridge. At present, all the stolen funds have been moved to the Tornado Cash mixer.
CertiK’s investigation revealed that the exploit began when the Chibi Finance deployer created a malicious contract using the EOA 0x80c1ca8f002744a3b22ac5ba6ffc4dc0deda58e3. Initially, the deployer funded this contract through a 10 ETH withdrawal on Tornado Cash. The malicious contract was given the “_gov” role, which granted it administrative privileges over the protocol, comparable to an administrator account on a computer network.
With these elevated privileges, the contract executed the “panic” function on the protocol, which let it perform an emergency withdrawal of all funds from the Chibi contracts. The stolen cryptocurrency was then transferred back to the EOA address.
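The sequence CertiK describes, a freshly created contract receiving the “_gov” role and then calling “panic”, is something a monitoring job can watch for. The sketch below is an added example, not code from CertiK or from the original report; the event model, the placeholder addresses and the 5000-block window are assumptions.

```python
from dataclasses import dataclass

WINDOW = 5000  # blocks; assumed threshold, tune per chain


@dataclass(frozen=True)
class Event:
    block: int
    kind: str         # "create", "grant" or "call"
    actor: str        # transaction sender / caller
    target: str       # created contract, role grantee, or called contract
    detail: str = ""  # role name for "grant", function name for "call"


# Constructed sample log; every address is a placeholder, not an on-chain value.
EVENTS = [
    Event(100, "grant", "DEPLOYER", "TIMELOCK", "_gov"),
    Event(9000, "create", "DEPLOYER", "NEW_CONTRACT"),
    Event(9010, "grant", "DEPLOYER", "NEW_CONTRACT", "_gov"),
    Event(9012, "call", "NEW_CONTRACT", "VAULT_A", "panic"),
    Event(9012, "call", "NEW_CONTRACT", "VAULT_B", "panic"),
    Event(9500, "call", "TIMELOCK", "VAULT_C", "panic"),
]


def review_gov_activity(events, window=WINDOW):
    """Return (severity, block, subject) tuples for suspicious _gov use."""
    created, fresh_gov, findings = {}, {}, []
    for ev in sorted(events, key=lambda e: e.block):
        if ev.kind == "create":
            created[ev.target] = ev.block
        elif ev.kind == "grant" and ev.detail == "_gov":
            born = created.get(ev.target)
            # Early warning: admin role handed to a contract that barely exists.
            if born is not None and ev.block - born <= window:
                fresh_gov[ev.target] = ev.block
                findings.append(("warn", ev.block, ev.target))
        elif ev.kind == "call" and ev.detail == "panic":
            since = fresh_gov.get(ev.actor)
            # Alert: emergency withdrawal triggered by that fresh admin.
            if since is not None and ev.block - since <= window:
                findings.append(("alert", ev.block, ev.target))
    return findings


if __name__ == "__main__":
    for finding in review_gov_activity(EVENTS):
        print(finding)
```

The "warn" finding fires at the role grant, before any withdrawal, which is the point at which depositors or a watchdog could still react.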
In its marketing materials, Chibi Finance claimed to be a “yield-optimizer” protocol that allowed users to deposit funds and earn rewards in the form of the CHIBI token. The project purported to have undergone an audit by blockchain security firm SolidProof. However, since the website has been taken down, CryptoSlate was unable to verify the authenticity of these claims. SolidProof has not responded to requests for comment at the time of this report. Additionally, the project engaged several cryptocurrency influencers to promote it and generate excitement within the community. Since the rug pull, most of these influencers have deleted their tweets and posts associated with Chibi Finance without providing any explanation.