Kujira FIN KUJI/axlUSDC Contract

Rarma
Aug 5, 2024

This post will walk through three Kujira wallets' on-chain activities. One unknown wallet appears to have exploited the FIN Kuji/axlUSDC Contract to withdraw a substantial amount of $KUJI. There are also two Kujira Foundation-owned/controlled wallets. One is known as the “God wallet,” which appears to change contract parameters and store and migrate contract code. The other is the Kujira Foundation's “Ops” wallet, from which they primarily run their delegations and finances. This wallet appears to have withdrawn 320k axlUSDC from the contract.

Let's start with the Kuji/axlUSDC Fin contract. I queried the contract with some help from Vini from SCV to get the balance over time. This uses 100,000 block gaps to get a wide view of the balances.

The Contract balance starts at 425k axlUSDC and 330k KUJI at block 17,700,000.

The two main areas of focus became clear.

Between blocks 18,400,000 and 18,500,000, the contract's KUJI balance drops from 399,009 KUJI to just 39,933.

Between blocks 18,800,000 and 18,900,000, the axlUSDC balance of the contract drops from 330,000 axlUSDC to just 10,700.

Focusing first on the KUJI balance changes, I drilled into the blocks until I found an important series of blocks.

Within 260 blocks, the KUJI balance drops from ~372k to just 5k KUJI, while the axlUSDC balance remains essentially unchanged. Odd. We can see the balance changes from around block 18,435,310. So, I queried every block for balance changes and reviewed the blocks to see what was occurring.
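The coarse-then-fine search described above (sample at wide block gaps, then query every block inside a suspicious window) can be automated. The following is an added example, not code from the original post: `balance_at` is a hypothetical stand-in for a historical balance query against an archive node, and `HISTORY` is constructed sample data.

```python
from bisect import bisect_right

# Constructed balance history: (height where the balance took effect, balance).
# Values are illustrative, not taken from the chain.
HISTORY = [(0, 372_000), (1_316, 364_400), (1_328, 356_800), (1_334, 349_200)]

def balance_at(height):
    """Hypothetical stand-in for a historical balance query at `height`."""
    heights = [h for h, _ in HISTORY]
    return HISTORY[bisect_right(heights, height) - 1][1]

def change_blocks(query, lo, hi, step):
    """Return every height h in (lo, hi] where query(h) != query(h - 1).

    Samples every `step` blocks, then bisects each window whose endpoints
    differ. A window whose changes net to zero looks unchanged at the coarse
    stage and is skipped, so `step` must be small relative to the activity.
    """
    found, cache = [], {}

    def q(h):  # memoise so each height is queried once
        if h not in cache:
            cache[h] = query(h)
        return cache[h]

    def narrow(a, b):
        if q(a) == q(b):
            return
        if b - a == 1:
            found.append(b)
            return
        mid = (a + b) // 2
        narrow(a, mid)
        narrow(mid, b)

    a = lo
    while a < hi:
        b = min(a + step, hi)
        narrow(a, b)
        a = b
    return found

if __name__ == "__main__":
    print(change_blocks(balance_at, 0, 10_000, 1_000))
```

The same search works for any denom held by the contract; only the query function changes.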

At block height 18,435,316, wallet kujira1yjt7hqxjursac2cwlj79fpgj2jsmpu7edmgtd0 makes a withdrawal tx for order idx “4745062,” which is for ~7.6k KUJI. It's not alarming in itself.

Neither is the other TX withdrawing the exact same amount just 12 blocks later at block 18,435,328, with another order ID “4745063”, though it did raise my eyebrows.

Until… at block 18,435,334, we see ANOTHER withdraw tx for the exact same amount of KUJI; this time, however, the wallet REUSES the same order ID to withdraw from.

As we can see from their own wallet, each Order should have a UNIQUE ID.

They use this method continuously to remove KUJI from the Contract.
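A monitoring check for the pattern described above, written as an added example (not code from the original post or from Kujira). All records, addresses, ids and amounts are constructed, and it assumes an order may legitimately be withdrawn in parts, so it flags an order idx only when the cumulative payout exceeds what the order filled.

```python
from collections import defaultdict

# Constructed sample data; ids, addresses and amounts (whole KUJI) are illustrative.
ORDER_FILLED = {"1001": 7_600, "1002": 7_600, "1003": 5_000}  # idx -> filled amount
WITHDRAWALS = [  # (height, sender, order_idx, amount)
    (100, "addr_a", "1001", 7_600),
    (112, "addr_a", "1002", 7_600),
    (118, "addr_a", "1002", 7_600),  # same idx paid out again
    (124, "addr_a", "1002", 7_600),  # and again
    (130, "addr_b", "1003", 2_000),  # partial withdrawal
    (140, "addr_b", "1003", 3_000),  # remainder; total equals the fill
]

def overdrawn_orders(withdrawals, filled):
    """Report order idxs whose cumulative payout exceeds the order's fill.

    A repeated idx alone is not flagged: withdrawing in parts is fine while
    the running total stays within the filled amount. An idx missing from
    `filled` is treated as having nothing to pay out.
    """
    paid = defaultdict(int)
    report = {}
    for height, sender, idx, amount in sorted(withdrawals):
        paid[idx] += amount
        excess = paid[idx] - filled.get(idx, 0)
        if excess > 0:
            entry = report.setdefault(
                idx, {"first_excess_height": height, "senders": set()})
            entry["senders"].add(sender)
            entry["excess"] = excess  # running total paid beyond the fill
    return report

if __name__ == "__main__":
    for idx, info in overdrawn_orders(WITHDRAWALS, ORDER_FILLED).items():
        print(idx, info)
```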

I looked into their wallet history on stake.tax to see the movements of funds, and something stood out immediately. The balance of KUJI goes negative. This (generally) indicates that funds which had previously never been there LEAVE the account. They could arrive through another token and get swapped in, though I don’t see any transactions of that nature. It would still be odd for it to go negative. See here where an exploiter was able to drain funds through an IBC Hooks exploit on Terra. The wallet balance changes are very similar.

This left the contract in a state where the order book is essentially empty of KUJI…

Now, onto axlUSDC. Using the same method as KUJI, I tracked down the important block range where the axlUSDC balance changed.

At block 18,878,067, the balance changes from 330,789 axlUSDC to just 10,789, a substantial reduction. So, I looked into the block.

A retract order for the FIN KUJI/axlUSDC contract for Order ID 4746068.

This is the Kujira Foundation Ops wallet, as documented in my post here.

Notice the change in USDC balance to both the KUJI exploiter and also the Terra IBC Hooks exploiter?

Looking closer, a transaction occurs before the funds are removed. So I went into a block explorer to look further.

The team withdraws funds from an order and uses it to pay down a loan.

Looking closer, I couldn’t find an order that matches the 320k USDC for the team wallet. So I went to the contract itself.

Immediately before the team withdraws the funds, the FIN KUJI/axlUSDC contract is migrated. 5 blocks before… That is odd.

So I looked into the wallet kujira1tsekaqv9vmem0zwskmf90gpf0twl6k57e8vdnq, which is the “owner” or admin wallet for the Kujira team contract uploads. It is referenced in a number of proposals.

https://kujira.network/govern/161

We can see that the “God wallet” stores a contract, migrates the FIN KUJI/axlUSDC contract to it, creates a second contract, and migrates it to Code 313.

Note the block height of the final migration, 18,878,062: just 5 blocks before the team withdraws the 320k axlUSDC from the contract.

This seemed very odd, so with some help, I had the contract bytecode decompiled to investigate further. We can see the team wallet is coded within the contract. It could be associated somehow, such as the admin at the wasmd level.

However, there is another address in the contract, which is the Core Module account: kujira17xpfvakm2amg962yls6f84z3kell8c5lp3pcxh. So, I would suspect this account would be that rather than the team account.

What appears to have happened, and it's difficult to prove without the team coming forward and admitting/explaining, is that the FIN KUJI/axlUSDC contract was drained of a substantial amount of Kuji. After a period of time, the team migrated the contract to include an order for the axlUSDC for their account, which they used to pay down one of their loans. Then, they removed the pair from the front end.

I am unsure whose funds were withdrawn from the contract by the exploiter and the team order ID. Is it a build-up of maker/taker fees? Are they FIN users' funds? Something else? Regardless, it doesn’t look good without an explanation.

Additionally, the “God wallet” has been changing various Liquidation and LTV parameters for the team wallet's loans.

https://finder.kujira.network/kaiyo-1/tx/133FAF69D90163CFA09B1DEF9DC9EDA10F176241BE9A28F07DEDAB3BC2479CE4

The KUJI/USK Bow contract is an example.

https://finder.kujira.network/kaiyo-1/contract/kujira1hc0xq4mu536na35ypvyr8ud66fl57080m54eg0fd5ce2ns63np3qfh79yt

The “partial_liquidation” parameter was changed from 0.2 to 0.05. This was likely to accommodate the team's loans, liquidating smaller portions to allow the Orca bids to handle the volume they would produce due to the size of the positions.

And again, raising LTV on loans, such as the KUJI/USK, to allow more room for their loans before they liquidate.

I know the team is planning on changing things should they raise enough in the Pilot sale, though I think the community deserves transparency on the entire situation before any funds are raised to resolve the bad debt caused by the team’s actions.
