Kokomo Finance, a non-custodial lending protocol, allegedly stole $4 million from its users over the weekend.

In an alert on Sunday, blockchain security firm CertiK notified users of Kokomo Finance’s exit scam which took place only two days after the project was first launched on Layer 2 blockchainsOptimism.

An exit scam refers to a scenario where the project’s creators abscond with their users’ funds, often after they have accumulated a significant sum. In this case, Kokomo Finance appears to have made off with $4 million worth of crypto deployed onto the platform by users in the last few days.

According to CertiK, the deployer of the protocol’s native token KOKO attacked the smart contract of cBTC, a wrapped Bitcoin token to pause the borrow function and alter the reward speed. After it was turned into a malicious contract, the deployer transferred 7000 “sonne WBTC” tokens to an Ethereum wallet address and converted them to 141 WBTC worth $4 million.

At the time of writing, all signs of Kokomo Finance’s online presence appear to have been completely wiped. The project’s social media pages, including Twitter, and its official website have been deleted.

The project was audited by smart contract auditor 0xGuard last week where one “high-severity issue” was raised by the team – the ability to mint 45% of the maximum supply of tokens to an arbitrary address.

Despite being operational for such a short period of time, data from DeFiLlama shows that the project quickly rose up the ranks in terms of total value locked, which was a little over $2 million at press time.