Arbitrum-based decentralized exchange (DEX) Swaprum has allegedly conducted a rug-pull on its users, with $3 million worth of customer deposits being swiped from the platform.
A rug-pull or exit scam occurs when a seemingly legitimate project ropes in a certain amount of investment or user deposits before promptly shutting everything down, pulling the capital and vanishing off into the distance โ if they donโt adequately cover their tracks, of course.
According to May 19 tweet from the alerts-focused account of blockchain security firm Peck Shield, the bad actors swiped 1,628 Ether (ETH) โ worth roughly $2.95 million at current prices โ from Swaprumโs liquidity pools, bridged it to Ethereum, and then โlaunderedโ almost all of those funds through crypto mixer Tornado Cash.
#PeckShieldAler #rugpull @Swaprum on #Arbitrum rugged ~$3M, $SAPR has dropped -100%. @Swaprum already deleted its social accounts/groups.
The scammers have bridged ~1,628 $ETH to #Ethereum and laundered 1,620 $ETH to Tornado Cashhttps://t.co/tUNgbwGQCd pic.twitter.com/UH8V9RyFHyโ PeckShieldAlert (@PeckShieldAlert) May 19, 2023
Following the incident, Swaprumโs Twitter, Telegram and Github accounts have all been deleted, however Swaprumโs website is still operational at the time of writing.
Adding extra context to the incident, fellow blockchain security firm Beosin claimed that the โdeployer of Swaprum used the add() backdoor function to steal LP [liquidity provider] tokens staked by users, then removed liquidity from the pool for profit.โ
This was apparently made possible due to the Swaprum developer team allegedly โupgrading the normal liquidity collateral reward contract to a contract containing backdoor functions.โ
3/ The backdoor function add() will transfer LP tokens from the contract to the _devadd address. By querying the _devadd address, it will return the โSwaprum:Deployerโ address. pic.twitter.com/Z1rZmFSf5R
โ Beosin Alert (@BeosinAlert) May 19, 2023
A keyword search for โSwaprumโ on Twitter yields several tweets from people calling out smart contract auditors CertiK over the whole ordeal, as the firm had conducted an audit of the platform as recently as May 5.
Related: Can you recover stolen Bitcoin from crypto scams?
Their complaints essentially assert that CertiK signed off on the platform by auditing the platform, with the โaudited by CertiKโ logo still currently up on the Swaprum website.
Well done @CertiK another rug thatโs comming from your audits.#swaprum @Swaprum #certik #scam #rug pic.twitter.com/cPlyx3GMU6
โ Crypto Emprende YT (@cryptoemprende_) May 18, 2023
However, it is worth noting that as per CertiKโs disclaimers, it โconducts security assessments on the provided source code exclusively,โ and canโt guarantee that its recommendations are integrated. In the audit, CertiK flagged a โmajorโ issue with how centralized Swaprum was.
While it also appears that the backdoor-related upgrades to the projectโs smart contracts were conducted after the audit was completed.
As it stands, CertiKโs website has now flagged Swaprum as an โexit scam.โ
Magazine: $3.4B of Bitcoin in a popcorn tin โ The Silk Road hackerโs story
