Arbitrum-based decentralized exchange (DEX) Swaprum has allegedly conducted a rug-pull on its users, with $3 million worth of customer deposits being swiped from the platform.<\/p>\n
A rug-pull or exit scam<\/a> occurs when a seemingly legitimate project ropes in a certain amount of investment or user deposits before promptly shutting everything down, pulling the capital and vanishing off into the distance \u2014 if they don\u2019t adequately cover their tracks<\/a>, of course. <\/p>\n According to May 19 tweet from the alerts-focused account of blockchain security firm Peck Shield, the bad actors swiped 1,628 Ether (ETH<\/a>) \u2014 worth roughly $2.95 million at current prices \u2014 from Swaprum\u2019s liquidity pools, bridged it to Ethereum, and then \u201claundered\u201d almost all of those funds through crypto mixer Tornado Cash. <\/p>\n #PeckShieldAler<\/a> #rugpull<\/a> @Swaprum<\/a> on #Arbitrum<\/a> rugged ~$3M, $SAPR<\/a> has dropped -100%. @Swaprum<\/a> already deleted its social accounts\/groups. \u2014 PeckShieldAlert (@PeckShieldAlert) May 19, 2023<\/a><\/p><\/blockquote>\n Following the incident, Swaprum\u2019s Twitter, Telegram and Github accounts have all been deleted, however Swaprum\u2019s website is still operational at the time of writing.<\/p>\n Adding extra context to the incident, fellow blockchain security firm Beosin claimed that the \u201cdeployer of Swaprum used the add() backdoor function to steal LP [liquidity provider] tokens staked by users, then removed liquidity from the pool for profit.\u201d<\/p>\n This was apparently made possible due to the Swaprum developer team allegedly \u201cupgrading the normal liquidity collateral reward contract to a contract containing backdoor functions.\u201d <\/p>\n 3\/ The backdoor function add() will transfer LP tokens from the contract to the _devadd address. By querying the _devadd address, it will return the \u2018Swaprum:Deployer\u2019 address. pic.twitter.com\/Z1rZmFSf5R<\/a><\/p>\n \u2014 Beosin Alert (@BeosinAlert) May 19, 2023<\/a><\/p><\/blockquote>\n A keyword search for \u201cSwaprum\u201d on Twitter yields several tweets from people calling out smart contract auditors<\/a> CertiK over the whole ordeal, as the firm had conducted an audit of the platform as recently as May 5. <\/p>\n Related: <\/em><\/strong>Can you recover stolen Bitcoin from crypto scams?<\/em><\/strong><\/a><\/p>\n Their complaints essentially assert that CertiK signed off on the platform by auditing the platform, with the \u201caudited by CertiK\u201d logo still currently<\/a> up on the Swaprum website. <\/p>\n Well done @CertiK<\/a> another rug that\u2019s comming from your audits.#swaprum<\/a> @Swaprum<\/a> #certik<\/a> #scam<\/a> #rug<\/a> pic.twitter.com\/cPlyx3GMU6<\/a><\/p>\n \u2014 Crypto Emprende YT (@cryptoemprende_) May 18, 2023<\/a><\/p><\/blockquote>\n However, it is worth noting that as per CertiK\u2019s disclaimers, it \u201cconducts security assessments on the provided source code exclusively,\u201d and can\u2019t guarantee that its recommendations are integrated. In the audit, CertiK flagged a \u201cmajor\u201d issue with how centralized Swaprum was. <\/p>\n While it also appears that the backdoor-related upgrades to the project\u2019s smart contracts were conducted after the audit was completed.<\/p>\n As it stands, CertiK\u2019s website has now flagged Swaprum as an \u201cexit scam.\u201d<\/p>\n Magazine: <\/em><\/strong>$3.4B of Bitcoin in a popcorn tin \u2014 The Silk Road hacker\u2019s story<\/em><\/strong><\/a><\/p>\n<\/div>\n\n
The scammers have bridged ~1,628 $ETH<\/a> to #Ethereum<\/a> and laundered 1,620 $ETH<\/a> to Tornado Cashhttps:\/\/t.co\/tUNgbwGQCd<\/a> pic.twitter.com\/UH8V9RyFHy<\/a><\/p>\n![](\"https:\/\/s3.cointelegraph.com\/uploads\/2023-05\/895a8bd0-149a-4721-ab99-2d7e6b36b75d.png\")
\n
\n
![](\"https:\/\/s3.cointelegraph.com\/uploads\/2023-05\/e524567d-1b65-4e35-8924-2ffbf5a9c732.png\")