Arbitrum-based decentralized exchange (DEX) Swaprum has allegedly conducted a rug-pull on its users, with $3 million worth of customer deposits being swiped from the platform.<\/p>\n
A rug-pull or exit scam<\/a> occurs when a seemingly legitimate project ropes in a certain amount of investment or user deposits before promptly shutting everything down, pulling the capital and vanishing off into the distance \u2014 if they don’t adequately cover their tracks<\/a>Ofcourse. <\/p>\n According to a May 19 tweet from the alerts-focused account of blockchain security firm Peck Shield, the bad actors swiped 1,628 Ether (eth<\/a>) \u2014 worth roughly $2.95 million at current prices \u2014 from Swaprum’s liquidity pools, bridged it to Ethereum, and then \u201claundered\u201d almost all of those funds through crypto mixer Tornado Cash. <\/p>\n #PeckShieldAler<\/a> #rugpull<\/a> @Swaprum<\/a> on #arbitrum<\/a> rugged ~$3M, $SAPR<\/a> has dropped -100%. @Swaprum<\/a> already deleted its social accounts\/groups. \u2014 PeckShieldAlert (@PeckShieldAlert) May 19, 2023<\/a><\/p><\/blockquote>\n Following the incident, Swaprum’s Twitter, Telegram and Github accounts have all been deleted, however Swaprum’s website is still operational at the time of writing.<\/p>\n Adding extra context to the incident, fellow blockchain security firm Beosin claimed that the \u201cdeployer of Swaprum used the add() backdoor function to steal LP [liquidity provider] tokens staked by users, then removed liquidity from the pool for profit.\u201d<\/p>\n This was apparently made possible due to the Swaprum developer team allegedly “upgrading the normal liquidity collateral reward contract to a contract containing backdoor functions.” <\/p>\n 3\/ The backdoor function add() will transfer LP tokens from the contract to the _devadd address. By querying the _devadd address, it will return the ‘Swaprum:Deployer’ address. pic.twitter.com\/Z1rZmFSf5R<\/a><\/p>\n \u2014 Beosin Alert (@BeosinAlert) May 19, 2023<\/a><\/p><\/blockquote>\n A keyword search for “Swaprum” on Twitter yields several tweets from people calling out. smart contract auditors<\/a> CertiK over the whole ordeal, as the firm had conducted an audit of the platform as recently as May 5. <\/p>\n Related: <\/em><\/strong>Can you recover stolen Bitcoin from crypto scams?<\/em><\/strong><\/a><\/p>\n Their complaints essentially assert that CertiK signed off on the platform by auditing the platform, with the “audited by CertiK” logo still currently<\/a> up on the Swaprum website. <\/p>\n well done @certiK<\/a> Another rug that’s coming from your audits.#swaprum<\/a> @Swaprum<\/a> #certik<\/a> #scam<\/a> #rogue<\/a> pic.twitter.com\/cPlyx3GMU6<\/a><\/p>\n \u2014 Crypto Emprende YT (@cryptoemprende_) May 18, 2023<\/a><\/p><\/blockquote>\n However, it is worth noting that as per CertiK’s disclaimers, it “conducts security assessments on the provided source code exclusively,” and cannot guarantee that its recommendations are integrated. In the audit, CertiK flagged a “major” issue with how centralized Swaprum was. <\/p>\n While it also appears that the backdoor-related upgrades to the project’s smart contracts were conducted after the audit was completed.<\/p>\n As it stands, CertiK’s website has now flagged Swaprum as an “exit scam.”<\/p>\n Magazine: <\/em><\/strong>$3.4B of Bitcoin in a popcorn tin \u2014 The Silk Road hacker’s story<\/em><\/strong><\/a><\/p>\n <\/div>\n\n
The scammers have bridged ~1,628 $ETH<\/a> to #Ethereum<\/a> and laundered 1,620 $ETH<\/a> to Tornado Cashhttps:\/\/t.co\/tUNgbwGQCd<\/a> pic.twitter.com\/UH8V9RyFHy<\/a><\/p>\n\n
\n
![](\"https:\/\/s3.cointelegraph.com\/uploads\/2023-05\/e524567d-1b65-4e35-8924-2ffbf5a9c732.png\"\/)