December 9, 2023

Developers of the Arbitrum-based decentralized exchange Swaprum have pumped $3 million worth of ETH from the protocol in what looks like an obvious canvassing or exit scam.

Swaprum team pulls off $3 million heist

Cryptocurrencies are built on the principles of trust and transparency. Yet the specter of hacking and rug pulling often casts a long, dark shadow over the industry. As users of Swaprum have unfortunately discovered, recent events are a grim reminder of the ongoing threat of hackers and scams. Swaprum is a decentralized exchange (DEX) on the Arbitrum network. What has emerged is that the developers of Swaprum have pulled users, draining $3 million worth of ETH from the protocol.

The decentralized exchange offers users low exchange fees, extremely high farming rewards, and the potential to earn up to 100% Annual Yield (APY).

Detail of the rug handle

Blockchain security firm PeckShield discovered the rug pull and flagged it on Friday. PeckShield revealed that approximately 1,628 ETH, worth approximately $3 million, was drained from Swaprum’s liquidity pool. According to on-chain data, the exit was orchestrated late Thursday. First, the Swaprum team de-liquidated the decentralized exchange SAPR tokens, selling assets in exchange for more ETH. The SAPR token is the native token of the Swaprum decentralized exchange.

The team then moved funds from Arbitrum to Ethereum and then to cryptocurrency mixer Tornado Cash. A more detailed analysis by Beosin revealed that the developers of the Swaprum smart contract had added backdoor functionality to the contract. This is what led to the theft of liquidity pool tokens staked by users. It was revealed that the developers used the add() function and exhausted the protocol. Beosin explained that Swaprum’s team has upgraded the normal liquidity staking rewards contract to another one that includes backdoor functionality. it says,

“The backdoor function add() will transfer LP tokens from the contract to the _devadd address. By querying the _devadd address, it will return the ‘Swaprum: Deployer’ address. The Swaprum: Deployer used the stolen LP tokens in the previous step to eliminate liquidity.”

In addition, the Swaprum team wiped their online footprint completely, deleting all their social media profiles on platforms such as Twitter, GitHub, and Telegram. However, the project’s official website is still up and running. The now-defunct decentralized exchange also highlighted CertiK’s aggressive security checks. However, it remains to be seen whether the certification is real.

SAPR tokens are intrinsically worthless

As expected, the decentralized exchange’s native SAPR token lost all value after the rug was pulled. Currently, the token is trading at $0.000022 with a trading volume of just $83. This is a 99% drop from $0.147 before the price was pulled lower. Swaprum rug pulls are easily one of the largest rug pulls on the Arbitrum network. It surpasses losses suffered during the hack of DeFi protocol Hope Finance, which was the victim of a $2 million exploit in February.

carpet pull

There has been a marked increase in rug pulling or exit scams in the cryptocurrency space. Just in May, two other rugs came to the fore with Swaprum. CertiK freezes $160,000 on May 5th Merlin DEX Carpet pulls. Merlin fell victim to insider pull, resulting in a loss of $1.8 million. packan educational project backed by CultDAO, has also been successful, with the team behind the project stealing 2,000 ETH from funds raised for the platform.

Disclaimer: This article is for informational purposes only. It does not provide or be intended to be used as legal, tax, investment, financial or other advice.