Decoding Swaprum Finance $3 Million Rug Pull | QuillAudits

Summary:

On May 18, 2023, the deployer of Swaprum Finance, a decentralized finance platform on the Arbitrum chain, executed an exit scam (Rug Pull) and took around $3 million in user funds. They immediately deleted both their website and all of their social media profiles following the scam.

About Project:

Swaprum is a DeFi exchange built on Arbitrum One Chain that offers high farming rewards, low swapping fees, and a sustainable SAPR token.

Vulnerability Analysis & Impact:

On-chain Details:

Deployer Address: 0xaaf8b44376f4ef3eD477eeEB3553b7623FEF5E1c

SAPR Token: 0x2ae25460c44d578e6f41ab900a7a5425b6492c16

Malicious Upgrade txn: 0x11a84164726c57dd7c3c0f610ed65cfa5f062009b3d51bcacc31e52c50908a9c

SAPR Minting txn: 0x821b2e98bb5ab19b6b35e5abaceca3d263a17b07039bc169823d7cf27460168e

Liquidity Removing txn: 0xcb64a40d652ff8bfac2e08aa6425ace9c19f0eeb4a6e32f0c425f9f9ea747edf

Tornado Cash transfer txn: 0xfffb4bbabeafc906800ec790c8c9cd9c6b6e11532f6a9e210dc091f29909bafd

Exit Scam Steps:

• On May 18th, the reward contract was upgraded to a malicious version by the deployer. They included theadd() function (backdoor), which transferred LP tokens from the contract to the deployer.

• After the upgrade, the deployer used the modified add() function to steal LP tokens staked by users. The stolen LP tokens were then used to remove liquidity from various pools such as USDT/WETH, USDT/USDC, etc.

• Additionally, the deployer called getToken() and minted 200,000,000 SAPR tokens into their wallet, draining the liquidity from the SAPR/WETH Pool.

• The deployer proceeded to swap all tokens for 1620 ETH ($3 million) and bridged all the funds to Ethereum before transferring them to Tornado Cash.

After the Incident:

Immediately after the hack, they deleted their website and social media accounts, including Twitter, GitHub, Gitbook, and Medium.

The flow of funds:

The deployer transferred all funds to the Ethereum chain via Multichain, AcrossProtocol, and CelerNetwork, and finally deposited approximately 1620 ETH in Tornado Cash.

Bridged to Ethereum

Transferred to Tornado Cash

Price Impact:

Following the rug pull, the token’s value plummeted. See here.

Conclusion:

This occurrence highlights the risks that are associated with cryptocurrency investments, and it serves as a reminder that investors must exercise caution when dealing with digital assets.

Any project that promises sky-high returns should be carefully considered because DeFi scammers need liquidity to fund their scheme.

Web3 security- Need of the hour

Why QuillAudits For Web3 Security? QuillAudits is well-equipped with tools and expertise to provide cybersecurity solutions, saving millions in funds.

Want more Such Security Blogs & Reports?

Connect with QuillAudits on :

Linkedin | Twitter | Website | Newsletter | Discord | Telegram

Partner with QuillAudits :

• Affiliate program ( Refer and secure web3 )
• QuillAudits Partnership Programme ( Venture funds, launchpads, development companies, marketing firms, web2 cybersecurity firms, web3 products )
• Join Ambassador program