Arbitrum-based decentralized exchange (DEX) Swaprum allegedly scammed its users, with $3 million worth of client deposits stolen from the platform.
A rug pull or exit scam occurs when a seemingly legitimate project racks up a certain amount of investment or user deposits before quickly shutting everything down, withdrawing the capital, and disappearing into the distance, if they don't properly cover their tracks, of course.
According to a May 19 report from an alert-focused account of blockchain security company PeckShield, the attackers stole 1,628 Ether (ETH), worth approximately $2.95 million at current prices, from Swaprum liquidity pools, transferred it to Ethereum, and then laundered almost all of these funds through the Tornado Cash cryptocurrency mixer.
#PeckShieldAlert #rugpull @Swaprum on #Arbitrum rugged ~$3M, $SAPR has dropped -100%. @Swaprum already deleted its social accounts/groups.
The scammers have bridged ~1,628 $ETH to #Ethereum and laundered 1,620 $ETH to Tornado Cash https://t.co/tUNgbwGQCd pic.twitter.com/UH8V9RyFHy
— PeckShieldAlert (@PeckShieldAlert) May 19, 2023
Following the incident, Swaprum’s Twitter, Telegram, and GitHub accounts were deleted; however, the Swaprum website was still up and running at the time of writing.
Adding further context to the incident, fellow blockchain security firm Beosin stated that “a Swaprum deployer used the add() backdoor function to steal LP [liquidity provider] tokens staked by users and then removed the liquidity from the pool for profit.”
Apparently, this was made possible by the fact that the Swaprum development team supposedly “upgraded a regular liquidity contract to a contract containing backdoor functions.”
3/ The backdoor function add() will transfer LP tokens from the contract to the _devadd address. By querying the _devadd address, it will return the ‘Swaprum:Deployer’ address. pic.twitter.com/Z1rZmFSf5R
— BeosinAlert (@BeosinAlert) May 19, 2023
Searching for the keyword “Swaprum” on Twitter yields several tweets from people calling out smart contract auditor CertiK over the whole affair, as the firm audited the platform as recently as May 5th.
Their complaints essentially allege that CertiK signed off on the platform by auditing it, and the “verified by CertiK” logo is still on the Swaprum website.
However, it is worth noting that, according to CertiK’s disclaimer, it “conducts security assessments solely on the provided source code” and cannot guarantee that its recommendations will be integrated. During the audit, CertiK noted a “serious” problem with how centralized Swaprum was.
It also appears, however, that the updates to the project’s smart contracts related to the backdoor were made after the completion of the audit.
As it stands, the CertiK website labels Swaprum as an “exit scam”.
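The pattern described above, an upgrade made after the audit that introduces a new state-changing function such as add(), can be checked for by comparing the audited contract interface with the one currently deployed. The following Python code is an added example, not code from the article, Beosin, or CertiK. It assumes an upgradeable contract whose implementation changes have already been decoded into records. All addresses, ABIs, the upgrade dates, and the function names other than add() are constructed placeholders.

```python
from datetime import datetime, timezone

def fn(name, *types, mut="nonpayable"):
    """Build a minimal ABI function entry (helper for the constructed samples)."""
    return {"type": "function", "name": name, "stateMutability": mut,
            "inputs": [{"type": t} for t in types]}

def signature(entry):
    """Render an ABI entry as name(type1,type2,...)."""
    return f'{entry["name"]}({",".join(i["type"] for i in entry.get("inputs", []))})'

def mutating_functions(abi):
    """Signatures of functions that can change state (anything not view/pure)."""
    return {signature(e) for e in abi if e.get("type") == "function"
            and e.get("stateMutability") not in ("view", "pure")}

def review_upgrades(upgrades, audited_impl, audited_abi, live_abis, audit_date):
    """Flag post-audit upgrades and list state-changing functions the audit never saw."""
    baseline = mutating_functions(audited_abi)
    findings = []
    for up in sorted(upgrades, key=lambda u: u["time"]):
        if up["time"] <= audit_date or up["implementation"] == audited_impl:
            continue  # pre-audit change, or the audited code itself
        abi = live_abis.get(up["implementation"])
        # No published ABI means unverified code: nothing to diff, report None.
        new = None if abi is None else sorted(mutating_functions(abi) - baseline)
        findings.append({"proxy": up["proxy"], "implementation": up["implementation"],
                         "time": up["time"], "unaudited_functions": new})
    return findings

# --- Constructed sample data: placeholders, not real Swaprum addresses or ABIs ---
AUDIT_DATE = datetime(2023, 5, 5, tzinfo=timezone.utc)  # audit date given in the article
AUDITED_IMPL, NEW_IMPL, PROXY = "0xAUDITED_IMPL", "0xNEW_IMPL", "0xPROXY"
AUDITED_ABI = [fn("deposit", "uint256", "uint256"), fn("withdraw", "uint256", "uint256"),
               fn("pendingReward", "uint256", "address", mut="view")]
LIVE_ABIS = {NEW_IMPL: AUDITED_ABI + [fn("add")]}  # add() is the function named by Beosin
UPGRADES = [
    {"time": datetime(2023, 4, 20, tzinfo=timezone.utc), "proxy": PROXY, "implementation": AUDITED_IMPL},
    {"time": datetime(2023, 5, 18, tzinfo=timezone.utc), "proxy": PROXY, "implementation": NEW_IMPL},
]

if __name__ == "__main__":
    for f in review_upgrades(UPGRADES, AUDITED_IMPL, AUDITED_ABI, LIVE_ABIS, AUDIT_DATE):
        print(f["time"].date(), f["proxy"], "->", f["implementation"], f["unaudited_functions"])
```

A result of None for unaudited_functions means the new implementation has no published interface to compare, which warrants the same scrutiny as a newly added function.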