Swaprum Decentralized Exchange Allegedly Conducts Rug-Pull, Swiping $3 Million in Customer Deposits


By Miles

20 May 2023


Swaprum, an Arbitrum-based decentralized exchange (DEX), is accused of conducting a rug-pull and stealing $3 million worth of customer deposits, leading to concerns about the platform's security and the role of auditors in ensuring user protection.

Introduction:

Swaprum, an Arbitrum-based decentralized exchange (DEX), has reportedly carried out a rug-pull, resulting in the loss of $3 million worth of customer deposits. The incident involved the theft of 1,628 Ether (ETH) from Swaprum's liquidity pools, which was then laundered through the crypto mixer Tornado Cash. Following the incident, Swaprum's social media accounts were deleted, but its website remains accessible. The rug-pull was facilitated by the use of a backdoor function that allowed the developer team to steal liquidity provider tokens and remove liquidity from the pool for profit. The incident raises questions about the platform's security, as well as the role of auditors in ensuring user protection.


Understanding Rug-Pulls and Exit Scams:

A rug-pull or exit scam occurs when a project, often appearing legitimate, attracts investments or user deposits before abruptly ceasing operations, taking the capital and disappearing. In some cases, the culprits attempt to cover their tracks. Rug-pulls undermine trust within the crypto community and highlight the need for thorough due diligence when participating in decentralized platforms. Users are encouraged to research projects, evaluate the credibility of the team, and assess the security measures in place.


The Swaprum Rug-Pull and Laundering Process:

According to blockchain security firm PeckShield, bad actors swiped approximately $2.95 million worth of Ether from Swaprum's liquidity pools. The stolen funds were then bridged to Ethereum and "laundered" through Tornado Cash, a crypto mixer designed to obfuscate transaction histories. The perpetrators used this process to make the funds difficult to trace and recover. Following the incident, Swaprum's social media accounts were deleted, suggesting an attempt to erase any evidence or communication related to the rug-pull. However, the platform's website remains operational.


Exploitation of a Backdoor Function and Developer Complicity:

Fellow blockchain security firm Beosin shed light on the incident, stating that the deployer of Swaprum utilized the "add()" backdoor function to steal liquidity provider tokens staked by users and subsequently removed liquidity from the pool for personal gain. This exploitation was reportedly made possible by the Swaprum developer team upgrading the liquidity collateral reward contract to include backdoor functions. The presence of such vulnerabilities highlights the need for robust security audits and thorough testing of smart contracts before deployment.


CertiK's Audit and Public Backlash:

Criticism surfaced on Twitter, targeting smart contract auditors CertiK in relation to the Swaprum incident. Some users questioned CertiK's audit process and claimed that the firm had endorsed the platform, pointing out that the "audited by CertiK" logo remained on the Swaprum website. However, CertiK's role is to assess only the source code it is provided, and an audit does not guarantee that its recommendations are integrated. The audit conducted by CertiK had flagged a "major" issue with Swaprum's centralization, although it appears that the backdoor-related upgrades were implemented after the completion of the audit. CertiK's website has since labeled Swaprum as an "exit scam," reflecting the platform's failure to meet security expectations.
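The gap described in the two sections above, a contract upgraded after its audit, can be monitored from event logs. The following is an added example, not code from the article, Beosin, or CertiK: it assumes the contract sits behind an EIP-1967 style proxy that emits `Upgraded(address)` (the article does not say which upgrade mechanism Swaprum used) and that log block numbers are already decoded to integers; all addresses, blocks, and logs are constructed.

```python
# Added example: flag proxy upgrades that happened after an audit snapshot.
# Assumption: the proxy emits the EIP-1967 / OpenZeppelin `Upgraded(address)` event.

# keccak256("Upgraded(address)"), the topic0 of that upgrade event
UPGRADED_TOPIC = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b"


def topic_to_address(topic: str) -> str:
    """An indexed address is left-padded to 32 bytes; keep the low 20 bytes."""
    raw = topic.lower().removeprefix("0x")
    if len(raw) != 64 or raw[:24] != "0" * 24:
        raise ValueError(f"not a padded address topic: {topic}")
    return "0x" + raw[24:]


def post_audit_upgrades(logs, proxy, audited_impl, audit_block):
    """Return (block, implementation) for each upgrade the audit did not cover."""
    findings = []
    for log in sorted(logs, key=lambda entry: entry["blockNumber"]):
        if log["address"].lower() != proxy.lower():
            continue  # event emitted by another contract
        topics = log["topics"]
        if len(topics) < 2 or topics[0].lower() != UPGRADED_TOPIC:
            continue  # not an upgrade event
        impl = topic_to_address(topics[1])
        if log["blockNumber"] > audit_block and impl != audited_impl.lower():
            findings.append((log["blockNumber"], impl))
    return findings


# Constructed sample data (not real Swaprum addresses, blocks, or logs).
PROXY = "0x" + "aa" * 20
AUDITED_IMPL = "0x" + "11" * 20
NEW_IMPL = "0x" + "22" * 20
pad = lambda addr: "0x" + "0" * 24 + addr[2:]
SAMPLE_LOGS = [
    {"address": PROXY, "blockNumber": 100, "topics": [UPGRADED_TOPIC, pad(AUDITED_IMPL)]},
    {"address": PROXY, "blockNumber": 250, "topics": [UPGRADED_TOPIC, pad(NEW_IMPL)]},
    {"address": "0x" + "bb" * 20, "blockNumber": 260, "topics": [UPGRADED_TOPIC, pad(NEW_IMPL)]},
    {"address": PROXY, "blockNumber": 270, "topics": ["0x" + "00" * 32]},
]

if __name__ == "__main__":
    for block, impl in post_audit_upgrades(SAMPLE_LOGS, PROXY, AUDITED_IMPL, audit_block=200):
        print(f"unaudited implementation {impl} activated at block {block}")
```

Any finding means the code users are interacting with is no longer the code the audit report describes, regardless of what badge the project's website displays.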


Implications for User Trust and Security Audits:

The rug-pull on Swaprum underscores the importance of user trust in the crypto space and highlights the risks associated with decentralized platforms. Incidents like this can damage the reputation of the broader crypto industry and deter potential users from engaging with new projects. It also raises questions about the effectiveness of security audits in identifying vulnerabilities and protecting users. Auditors play a crucial role
