/cdn.vox-cdn.com/uploads/chorus_asset/file/24016885/STK093_Google_04.jpg)
/cdn.vox-cdn.com/uploads/chorus_asset/file/24808816/Starfield__The_Settled_Systems___Supra_Et_Ultra_____Starfield__The_Settled_Systems___Supra_Et_Ultra_2023_7_25_94252.263_1440p_streamshot.png)
Arbitrum-based decentralized exchange (DEX) Swapram has reportedly conducted a rig-pull on its users, with $3 million worth of customer deposits swiped from the platform.
A rag-pull or exit scam occurs when a seemingly legitimate project collects a certain amount of investment or user deposits before immediately shutting everything down, pulling the capital and disappearing into the distance – if they were successful enough. Don’t cover your tracks, period.
According to a May 19 tweet from the alert-focused account of blockchain security firm Peck Shield, bad actors swiped 1,628 ether (ETH) — roughly $2.95 million at current prices — from Swaprum’s liquidity pool, channeled it to Ethereum, and Then “washed” “almost all the funds through the crypto mixer Tornado Cash.
#PeckShieldAler #ragpul @Swaprum But #Mediation Rugged ~$3M, $SAPR -100% dropped. @Swaprum Already deleted your social accounts/groups.
Scammers have bridged ~ 1,628 $ETH To #ethereum and washed 1,620 $ETH for Tornado Cash pic.twitter.com/UH8V9RyFHy— PeckShield Alert (@PeckShieldAlert) May 19, 2023
Following the incident, Swapram’s Twitter, Telegram and Github accounts have been deleted, however Swapram’s website is still operational at the time of writing this news.
Adding additional context to the incident, fellow blockchain security firm Beosin claimed that “Swapram’s employer used the add() backdoor function to steal LP (Liquidity Provider) tokens from users, then withdraw liquidity from the pool for profit.” swept aside.”
This was apparently made possible by the Swapram developer team allegedly “upgrading a normal Liquidity Collateralized Rewards contract to a contract with backdoor functionality”.
3/ The backdoor function add() will transfer the LP token from the contract to the _devadd address. By querying the _devadd address, it will return the ‘Swaprum:Deployer’ address. pic.twitter.com/Z1rZmFSf5R
— Beosin Alert (@BeosinAlert) May 19, 2023
A keyword search for “swapram” on Twitter yielded several tweets from people calling out smart contract auditor CertiK, as the firm audited the platform as recently as May 5.
Connected: Can You Recover Bitcoin Stolen From Crypto Scams?
Their complaints essentially insist that CertiK audit the platform and sign the platform with a “audited by CertiK” logo. currently on the Swapram website.
Very good @certiK Another rug that’s coming from your audit.#self love @Swaprum #certic #scam #rug pic.twitter.com/cPlyx3GMU6
– Crypto Emprende YT (@cryptoemprende_) May 18, 2023
However, it’s worth noting that according to CertiK’s disclaimer, it “conducts security evaluations exclusively on provided source code,” and cannot guarantee that its recommendations are unified. In the audit, CertiK flagged a “major” issue with how centralized Swapram was.
While it also appears that backdoor related upgrades to the project’s smart contracts were made after the audit was completed.
As it stands, CertiK’s website has now flagged Swapram as an “exit scam”.
magazine: $3.4B Bitcoin in a Popcorn Tin – The Story of the Silk Road Hacker
