Decentralized exchange (DEX) Swaprum, built on the Arbitrum network, is under scrutiny for allegedly carrying out a rug-pull scam, resulting in the disappearance of $3 million in customer deposits.
In this type of fraud, known as a rug-pull or exit scam, a project initially appears legitimate and attracts investments or user deposits. Its operators then abruptly shut it down and vanish with the funds, while taking measures to cover their tracks.
According to a tweet from blockchain security firm PeckShield’s alerts account on May 19, the perpetrators managed to swipe 1,628 Ethereum (ETH) valued at approximately $2.95 million from Swaprum’s liquidity pools. They then transferred the funds from Arbitrum to Ethereum and “laundered” most of them through the crypto mixer Tornado Cash.
Following the incident, Swaprum’s Twitter, Telegram, and GitHub accounts were deleted. However, the Swaprum website remains operational as of the time of this report.
Further details provided by fellow blockchain security firm Beosin suggest that the deployer of Swaprum exploited the add() backdoor function to steal liquidity provider (LP) tokens staked by users. Subsequently, they removed liquidity from the pool for personal profit.
A Twitter search for “Swaprum” reveals multiple tweets calling out smart contract auditors CertiK for their involvement. CertiK conducted an audit of the platform as recently as May 5, leading users to criticize the firm for seemingly endorsing Swaprum. The Swaprum website still displays the “audited by CertiK” logo.
It’s important to note that CertiK’s security assessments focus solely on the provided source code and do not guarantee the implementation of their recommendations. In their audit, CertiK identified a “major” issue with Swaprum’s centralization. However, it appears that the backdoor-related upgrades to the project’s smart contracts occurred after the completion of the audit.
CertiK’s website has now labeled Swaprum as an “exit scam.”