Back to all stories
MasterChef Mischief: Examining the Rug Pull in Swaprum Protocol
1/8/2024
Project name: Swaprum
Project type: Staking
Date of exploit: May 18, 2023
Asset loss: $ 3,000,000
Vulnerability: Rugpull
Date of audit report publishing: May 5, 2023
Conclusion: Out of Audit Scope
Details of the Exploit
Background
Swaprum project includes DEX and MasterChef-like staking contracts. Users can stake LP tokens into the MasterChef contract to get the reward.
Nature of the Vulnerability
- The masterchef-like staking contract is upgradeable.
- The project owner upgraded the staking implementation contract to a malicious version.
- In the updated implementation, the malicious function
add, which is different from the audited version, moves staked LP tokens and removes liquidity. A newly added functiongetTokenis invoked to mint Swaprum tokens for the deployer and sell them for profit.
CertiK Audit Overview
Conclusion
On May 18, 2023, the Swaprum protocol deployer rug pulled by upgrading the contract “MasterChef” contract to the malicious version and withdrew a significant quantity of LP tokens that staked inside the contract and mint a large amount of Swaprum token to drain the pool.
Related Stories
On 24 February, GambleFi project RiskOnBlast is thought to have become the first confirmed exit scam to occur on the Blast ecosystem, a layer-2 project on Ethereum.
3/29/2024
In this post, we detail a certain type of rug pull wherein scammers apparently create tokens out of thin air before dumping them on unsuspecting investors.
3/19/2024
On 6th January 2024, the MangoFarmSOL project conducted an exit scam leading to losses estimated around ~$1.32 million which is the largest exit scam that we have investigated in 2024 so far.
2/22/2024
