$3 million in user funds wiped out via alleged Swaprum DEX rug pull
Arbitrum-based decentralized exchange (DEX) Swaprum has reportedly performed a rug pull on its users, wiping $3 million worth of customer deposits off the platform.
A rug pull or exit scam happens when a seemingly legitimate project rakes in a certain amount of investment or user deposits before abruptly shutting everything down, draining the capital and disappearing into the distance, provided they cover their tracks sufficiently, of course.
According to a May 19 tweet from the alert-focused account of blockchain security firm PeckShield, the scammers stole 1,628 Ether (ETH), worth about $2.95 million at current prices, from Swaprum’s liquidity pools, bridged it to Ethereum and then “laundered” almost all of those funds through crypto mixer Tornado Cash.
#PeckShieldAlert #withdrawal @Swaprum on #arbitrum rugged ~ $3 million, $SAPR decreased by -100%. @Swaprum has already deleted its social accounts/groups.
The scammers bridged ~1,628 $ETH to #Ethereum and laundered 1,620 $ETH to Tornado Cash pic.twitter.com/UH8V9RyFHy
— PeckShieldAlert (@PeckShieldAlert) May 19, 2023
Following the incident, Swaprum’s Twitter, Telegram, and Github accounts have all been deleted, but Swaprum’s website is still up and running at the time of writing.
To add context to the incident, fellow blockchain security firm Beosin claimed that Swaprum’s “user used the add() backdoor function to steal LP [liquidity provider] tokens staked by users and then removed liquidity from the pool for profit.”
This was apparently made possible by the Swaprum developer team reportedly “upgrading the normal liquidity collateral reward contract to one with backdoor features”.
3/ The add() backdoor function will transfer LP tokens from the contract to the _devadd address. Retrieving the _devadd address returns the ‘Swaprum:Deployer’ address. pic.twitter.com/Z1rZmFSf5R
— Beosin Alert (@BeosinAlert) May 19, 2023
A keyword search for “Swaprum” on Twitter turns up several tweets from people calling out smart contract auditor CertiK over the incident, as the company had audited the platform on May 5.
Their complaints essentially claim that CertiK signed off on the platform by auditing it, while the “audited by CertiK” logo is still on the Swaprum website.
Well done @CertiK another rug that comes from your audits. #swaprum @Swaprum #certification #scam #carpet pic.twitter.com/cPlyx3GMU6
— Crypto Emprende YT (@cryptoemprende_) May 18, 2023
However, it’s worth noting that, according to CertiK’s disclaimers, it “performs security assessments only on the source code provided” and cannot guarantee that its recommendations are integrated. During the audit, CertiK identified a “major” problem with how centralized Swaprum was.
It also appears, however, that the backdoor-related upgrades to the project’s smart contracts were made after the audit was completed.
As it stands, CertiK’s website has now flagged Swaprum as an “exit scam”.
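The gap described above, an audited contract later upgraded to unreviewed code, can be monitored from event logs. The following is an added example, not code from the article, Beosin, CertiK or Swaprum: it assumes the upgraded contract sits behind an EIP-1967 style proxy that emits Upgraded(address), which the article does not state, and all addresses, transaction ids and the upgrade date are constructed placeholders.

```python
from datetime import datetime, timezone

# keccak256("Upgraded(address)"): emitted by EIP-1967 style proxies on each upgrade.
UPGRADED_TOPIC = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b"

def ts(year, month, day):
    """UTC midnight of the given date as a Unix timestamp."""
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp())

def pad(addr):
    """Encode an address as a 32-byte indexed topic (left-padded with zeros)."""
    return "0x" + "00" * 12 + addr[2:]

def post_audit_upgrades(logs, proxy, audited_impl, audit_ts):
    """Return upgrades of `proxy` made after the audit to code the audit never saw."""
    findings = []
    for log in sorted(logs, key=lambda entry: entry["timestamp"]):
        if log["address"].lower() != proxy.lower():
            continue  # event from another contract
        topics = log["topics"]
        if len(topics) < 2 or topics[0] != UPGRADED_TOPIC:
            continue  # not an upgrade event
        impl = "0x" + topics[1][-40:].lower()  # last 20 bytes of the topic
        if log["timestamp"] > audit_ts and impl != audited_impl.lower():
            findings.append({"tx": log["tx"], "implementation": impl,
                             "timestamp": log["timestamp"]})
    return findings

# Constructed placeholders, not real Swaprum addresses or transactions.
PROXY = "0x" + "a1" * 20
AUDITED_IMPL = "0x" + "b2" * 20
UNREVIEWED_IMPL = "0x" + "c3" * 20
OTHER_CONTRACT = "0x" + "d4" * 20
OTHER_TOPIC = "0x" + "11" * 32

SAMPLE_LOGS = [
    {"address": PROXY, "topics": [UPGRADED_TOPIC, pad(AUDITED_IMPL)],
     "timestamp": ts(2023, 5, 1), "tx": "tx-1"},   # version the auditor reviewed
    {"address": PROXY, "topics": [OTHER_TOPIC],
     "timestamp": ts(2023, 5, 8), "tx": "tx-2"},   # unrelated event on the proxy
    {"address": OTHER_CONTRACT, "topics": [UPGRADED_TOPIC, pad(UNREVIEWED_IMPL)],
     "timestamp": ts(2023, 5, 9), "tx": "tx-3"},   # upgrade of a different contract
    {"address": PROXY, "topics": [UPGRADED_TOPIC, pad(UNREVIEWED_IMPL)],
     "timestamp": ts(2023, 5, 10), "tx": "tx-4"},  # post-audit swap to unreviewed code
]

# The article dates the audit to May 5; everything up to the end of that day counts as covered.
AUDIT_TS = ts(2023, 5, 6)
FINDINGS = post_audit_upgrades(SAMPLE_LOGS, PROXY, AUDITED_IMPL, AUDIT_TS)

if __name__ == "__main__":
    for finding in FINDINGS:
        print("unaudited upgrade:", finding)
```

A finding here means the audit badge no longer describes the code holding user deposits, which is the point at which stakers or monitoring services would want an alert.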