$27 000 000 USD

JUNE 2021

GLOBAL

STABLEMAGNET

DESCRIPTION OF EVENTS

"Stable Magnet [was] a newly launched Farming Protocol on Binance Smart Chain. [It was a] stablecoin focused AMM protocol where users c[ould] trade with low slippage and fees. Stable Magnet launched with 3pool liquidity including BUSD, USDT and USDC, to provide main trading support for widely used stable pegged assets."


"Earn passive income with low risk stablecoin pegged assets. The Stable Magnet special stable swap algorithm is designed for assets pegged to the same value. You only need to pay 0.035% (lowest fee on Binance Smart Chain) to swap USD on their website."


RugDoc described that the project was "Complex custom code based on Belt.fi/saddle.fi – very similar to Dopple, with manual minting removed. A new project with lots of complex code means a lot of opportunity for bugs/exploits. Needs a pro audit and bug testing."


"A few hours before the attack, [Rekt] received a message from an anonymous source suggesting that StableMagnet would rugpull. We couldn’t verify the claims, so our hands were tied."


"StableMagnet rug pulled over $22 million worth of assets. The scammers swapped the SwapUtils library for their swap contract to an unverified linked library. They used code in the unverified linked library to drain all tokens from the swap contract. We recommend users unstake and revoke token approvals."


"StableMagnet owners rug pulled $27M using a backdoored library. Interestingly, the scam takes advantage of a weakness in Etherscan-based explorers which do not verify linked library source code."


"The rugpull from StableMagnet came thanks to a novel attack method. The problem cited by Rugdoc is that neither Etherscan nor BscScan verify linked library source code. This allowed the scammers at StableMagnet to deploy a different code library than the one cited in the source code. In this manner StableMagnet’s SwapUtils library wasn’t checked."


"RugDoc said, “The unverified linked library did not only contain code to drain all pairs, it also contained code to transfer more tokens to everyone who had approved StableMagnet. Please revoke your approvals as soon as possible using debank.com... Dopple and StableGaj are based upon the same protocol and their SwapUtils libraries are also UNVERIFIED. For the time being we recommend UNSTAKING and REVOKING APPROVALS until these contracts are verified.”"


"The BSC on-chain project StableMagnet ran away and lost USD 22 million." "StableMagnet [then started] draining funds directly from user wallets - if you have interacted with StableMagnet at all you must revoke all permissions now."


"PeckShield stated, “StableMagnet Swap has been approved by many users to move funds: If you interacted with it before, REVOKE NOW”, before estimating that a huge number of users could still be at risk. “Our calculation shows there are still 1000+ users who have non-zero allowance on the rugpulled StableMagnet.”"


"At present, the websites and social media handles of Stablemagnet are not on the server and subsequently down."


"They used the Any Swap Network, a notorious network for rug pulling, to remove the money within the twinkle of an eye."


"An anonymous source which spoke to REKT claims that the people behind the StableMagnet rugpull have also been behind a number of other similar crimes including Moon Here and WenMoon. There is no further way to corroborate that information at this time. Victims of the rugpull have now formed a community support group on Telegram and are seeking to piece together what information they can about the scammers."

With an anonymous team, StableMagnet built a large, complex smart contract that promised a platform to trade with low slippage and fees.


In reality, they were using a malicious library that included code which later allowed them to take control of all user funds: both the liquidity pool and any additional tokens that users still held in their own wallets but had approved the contract to spend.


No audit was done, and users who participated in the project could not reasonably inspect every dependency and determine that there were issues, since the linked library's source was never verified on the explorer. As a result, many users lost all their invested funds.
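As an added illustration of the verification gap described above (this is not code from the original page or from StableMagnet), the Python below aligns a compiler's unlinked bytecode against the bytecode actually deployed: an explorer's source match only covers the bytes outside the link placeholders, so the library addresses filled in at those positions are exactly what a reviewer still has to verify on their own. The bytecode, placeholder and addresses are constructed samples.

```python
import re

# Solidity link placeholders: solc >= 0.5 emits "__$<34 hex>$__", older releases
# "__" + library name padded with underscores. Both are exactly 40 hex chars wide,
# the width of the 20-byte address written over them when the contract is linked.
LINK_PLACEHOLDER = re.compile(r"__\$[0-9a-f]{34}\$__|__[a-z0-9_:/.]{38}")

def strip_hex(s):
    s = s.lower()
    return s[2:] if s.startswith("0x") else s

def extract_linked_libraries(unlinked_hex, deployed_hex):
    """Align the compiler's unlinked bytecode with the bytecode actually deployed.
    Bytes outside the placeholders must match, which is all an explorer's source
    verification establishes; the bytes inside are the library addresses the
    contract DELEGATECALLs into, returned per placeholder."""
    u, d = strip_hex(unlinked_hex), strip_hex(deployed_hex)
    if len(u) != len(d):
        raise ValueError("bytecode lengths differ: not the same compilation")
    links, pos = {}, 0
    for m in LINK_PLACEHOLDER.finditer(u):
        if u[pos:m.start()] != d[pos:m.start()]:
            raise ValueError(f"code differs outside a link placeholder at hex offset {pos}")
        links.setdefault(m.group(0), set()).add("0x" + d[m.start():m.end()])
        pos = m.end()
    if u[pos:] != d[pos:]:
        raise ValueError(f"code differs outside a link placeholder at hex offset {pos}")
    return links

def unverified_libraries(links, verified_sources):
    """Linked addresses whose own source is not in verified_sources: the set of
    library addresses whose code a reviewer has confirmed (constructed input here;
    in practice it comes from checking each address on the explorer)."""
    verified = {v.lower() for v in verified_sources}
    return sorted(a for addrs in links.values() for a in addrs if a not in verified)

# Constructed sample (not StableMagnet's real bytecode): the same library is
# linked at two PUSH20 sites, each followed by GAS DELEGATECALL (0x5a 0xf4).
SAMPLE_PLACEHOLDER = "__$" + "0123456789abcdef" * 2 + "01" + "$__"
SAMPLE_LIB_ADDRESS = "0x" + "1234567890abcdef" * 2 + "12345678"
UNLINKED = "0x6080604052" + ("73" + SAMPLE_PLACEHOLDER + "5af4") * 2
DEPLOYED = "0x6080604052" + ("73" + SAMPLE_LIB_ADDRESS[2:] + "5af4") * 2

if __name__ == "__main__":
    found = extract_linked_libraries(UNLINKED, DEPLOYED)
    print("linked libraries:", found)
    # With nothing verified yet, the library address is exactly what still needs review.
    print("still unverified:", unverified_libraries(found, verified_sources=set()))
```

A mismatch outside a placeholder means the deployed contract is not the verified source at all; a clean match with unverified addresses left over is the StableMagnet situation.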

HOW COULD THIS HAVE BEEN PREVENTED?

There are a number of ways to prevent this issue.


Having an anonymous team removes any incentive to avoid scamming users, as the team or individual can act with impunity.


Storing assets in a smart contract hot wallet is never as secure as holding them in offline multi-signature wallets. A multi-signature wallet held by multiple trusted, competent individuals would have prevented any one person from taking the funds.



Sources And Further Reading

© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.