SwapRum Rug Pull: Difference between revisions

Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' section to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

SwapRun Website

SwapRum Finance offered a next generation decentralized exchange. They obtained an audit from CertiK but only partially resolved some of the issues in their project. Then they used one of those issues to execute a rug pull and withdraw all funds form the liquidity pool, which were then brought out through TornadoCash.

This is a global/international case not involving a specific country.^{[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21][22][23][24][25][26][27][28][29][30][31][32][33][34][35][36][37][38][39][40][41][42][43][44][45][46][47][48][49][50][51]}

About SwapRum

"Next Generation Decentralized Exchange"

"Swaprum is a next-generation decentralized exchange with a range of trading tools and potential earnings of up to 100% APY. Explore limitless possibilities in the world of DeFi with Swaprum."

The Swaprum application was promoted as a way that one could obtain free Arbitrum tokens^[52].

Claim Tokens For Free

Free ARB tokens for everyone

Join Swaprum Free Pool and get free ARB tokens every day! Become a part of the platform's community and earn cool rewards with your friends. Read the detailed terms below.

"Swaprum (@Swaprum) on Arbitrum rugged by its founders for ~$3M"

"The deployer of Swaprum utilized a backdoor function, add(), to steal LP tokens staked by users

Following the theft, liquidity was swiftly stolen from the pool by the deployer"

"Then, the deployer of Swaprum transferred all the funds to Ethereum network using cross chain bridges such as @MultichainOrg, @AcrossProtocol, and @CelerNetwork. After successfully bridging 1620 $ETH through these platforms, he funneled it into @TornadoCash."

"At this time @Swaprum has deleted all their social media accounts and groups."

"As a result of this rugpull, the token $SAPR has plummeted by 100%. The scammers managed to escape with approximately 1,628 ETH, equivalent to around $2.95 million."

"CertiK AGAIN! Why in the hell are these degens giving such "projects" money? It's frustrating to see all these scammers since 2010, hello braincell."

This is a global/international case not involving a specific country.

The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

• Known history of when and how the service was started.
• What problems does the company or service claim to solve?
• What marketing materials were used by the firm or business?
• Audits performed, and excerpts that may have been included.
• Business registration documents shown (fake or legitimate).
• How were people recruited to participate?
• Public warnings and announcements prior to the event.

Don't Include:

• Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
• Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

The interface provided users with a balance in ARB, and claimed that withdrawals would be processed after 0.5 ARB were accumulated^[53][54].

Multiple users on Twitter expressed support and excitement for the project^[55][56], while others helped to promote it^[54][57]. In fact, it was reported that the Telegram account of the project was full^[58].

good project...and good investasi.....bravo @Swaprum

The Reality

This sections is included if a case involved deception or information that was unknown at the time. Examples include:

• When the service was actually started (if different than the "official story").
• Who actually ran a service and their own personal history.
• How the service was structured behind the scenes. (For example, there was no "trading bot".)
• Details of what audits reported and how vulnerabilities were missed during auditing.

Limitations of Interface

There were multiple reports prior to the rug pull of issues with the provided Swaprum interface^[59][53], including failures to load the website^[52] and a reported inability to withdraw funds^{[58][60][61][62]}.

Why does the claim not accumulate in the balance section?

Why hasn't the token been deposited into my wallet after a few days of requesting a withdrawal?

I want you to help, even in withdrawing, there is a pending order.

Bro dont pay scam site withdrawal transaction dont work 100% scam

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Technical Details

This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?

^[75]

Beosin Alert Analysis

Beosin published an alert about the situation on Twitter^[68].

Swaprum on Arbitrum rugged for ~$3M.

The deployer of Swaprum used the add() backdoor function to steal LP tokens staked by users, then removed liquidity from the pool for profit.

2/ The project has upgraded the the normal liquidity collateral reward contract to a contract containing backdoor functions.

3/ The backdoor function add() will transfer LP tokens from the contract to the _devadd address. By querying the _devadd address, it will return the ‘Swaprum:Deployer’ address.

4/ The Swaprum: Deployer uses the stolen LP tokens in the previous step to remove liquidity.

1,620 $ETH has already sent to Tornado Cash.

WisperCrypto Summary

WisperCrypto published a summary of the situation^[72].

Breaking News!

1. Swaprum DEX On #Arbitrum Rug Pulls $3M, SAPR Token Crashes 100%

In a shocking turn of events, the decentralized exchange #Swaprum operating on Ethereum Layer 2 network #Arbitrum has orchestrated a treacherous exit scam, leaving users devastated and questioning the safety of the crypto industry.

The Swaprum team slyly removed the liquidity tied to their native coin, SAPR, causing a significant drop in its price. Unsuspecting investors were left holding worthless tokens, resulting in a loss of approximately 1,628 ETH ($3M) in user deposits.

To further obfuscate the stolen funds, the Swaprum team transferred them to Ethereum and employed the notorious ETH mixer service Tornado Cash. This service masks the transaction trail, making it difficult for authorities to trace the flow of funds

The deceitful team swiftly deleted their social media presence on Twitter, Telegram, and GitHub, leaving users without any means of contact. However, the project's official website, which served as the interface for the protocol, is still accessible.

Subsequent investigations by Beosin's security analysts revealed that Swaprum's smart contract contained a covert backdoor mechanism, raising concerns about the project's intentions from the start.

This incident adds to the growing list of crypto scams, highlighting the urgent need for increased security and regulation within the industry. Investors must remain vigilant and exercise caution when engaging with decentralized platforms.

Total Amount Lost

The total amount lost has been estimated at $2,950,000 USD.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Reactions on Twitter

The news was widely reported on Twitter^{[65][76][77][78][79][80][81][82][83]}.

swaprum finance deactivate their twitter account?

Important Alert! Crypto traders, beware! Swaprum, an exchange on Arbitrum network, has been exposed as a decentralized scam. The team behind it has shamelessly withdrawn approximately $3 million from customer deposits

Breaking: Swaprum #DEX On #Arbitrum Rug Pulls $3M, SAPR Token Crashes 100%

Just got rugged on Swaprum. Site and discord is still up. A lot of work for 1 million

JUST IN: Swaprum, a decentralized exchange (DEX) built on @arbitrum ruggpulls with $3 million users deposit. According to blockchain security firm PeckShield, the team has already laundered part of the funds on Tornado Cash.

The #Swaprum rug pull has left investors devastated with a jaw-dropping $3 million loss in this #defi scam. As a social media marketer, I urge everyone to stay vigilant while investing in the crypto market. Like and retweet to spread the word!

@Swaprum he deceived us all, we fulfilled all the conditions, but they threw us .. do not believe this is ophirists

A week ago I reported a bug, which they never paid for, it was obvious from afar that it was a trap. the truth is that they made a well-organized trap

I know from the start Swaprum was a scam project just after visiting their token page on @CoinMarketCap since it clearly had a warning sign of a rugged token. Ironically I joined their group to get free ARB but after I posted about their token they kicked me out lol.

Backlash Against CertiK Auditor

There was considerable backlash against CertiK for approving the team's smart contract^[84].

Wtf @CertiK ? Did they bought the audit?

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Audit Security Score Updated

The security score of the Swaprum project on CertiK was updated to "Exit Scam" status^[75].

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References