Yesterday, a shockwave passed through the decentralized finance (DeFi) industry as Swaprum, a decentralized exchange based on the Arbitrum blockchain, allegedly made off with about $3 million of investor funds. Swaprum, known for promising potential annual percentage yields up to 100% and offering high farming rewards and low swapping fees, recently attracted over 22,000 wallets holding the protocol’s token, SAPR.
DeFi investor, Damicale Shilling, was the first to sound the alarm after observing an alarming pattern of on-chain activity tied to the protocol’s promotional efforts. DeFi Security, a security firm, soon validated the concerns, confirming that Swaprum’s developers’ theft was underway, initially estimating the losses at around $1 million.
As the day ended, blockchain security firm PeckShield revised the estimated loss, placing it at $3 million. The culprits then routed the stolen funds through the privacy protocol Tornado Cash, a mixing service designed to obscure the traceability of funds, in order to launder them.
A flawed audit and the fallout
The fallout from the rug-pull incident has been swift and devastating. The value of SAPR has plummeted almost entirely, leading to widespread concern amongst the retail investors who were the primary holders of the protocol’s token.
In the aftermath of the incident, attention has quickly turned to CertiK, the smart contract auditing firm that signed off on Swaprum’s protocols. CertiK’s role in auditing Swaprum has highlighted the importance of robust smart contract audit standards, a point emphasized by Dyma Budorin, CEO of blockchain security firm Hacken.
Budorin remarked, “The lack of smart contract audit report standards leads to such lame rugs.” However, the story might not be as straightforward as it initially seems. It appears the Swaprum developers used an upgradability feature left in their smart contract to drain user funds – an issue that was not picked up in the audit report.
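The upgradability problem mentioned above is worth seeing concretely. The following Solidity sketch is an added illustration, not Swaprum's code and not drawn from any audit report; both contracts and their names are hypothetical. It contrasts a proxy whose admin can replace the contract logic instantly (the pattern an auditor should flag as a single-key rug-pull vector) with one where every upgrade must be announced on-chain and wait out a delay before it can touch user funds.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration (hypothetical contracts), not code from Swaprum or its audit.

// Shared delegatecall core. Whatever contract `_implementation` points at runs
// with the proxy's storage and balances, so control of the upgrade path is
// control of the funds. (Production proxies keep these variables in the
// EIP-1967 slots to avoid storage collisions; plain variables are used here
// for readability.)
abstract contract ProxyCore {
    address public admin;
    address internal _implementation;

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    constructor(address impl) {
        require(impl.code.length > 0, "not a contract");
        admin = msg.sender;
        _implementation = impl;
    }

    function implementation() external view returns (address) {
        return _implementation;
    }

    fallback() external payable {
        address impl = _implementation;
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }

    receive() external payable {}
}

// Weak pattern: one admin transaction swaps the logic with immediate effect.
// Users have no notice and no window to withdraw. An audit that does not call
// this out is leaving the most direct exit-scam path unreported.
contract InstantUpgradeProxy is ProxyCore {
    constructor(address impl) ProxyCore(impl) {}

    function upgradeTo(address newImpl) external onlyAdmin {
        require(newImpl.code.length > 0, "not a contract");
        _implementation = newImpl; // live as soon as this transaction mines
    }
}

// Hardened pattern: an upgrade is proposed, emitted as an event, and can only
// be applied after UPGRADE_DELAY. Users and monitoring services see the pending
// implementation address on-chain before any new code runs against their funds.
contract TimelockedUpgradeProxy is ProxyCore {
    uint256 public constant UPGRADE_DELAY = 2 days;

    address public pendingImplementation;
    uint256 public upgradeReadyAt;

    event UpgradeProposed(address indexed newImpl, uint256 readyAt);
    event UpgradeCancelled(address indexed newImpl);
    event UpgradeApplied(address indexed newImpl);

    constructor(address impl) ProxyCore(impl) {}

    function proposeUpgrade(address newImpl) external onlyAdmin {
        require(newImpl.code.length > 0, "not a contract");
        pendingImplementation = newImpl;
        upgradeReadyAt = block.timestamp + UPGRADE_DELAY;
        emit UpgradeProposed(newImpl, upgradeReadyAt);
    }

    function cancelUpgrade() external onlyAdmin {
        address cancelled = pendingImplementation;
        require(cancelled != address(0), "nothing pending");
        pendingImplementation = address(0);
        upgradeReadyAt = 0;
        emit UpgradeCancelled(cancelled);
    }

    function applyUpgrade() external onlyAdmin {
        address newImpl = pendingImplementation;
        require(newImpl != address(0), "nothing pending");
        require(block.timestamp >= upgradeReadyAt, "timelock active");
        pendingImplementation = address(0);
        upgradeReadyAt = 0;
        _implementation = newImpl;
        emit UpgradeApplied(newImpl);
    }
}
```

For a reader checking a project before depositing, the questions this example raises are the ones an audit report should answer explicitly: is the contract upgradeable at all, who holds the admin key (a single EOA, a multisig, or a governance contract), and is there a delay between a proposed upgrade and its activation. A `UpgradeProposed`-style event is also what on-chain monitors can alert on, which an instant `upgradeTo` never gives them.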
The credibility of smart contract auditors is again in the spotlight, as this incident follows last month’s rug-pull event involving the protocol Merlin, which lost $1.8 million despite having recently passed a CertiK audit. Such incidents underline the necessity of establishing an infrastructure layer that consolidates comprehensive security information on all projects, thereby helping to guard against such fraudulent activities.
CertiK’s website has flagged Swaprum as an exit scam. Swaprum’s social media accounts have also disappeared, leaving a chilling silence where a bustling exchange once stood. The DeFi community now waits for answers and actions to prevent similar occurrences in the future. After all, the reputation and trust that underpin the DeFi landscape are at stake.