- $3 million was siphoned from decentralised exchange Swaprum on Arbitrum yesterday.
- The protocol was audited by CertiK.
Developers behind Swaprum, a decentralised exchange on the buzzy Arbitrum blockchain, made off with millions of dollars of investor funds last night.
The protocol was audited by CertiK, the smart contract auditing firm that has recently come under fire for its failure to pinpoint potential rug-pull risks.
Damicale Shilling, a DeFi investor, raised concerns about Swaprum yesterday morning after analysing on-chain activity related to the protocol’s marketing efforts. “Guys, I have reason to believe that Swaprum is very dangerous,” he said.
By evening, DeFi Security, a security firm, confirmed that a theft by the protocol’s developers was indeed in progress and put the loss at $1 million. A later assessment by blockchain security firm PeckShield approximated the total loss at $3 million. The culprits laundered the funds through Tornado Cash, a privacy protocol that obscures the trail of funds.
Smart contracts, the building blocks of DeFi protocols, are immutable by default: once deployed on the blockchain, their code can’t be altered unless the developers deliberately build in an upgrade path, typically a proxy contract whose administrator can swap out the logic it delegates to.
But Swaprum’s developers “left an upgradability feature in their smart contract, which they used to drain user funds,” Dyma Budorin, CEO of blockchain security firm Hacken, told DL News.
“The lack of smart contract audit report standards leads to such lame rugs,” he said.
Swaprum attracted mostly retail deposits, with on-chain data showing more than 22,000 wallets holding the protocol’s token, SAPR. The value of the coin has plummeted to near zero.
Another CertiK audit bites the dust
Budorin said that CertiK’s report “highlighted the centralisation risk, but it didn’t affect the report’s score.” Smart contract audits alone do not mitigate such risks, he explained: “our industry needs an infrastructure-layer that consolidates all relevant security information on every project.”
Swaprum is the latest in a series of CertiK-audited protocols to lose funds through a critical weakness that the audit did not prevent.
CertiK did not immediately respond to DL News’ request for comment. Swaprum could not be reached for comment.
Last month, another protocol called Merlin was drained by its developers to the tune of $1.8 million. This rug-pull triggered a debate about the role of code audits in DeFi security, as Merlin had been audited and awarded a high-security rating by CertiK just days prior to the incident.
Hugh Brooks, director of security operations at CertiK, told DL News at the time that “an audit is not a stamp of approval or a ‘pass’ or fail, it’s an objective review of a project’s code.”
“We always encourage users to read and understand audit reports before getting involved with a project,” he said.
DeFi protocols use audits to signal trust. Merlin displayed on its now-defunct website that CertiK had audited the platform. Similarly, Swaprum highlighted its CertiK audit on its website, which is now defunct, and its Medium blog, also defunct, announced the CertiK audit as an important milestone.
Swaprum’s developers requested an audit from Paladin Blockchain Security, a representative of the firm said on Twitter, but were refused service over the team’s unwillingness to disclose their real identities through a KYC procedure. The Paladin representative, who goes by Charles, said the prospective client had argued that KYC is “only for sus clients.” “They didn’t reply afterwards which was a huge red flag,” he said.