July 3rd, 2021
On June 23, 2021, the team behind StableMagnet performed a rugpull. Using a novel technique, the owners were able to steal $27 million from the protocol’s users.
The StableMagnet rugpull was different from other rugpulls because it took advantage of a novel vector. Block explorers like Etherscan and BSCScan perform code verification that ensures that the source code posted to them matches the actual code stored on the blockchain.
However, as demonstrated by the StableMagnet rugpull, Etherscan and BSCScan do not perform verification of linked libraries when verifying the correctness of posted source code. This means that a smart contract can claim that it is using functions from one smart contract while actually using a different one. This lulls users into a false sense of security because they believe that they have reviewed a protocol’s source code and it looks legitimate.
The StableMagnet owners took advantage of this oversight to hide a backdoor in their smart contract that enabled them to drain value from the protocol. Also, the hidden backdoor enabled the attackers to transfer more tokens to all wallets that had approved StableMagnet, enabling the attackers to steal even more value from its users.
This incident used novel techniques to hide the functionality that made the rugpull possible. A few key takeaways include:
Before investing in or approving any crypto project, it’s important to do your research. This incident demonstrates that this isn’t as simple as reading the source code on a block explorer.