Explained: The Swaprum Rug Pull (May 2023)


Rob Behnke

May 24th, 2023


In May 2023, Swaprum, an Arbitrum-based project, carried out a rug pull. The founders of the project stole an estimated $3 million from the project’s users.

Inside the Attack

Rug pulls typically take advantage of a backdoor function built into a project’s smart contracts that allows the project team to drain the value deposited within the project. In this case, the founders took advantage of a function named add() to steal the liquidity pool (LP) tokens that users staked in the protocol.

With control over the LP tokens, the founders were able to drain value from the project’s pool. The stolen tokens were transferred to Ethereum via various blockchain bridges and then sent to Tornado Cash.

After the attack was complete, the attacker deleted their social media accounts. As a result of the attack, the value of the $SPAR token fell to zero.

Lessons Learned From the Attack

Rug pulls are an unfortunately common occurrence in the DeFi space. If projects have a built-in backdoor function, the founders can exploit it to steal from the protocol.

Decentralization is essential to protecting against rug pulls. If control over the protocol is managed with a multi-signature wallet or a decentralized governance scheme, then it is more difficult to drain value from the protocol.
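
The multi-signature control described above, modeled as an added Python example (not code from this article or from Swaprum): a privileged call such as add() runs only after M of N distinct signers approve that exact call. The signer names, the add() arguments and the 3-of-4 threshold are assumptions constructed for illustration.

```python
import hashlib
import json

class MultisigGate:
    """Toy M-of-N gate: a privileged call runs only after `threshold` distinct signers approve it."""
    def __init__(self, signers, threshold):
        if not 1 <= threshold <= len(set(signers)):
            raise ValueError("threshold must be between 1 and the number of signers")
        self.signers, self.threshold = set(signers), threshold
        self.approvals = {}    # proposal id -> set of signers who approved it
        self.executed = set()  # proposal ids already run (blocks replay)

    @staticmethod
    def proposal_id(function, args, nonce):
        # Approvals bind to the exact call: changing any argument yields a new id.
        blob = json.dumps([function, args, nonce]).encode()
        return hashlib.sha256(blob).hexdigest()

    def approve(self, signer, function, args, nonce):
        if signer not in self.signers:
            raise PermissionError(f"{signer} is not a signer")
        pid = self.proposal_id(function, args, nonce)
        self.approvals.setdefault(pid, set()).add(signer)  # a set ignores repeat approvals
        return pid

    def ready(self, function, args, nonce):
        pid = self.proposal_id(function, args, nonce)
        return pid not in self.executed and len(self.approvals.get(pid, ())) >= self.threshold

    def execute(self, function, args, nonce, action):
        if not self.ready(function, args, nonce):
            raise PermissionError("not enough approvals, or already executed")
        self.executed.add(self.proposal_id(function, args, nonce))
        return action(*args)

def demo():
    gate = MultisigGate(["founder_a", "founder_b", "auditor", "community"], threshold=3)
    pools = []
    def add(alloc_point, lp_token):  # hypothetical signature for the privileged call
        pools.append((alloc_point, lp_token))
        return len(pools)
    call = ("add", [100, "LP_TOKEN_PLACEHOLDER"], 0)  # constructed arguments and nonce
    gate.approve("founder_a", *call)
    gate.approve("founder_a", *call)   # repeat approval still counts as one signer
    blocked = not gate.ready(*call)    # a single key cannot reach the threshold
    for signer in ("founder_b", "auditor"):
        gate.approve(signer, *call)
    return blocked, gate.execute(*call, add), pools
```
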