
MasterChef Mischief: Examining the Rug Pull in Swaprum Protocol


Project name: Swaprum

Project type: Staking

Date of exploit: May 18, 2023

Asset loss: $3,000,000

Vulnerability: Rugpull

Date of audit report publishing: May 5, 2023

Conclusion: Out of Audit Scope

Details of the Exploit

Background

The Swaprum project includes a DEX and MasterChef-like staking contracts. Users can stake LP tokens in the MasterChef contract to earn rewards.

Nature of the Vulnerability

  • The MasterChef-like staking contract is upgradeable.
  • The project owner upgraded the staking implementation contract to a malicious version.
  • In the updated implementation, the function add differs from the audited version: it moves staked LP tokens and removes liquidity. A newly added function, getToken, is invoked to mint Swaprum tokens for the deployer, which are then sold for profit.
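
One way to detect the upgrade path described above, added here as an example and not taken from CertiK's report or Swaprum's code: scan event logs for implementation changes on a watched staking proxy and flag any target outside the audited set. It assumes an EIP-1967-style proxy that emits Upgraded(address); the addresses, block numbers and transaction hashes are constructed placeholders.

```python
# Added example (not CertiK's or Swaprum's code). Assumption: the staking proxy
# follows EIP-1967 and emits Upgraded(address indexed implementation).
UPGRADED_TOPIC = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b"
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"

# Constructed placeholder addresses, not the real Swaprum contracts.
PROXY = "0x" + "aa" * 20
AUDITED_IMPL = "0x" + "bb" * 20
UNREVIEWED_IMPL = "0x" + "cc" * 20

def pad_topic(address):
    """Encode an address as a 32-byte indexed event topic."""
    return "0x" + "00" * 12 + address[2:]

def find_unaudited_upgrades(logs, audited):
    """Return one alert per Upgraded event whose target is not an audited implementation.

    `audited` maps a watched proxy address to the set of implementation
    addresses covered by an audit report.
    """
    alerts = []
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        proxy = log["address"].lower()
        topics = [t.lower() for t in log["topics"]]
        if proxy not in audited or len(topics) < 2 or topics[0] != UPGRADED_TOPIC:
            continue  # not an upgrade of a watched proxy
        impl = "0x" + topics[1][-40:]  # address is the low 20 bytes of the topic
        if impl not in audited[proxy]:
            alerts.append({"proxy": proxy, "implementation": impl,
                           "block": log["blockNumber"], "tx": log["transactionHash"]})
    return alerts

# Constructed sample logs, simplified from the eth_getLogs shape (integers, short hashes).
SAMPLE_LOGS = [
    {"address": PROXY, "topics": [UPGRADED_TOPIC, pad_topic(AUDITED_IMPL)],
     "blockNumber": 100, "logIndex": 0, "transactionHash": "0x01"},
    {"address": PROXY, "topics": [TRANSFER_TOPIC, pad_topic(PROXY), pad_topic(AUDITED_IMPL)],
     "blockNumber": 150, "logIndex": 3, "transactionHash": "0x02"},
    {"address": PROXY.upper().replace("0X", "0x"),  # mixed-case address still matches
     "topics": [UPGRADED_TOPIC, pad_topic(UNREVIEWED_IMPL)],
     "blockNumber": 200, "logIndex": 1, "transactionHash": "0x03"},
]

if __name__ == "__main__":
    for alert in find_unaudited_upgrades(SAMPLE_LOGS, {PROXY: {AUDITED_IMPL}}):
        print("implementation outside audit scope:", alert)
```

An alert here means the code now running behind the proxy is no longer the code the audit report covered, which is the condition this incident turned on.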

CertiK Audit Overview

[Screenshot: CertiK audit overview]

Conclusion

On May 18, 2023, the Swaprum protocol deployer carried out a rug pull by upgrading the “MasterChef” contract to a malicious version, withdrawing a significant quantity of the LP tokens staked in the contract and minting a large amount of Swaprum tokens to drain the pool.
