MasterChef Mischief: Examining the Rug Pull in Swaprum Protocol

报告 ·事件分析 · 2024年1月8日

Project name: Swaprum

Project type: Staking

Date of exploit: May 18, 2023

Asset loss: $ 3,000,000

Vulnerability: Rugpull

Date of audit report publishing: May 5, 2023

Conclusion: Out of Audit Scope

Details of the Exploit

Background

Swaprum project includes DEX and MasterChef-like staking contracts. Users can stake LP tokens into the MasterChef contract to get the reward.

Nature of the Vulnerability

The masterchef-like staking contract is upgradeable.
The project owner upgraded the staking implementation contract to a malicious version.
In the updated implementation, the malicious function add, which is different from the audited version, moves staked LP tokens and removes liquidity. A newly added function getToken is invoked to mint Swaprum tokens for the deployer and sell them for profit.

CertiK Audit Overview

Screenshot 2024-01-08 at 6.09.50 AM

Conclusion

On May 18, 2023, the Swaprum protocol deployer rug pulled by upgrading the contract “MasterChef” contract to the malicious version and withdrew a significant quantity of LP tokens that staked inside the contract and mint a large amount of Swaprum token to drain the pool.

相关博客

技术博客 ·技术洞察

Threshold Cryptography IV: Multiplicative-to-Additive (MtA) Protocol and Paillier Encryption Scheme

In this post, we provide a detailed examination of the MtA protocol, which utilizes the additively homomorphic properties of the Paillier encryption scheme to facilitate the exchange of encrypted secret shares among the participating parties.

2025年8月10日

博客 ·事件分析

Cork Protocol Incident Analysis

On May 28, 2025, asset-pegged insurance CorK Protocol suffered a ~$12M security breach. The attacker exploited a lack of parameter checks, to set up a fake market, and the relatively open access of its AMM extension (CorkHook) to induce double counting of derivative token weETH8DS-2 on two markets, and acquire a large amount of derivatives which they redeemed for 3,761 wstETH.

2025年5月29日

报告 ·行业研究

Evil in the Shadows: Unveiling the Chaos in Ethereum’s Token Ecosystem

In the Web3 space, new tokens are constantly emerging. Have you ever wondered how many new tokens are issued each day? And more importantly, are these new tokens safe? Over the past few months, CertiK's security team has identified numerous cases of rug pull transactions. Notably, all of the tokens involved in these cases were newly listed on the blockchain.

2025年1月9日