Swaprum

Amount Lost: $2,915,567.00
Funds Returned: $0.00
Category: Exchange (DEX)
Date: 2023-5-18

Quick Summary

Swaprum, an Arbitrum-based DEX project, experienced a rugpull by the deployer. The total funds lost reached 2,915,567 $USD.

Details of the Exploit

Swaprum is a decentralized exchange (DEX) on the Arbitrum network with its token $SAPR. An investigation revealed that Swaprum was subjected to a rugpull by its own deployer who had privileged access to LPs in multiple pools and $SAPR token minting.

The exitscam consisted of two main parts:

Liquidity removals on various pools such as USDT/WETH ($241k), USDT/USDC ($280k), ARB/WETH ($280k), ARB/USDC($126K), WOM/USDT($49K) and etc.
Liquidity removal related to $SAPR token where initially 800k $SAPR were minted directly into scammer's wallet address followed by direct liquidity draining from SAPR/WETH pool for another 500K $SAPR tokens plus ~$94K USD worth of WETH.

Later the attacker deployed a malicious upgrade for the SAPR Controller Proxy contract which allowed to create additional 200M new $SAPR tokens out of thin air via two separate transactions.

Finally, all available liquidity in Swaprum's SAPR/WETH pool was drained using newly created tokens leaving it empty.

The total funds lost reached 2,915,567 $USD and were transferred to another EOA address in two transactions for 1,617.7 $ETH. Consequently, all the stolen funds were transferred through TornadoCash or bridged via Celer Network and Multichain Bridge.