
STABLEMAGNET SWAP - ANALYSIS OF A RUGPULL


Around $22.2 million (currently $27 million and increasing) in BUSD was rug pulled from StableMagnet Swap's liquidity pool on 23 June 2021. This is an analysis of the exploit.

Addresses

Overview

The protocol's operators managed to rug pull 22.2 million dollars.

This is the transaction that initiated the rug pull; it included 3 token transfers totalling 22.2 million dollars' worth.

Following the withdrawal, all funds were split and transferred to multiple wallets, converted to Tether (USDT), and finally converted to DAI.

Transfer Of Funds

The following are the rough steps of the transactions that occurred:

Exploit Analysis

As we can see, the main exploit occurred in an external call made within the StableMagnet contract.

This external call went to a library called SwapUtils, which had a method that enabled the operators to transfer all the liquidity to their own wallet.

The attackers took advantage of the fact that block explorers only verify the source code of the submitted contract, not that of the libraries it imports. This let them keep hidden functions, since the code of that library contract was never made public.

Not only did the library have a method to transfer the pool's funds out, it also had the ability to keep extracting funds from the wallets of users who had approved StableMagnet to spend a set allowance in return for more tokens.
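The second part of the damage described above comes from standing ERC-20 allowances: once a user has approved a spender, that spender can pull up to min(allowance, balance) at any time, and an unlimited approval stays live until it is revoked. The following is an added example (not code from the original post or from StableMagnet) that reads Approval event logs for one spender and estimates what that spender could pull right now. The token, wallet and spender addresses are constructed placeholders; the Approval and Transfer topic hashes are the standard ERC-20 event signatures.

```python
# Added example: flag standing ERC-20 allowances granted to a given spender
# and estimate the exposure. All addresses and balances are constructed.

# keccak256("Approval(address,address,uint256)") and
# keccak256("Transfer(address,address,uint256)"), the standard ERC-20 topics.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
UINT256_MAX = 2**256 - 1


def topic_to_address(topic: str) -> str:
    """Indexed address parameters are left-padded to 32 bytes in topics."""
    return "0x" + topic[-40:].lower()


def is_unlimited(value: int) -> bool:
    """The common 'infinite approval' pattern is value == uint256 max."""
    return value == UINT256_MAX


def parse_approval(log: dict):
    """Return (owner, spender, value) for an Approval log, else None."""
    topics = log["topics"]
    if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
        return None
    return topic_to_address(topics[1]), topic_to_address(topics[2]), int(log["data"], 16)


def current_allowances(logs, spender: str) -> dict:
    """Latest allowance per (owner, token) granted to `spender`. Logs must be
    in chain order, because each Approval overwrites the previous value
    (a later Approval of 0 is a revocation)."""
    spender = spender.lower()
    allowances = {}
    for log in logs:
        parsed = parse_approval(log)
        if parsed is None:
            continue
        owner, approved_spender, value = parsed
        if approved_spender == spender:
            allowances[(owner, log["address"].lower())] = value
    return allowances


def exposure(allowances: dict, balances: dict) -> dict:
    """What the spender could actually pull now: the smaller of the standing
    allowance and the owner's current token balance, per (owner, token)."""
    at_risk = {}
    for key, allowance in allowances.items():
        drainable = min(allowance, balances.get(key, 0))
        if drainable > 0:
            at_risk[key] = drainable
    return at_risk


# ---- constructed sample data (placeholders, not real addresses) ----
SPENDER = "0x" + "aa" * 20   # stands in for the protocol's swap contract
BUSD = "0x" + "bb" * 20      # stands in for the stablecoin token contract
ALICE = "0x" + "11" * 20
BOB = "0x" + "22" * 20


def pad32(addr: str) -> str:
    """Encode an address the way it appears in an indexed topic."""
    return "0x" + addr[2:].rjust(64, "0")


SAMPLE_LOGS = [
    # Alice granted an unlimited allowance.
    {"address": BUSD, "topics": [APPROVAL_TOPIC, pad32(ALICE), pad32(SPENDER)],
     "data": hex(UINT256_MAX)},
    # Bob approved 500 tokens, then revoked it.
    {"address": BUSD, "topics": [APPROVAL_TOPIC, pad32(BOB), pad32(SPENDER)],
     "data": hex(500 * 10**18)},
    {"address": BUSD, "topics": [APPROVAL_TOPIC, pad32(BOB), pad32(SPENDER)],
     "data": "0x0"},
    # A Transfer log, which the scanner must ignore.
    {"address": BUSD, "topics": [TRANSFER_TOPIC, pad32(ALICE), pad32(BOB)],
     "data": hex(10 * 10**18)},
]
BALANCES = {(ALICE, BUSD): 1200 * 10**18, (BOB, BUSD): 900 * 10**18}

if __name__ == "__main__":
    allowances = current_allowances(SAMPLE_LOGS, SPENDER)
    for (owner, token), value in allowances.items():
        tag = "UNLIMITED" if is_unlimited(value) else str(value)
        print(f"{owner} -> {token}: allowance {tag}")
    print("drainable now:", exposure(allowances, BALANCES))
```

The point of `exposure` is that the allowance alone overstates the risk (Alice's unlimited approval is capped by her 1200-token balance) and understates nothing: any new tokens Alice receives become drainable too until she revokes. Bob's later zero approval correctly drops him from the at-risk set.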

Prevention

This rug pull highlights certain flaws.

First, we should never trust the verified check mark: it only confirms that the supplied source matches the deployed code, and even when the code uses no external libraries, verification is no guarantee of the safety of the contract.
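Both the exploit analysis above (the hidden SwapUtils library) and this prevention point come down to one check a reader can do without trusting the explorer's tick: look at the deployed bytecode itself for hardcoded addresses the contract delegates to, and then verify each of those addresses separately. When solc links an external library it emits the library's address as a PUSH20 immediate followed (after argument setup) by DELEGATECALL. The following is an added example (not code from the original post or from any explorer) of a minimal EVM bytecode walker that extracts those addresses; the sample bytecode and the library address in it are constructed.

```python
# Added example: list the 20-byte addresses a contract hardcodes and the
# external-call opcodes it uses, so each address can be checked for verified
# source on its own. Sample bytecode is constructed; the address is a placeholder.

PUSH1, PUSH32 = 0x60, 0x7F
PUSH20 = 0x73
CALL_OPCODES = {0xF1: "CALL", 0xF2: "CALLCODE", 0xF4: "DELEGATECALL", 0xFA: "STATICCALL"}


def disassemble(code: bytes):
    """Yield (offset, opcode, immediate) triples. PUSH immediates are skipped
    as data so that bytes inside them are never misread as opcodes."""
    pc = 0
    while pc < len(code):
        op = code[pc]
        if PUSH1 <= op <= PUSH32:
            n = op - PUSH1 + 1
            imm = code[pc + 1 : pc + 1 + n]
            yield pc, op, imm
            pc += 1 + n
        else:
            yield pc, op, b""
            pc += 1


def scan_external_calls(code: bytes) -> dict:
    """Return the hardcoded 20-byte constants (candidate linked addresses,
    in first-seen order) and the set of external-call opcodes in `code`."""
    addresses = []
    calls = set()
    for _, op, imm in disassemble(code):
        if op == PUSH20 and len(imm) == 20:
            addr = "0x" + imm.hex()
            if addr not in addresses:
                addresses.append(addr)
        elif op in CALL_OPCODES:
            calls.add(CALL_OPCODES[op])
    return {"addresses": addresses, "calls": sorted(calls)}


def needs_library_review(code: bytes) -> bool:
    """Flag bytecode that both hardcodes an address and uses DELEGATECALL:
    that is the shape of a linked library, whose source the explorer's
    verification of the calling contract does not cover."""
    result = scan_external_calls(code)
    return bool(result["addresses"]) and "DELEGATECALL" in result["calls"]


# Constructed sample: the usual solc preamble, a PUSH1 whose immediate happens
# to equal the PUSH20 opcode byte (must be skipped as data), then a linked
# library call tail: PUSH20 <addr> GAS DELEGATECALL, then STOP.
LIBRARY_PLACEHOLDER = bytes.fromhex("cafe" * 10)  # 20 bytes, not a real address
SAMPLE_CODE = (
    bytes.fromhex("6080604052")          # PUSH1 0x80 PUSH1 0x40 MSTORE
    + bytes([PUSH1, 0x73])               # PUSH1 0x73 (data, not an opcode)
    + bytes([PUSH20]) + LIBRARY_PLACEHOLDER
    + bytes([0x5A, 0xF4])                # GAS DELEGATECALL
    + bytes([0x00])                      # STOP
)

if __name__ == "__main__":
    result = scan_external_calls(SAMPLE_CODE)
    for addr in result["addresses"]:
        print("hardcoded address, verify it separately:", addr)
    print("external call opcodes:", result["calls"])
    print("needs library review:", needs_library_review(SAMPLE_CODE))
```

Two caveats when running this against real bytecode: a PUSH20 can hold a constant that is not an address, so treat the list as candidates to look up rather than proof of linking; and bytecode that still contains solc's unlinked placeholders has not been linked at all, which is itself a sign to stop and ask why. Any candidate whose own deployed code has no verified source deserves the same suspicion this post attaches to SwapUtils.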

This rug pull was an example of a hidden transfer that is not visible to the public but, when executed, moves all the liquidity to the owner's contract or wallet.

Again, this calls for stronger awareness on the part of investors, especially in conducting at least a brief audit of the token they are investing in, or at least reading the audit performed by a third party, checking whether it seems legitimate, and checking whether every issue it raised has been confirmed fixed, with proof, by the team.

This post is licensed under CC BY 4.0 by the author.