DeFiLabs: Backdoor Function in Staking Contract (Insider Rug Pull)

Summary #

DeFiLabs suffered a Yield / Staking on 2023-07-27, resulting in a loss of approximately $2M.

What happened #

DeFiLabs drained $1.6M from its own BSC staking contract via a hidden `withdrawFunds` backdoor function — an unaudited contract version that both Certik and Cyberscope had examined (but not covered) after it was already deployed.

Linked factors #

• RD-F-001 — causal : ★ Audit scope mismatch — exploited code outside scope [via dashboard_risk_factors/Was exploited code in audit scope?: N — vPoolv6 was not in scope for either Certik or Cyberscope, despite being the active user-facing contract] || ★ Audit scope mismatch — full field name [via dashboard_risk_factors/Was exploited code in audit scope?: N — vPoolv6 was not in scope for either Certik or Cyberscope, despite being the active user-facing contract]
• RD-F-004 — causal : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited — vPoolv6 not in audit scope]
• RD-F-006 — causal : Audit-deploy gap (RD-F-006 time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — vPoolv6 was a new contract version, deployed and actively used but never audited] || Audit-deploy gap — alternate field name [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — vPoolv6 was a new contract version, deployed and actively used but never audited]
• RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: None mentioned]
• RD-F-111 — causal : Team doxx status — pseudonymous-no-track-record class [via dashboard_risk_factors/Team anonymity: Anonymous — typical BSC rug profile; team disappeared post-rug]
• RD-F-146 — related : New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — vPoolv6 was a new contract version, deployed and actively used but never audited]