defirisk.co
rubric v1.7.0

RocketSwap: Bruteforced server private keys → farming contract drain via proxy admin + high-risk permissions

RocketSwap lost $869K when attackers bruteforced their server to steal private keys, then used those keys to drain farming contracts through a proxy architecture that granted unlimited admin permissions.

Occurred 2023-08-14 Loss $869K Status closed

Summary #

RocketSwap suffered a DEX / AMM / Yield Farming on 2023-08-14, resulting in a loss of approximately $869K.

What happened #

RocketSwap lost $869K when attackers bruteforced their server to steal private keys, then used those keys to drain farming contracts through a proxy architecture that granted unlimited admin permissions.

Linked factors #

  • RD-F-004 — causal : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited — root cause is key management and proxy permission architecture]
  • RD-F-006 — causal : Audit-deploy gap (RD-F-006 time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — farming contracts were newly deployed on Base] || Audit-deploy gap — alternate field name [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — farming contracts were newly deployed on Base]
  • RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
  • RD-F-027 — causal : ★ Single admin EOA (not multisig, not timelock) [via cross-hack: Factor 18: Single Admin Key With No On-Chain Delay] || ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action: Y — farming contracts drained via internal admin address (privileged key holder action)]
  • RD-F-032 — related : Timelock duration on upgrades = 0 [via cross-hack: Factor 18: Single Admin Key With No On-Chain Delay]
  • RD-F-101 — illustrative : Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action: Y — farming contracts drained via internal admin address (privileged key holder action)]
  • RD-F-111 — causal : Team doxx status — pseudonymous-no-track-record class [via dashboard_risk_factors/Team anonymity: Unknown (comments disabled; Telegram paused during incident)]
  • RD-F-146 — related : New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — farming contracts were newly deployed on Base]