defirisk.co
rubric v1.7.0

StableMagnet: Malicious Unverified Library (SwapUtils) — Rugpull with Approval Drain

StableMagnet's Techrate-audited protocol drained $27M by deploying a different library than the one audited — BSCScan doesn't verify linked libraries, so the malicious code was hiding in plain sight.

Occurred 2021-06-24 Loss $27M Status closed

Summary #

StableMagnet, a stablecoin AMM, was rugpulled on 2021-06-24, resulting in a loss of approximately $27M.

What happened #

StableMagnet's Techrate-audited protocol drained $27M by deploying a different library than the one audited — BSCScan doesn't verify linked libraries, so the malicious code was hiding in plain sight.
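The verification gap described above, as an added example that is not from defirisk.co, Techrate or the StableMagnet project: a Python check that walks a contract's runtime bytecode, collects every 20-byte PUSH immediate (Solidity emits `PUSH20 <address>` before the `DELEGATECALL` into a linked library), and compares the code actually deployed at each of those addresses against the audited library build. All bytecode, addresses and library names below are constructed sample data; in practice the on-chain code would come from an `eth_getCode` RPC call and the audited code from the compiler artifact of the audited commit.

```python
"""
Linked-library bytecode check (constructed example).

Explorer verification of a contract only proves that the contract's own
source compiles to its runtime bytecode. The libraries it links to are
separate deployments, so their code must be compared against the audited
build independently. This script does that comparison offline on sample data.
"""
from typing import Dict, List

PUSH1, PUSH20, PUSH32 = 0x60, 0x73, 0x7F
DELEGATECALL = 0xF4


def extract_push20_addresses(runtime_code: bytes) -> List[str]:
    """Return every 20-byte PUSH immediate found in the bytecode.

    PUSH immediates are skipped as data so that a 0x73 byte inside, say, a
    PUSH32 constant is not mistaken for an opcode. This over-approximates the
    set of linked libraries (any PUSH20 counts), which is the safe direction
    for a review: extra candidates are cheap to check, missed ones are not.
    """
    addrs = set()
    i = 0
    while i < len(runtime_code):
        op = runtime_code[i]
        if PUSH1 <= op <= PUSH32:
            width = op - PUSH1 + 1
            imm = runtime_code[i + 1:i + 1 + width]
            if op == PUSH20 and len(imm) == 20:
                addrs.add("0x" + imm.hex())
            i += 1 + width
        else:
            i += 1
    return sorted(addrs)


def audit_linked_libraries(
    runtime_code: bytes,
    onchain_code_by_addr: Dict[str, bytes],
    audited_library_code: Dict[str, bytes],
) -> Dict[str, str]:
    """For each address the contract pushes, classify the code deployed there.

    onchain_code_by_addr stands in for eth_getCode results; an address that is
    missing from it has no code (an EOA or an undeployed address).
    audited_library_code maps an audited library name to its audited runtime
    bytecode. A linked address whose code matches none of them is exactly the
    "different library than the one audited" case.
    """
    report = {}
    for addr in extract_push20_addresses(runtime_code):
        code = onchain_code_by_addr.get(addr)
        if not code:
            report[addr] = "no code at address"
            continue
        matched = [name for name, audited in audited_library_code.items() if audited == code]
        if matched:
            report[addr] = "matches audited " + matched[0]
        else:
            report[addr] = "code differs from every audited library"
    return report


# ---- constructed sample data (not real StableMagnet bytecode) ----
LIB_GOOD = "0x" + "11" * 20   # hypothetical: the audited SwapUtils deployment
LIB_BAD = "0x" + "22" * 20    # hypothetical: a deployment with different code
LIB_EMPTY = "0x" + "33" * 20  # hypothetical: address with no code at all

AUDITED_LIBRARIES = {"SwapUtils": bytes([0x60, 0x01, 0x60, 0x02, 0x01, 0x00])}
ONCHAIN_CODE = {
    LIB_GOOD: bytes([0x60, 0x01, 0x60, 0x02, 0x01, 0x00]),  # identical to audit
    LIB_BAD: bytes([0x60, 0x01, 0x60, 0x02, 0x02, 0x00]),   # one opcode changed
}

# Main contract: PUSH1 0, a PUSH32 constant full of 0x73 bytes (must not be
# parsed as addresses), then PUSH20/DELEGATECALL pairs for three addresses.
MAIN_CONTRACT_RUNTIME = (
    bytes([PUSH1, 0x00])
    + bytes([PUSH32]) + bytes([0x73] * 32)
    + bytes([PUSH20]) + bytes.fromhex("11" * 20) + bytes([DELEGATECALL])
    + bytes([PUSH20]) + bytes.fromhex("22" * 20) + bytes([DELEGATECALL])
    + bytes([PUSH20]) + bytes.fromhex("33" * 20) + bytes([DELEGATECALL])
)

if __name__ == "__main__":
    for addr, status in audit_linked_libraries(
        MAIN_CONTRACT_RUNTIME, ONCHAIN_CODE, AUDITED_LIBRARIES
    ).items():
        print(f"{addr}: {status}")
```

Any address reported as "code differs from every audited library" means the verified main contract is executing code that the audit never covered, which is the condition a reviewer should treat as a blocker regardless of the explorer's green checkmark on the main contract.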

Linked factors #

  • RD-F-001 — causal : ★ Audit scope mismatch — exploited code outside scope [via dashboard_risk_factors/Was exploited code in audit scope?: No — the malicious SwapUtils library was not the code submitted for audit]
  • RD-F-004 — causal : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited (deployed library differed from audited source)]
  • RD-F-006 — causal : Audit-deploy gap (RD-F-006 time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — malicious library was the original deployment]
  • RD-F-076 — related : Protocol age (Cat 5 — < 6 months age signal) [via dashboard_risk_factors/Protocol age: Very new (weeks old)]
  • RD-F-111 — causal : Team doxx status — pseudonymous-no-track-record class [via dashboard_risk_factors/Team anonymity: Anonymous — serial rugpullers, coordinated group]
  • RD-F-126 — causal : Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — Curve/Saddle stableswap fork]
  • RD-F-146 — related : New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — malicious library was the original deployment]