defirisk.co
rubric v1.7.0

Swaprum: Rug Pull via Malicious Contract Upgrade

Swaprum rugged $3M via a malicious contract upgrade — the backdoor wasn't in CertiK's audit scope, but the upgrade capability was, making this the fourth $1M+ rug of 2023 at an "audited" protocol.

Occurred 2023-05-18 Loss $3M Status closed

Summary #

Swaprum suffered a DEX / AMM on 2023-05-18, resulting in a loss of approximately $3M.

What happened #

Swaprum rugged $3M via a malicious contract upgrade — the backdoor wasn't in CertiK's audit scope, but the upgrade capability was, making this the fourth $1M+ rug of 2023 at an "audited" protocol.

Linked factors #

  • RD-F-004 — causal : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited (malicious upgrade); structural risk in audited (upgradeable contract owned by team)]
  • RD-F-006 — causal : Audit-deploy gap (RD-F-006 time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — malicious upgrade deployed immediately before drain] || Audit-deploy gap — alternate field name [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — malicious upgrade deployed immediately before drain]
  • RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
  • RD-F-027 — causal : ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action: Y — Contract upgrade via owner/admin function is the key action; monitoring for reward contract upgrades by the deployer address would surfa...]
  • RD-F-101 — illustrative : Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action: Y — Contract upgrade via owner/admin function is the key action; monitoring for reward contract upgrades by the deployer address would surfa...]
  • RD-F-111 — causal : Team doxx status — pseudonymous-no-track-record class [via dashboard_risk_factors/Team anonymity: Anonymous — deleted all social media post-rug]
  • RD-F-126 — causal : Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — standard AMM fork]
  • RD-F-146 — related : New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — malicious upgrade deployed immediately before drain]