DeFi project Swaprum has disappeared with client funds totaling $3 million in what appears to be a rug pull, just weeks after it was audited by CertiK. Now people are pointing fingers at CertiK, saying it approved “another rug pull.”
Security firm PeckShield said on Twitter that the money was in the form of Ethereum and the “scammers” used popular coin mixing app Tornado Cash to launder the funds.
Swaprum, a decentralized exchange (DEX) which runs on Ethereum scaling solution Arbitrum, now appears to have deleted all its social media accounts. Its website, which allows users to swap digital coins and tokens without signing up, remains active.
A rug pull happens when a developer launches a project that seems legitimate but then disappears with investor funds. Decentralized finance protocols—apps that want to automate what banks and brokerages do—get hit hard by hacks and rug pulls. This is because the sphere is new and experimental.
CertiK published its audit of the DEX earlier this month, saying that it had no critical risks but three major risks—including that the protocol was heavily centralized.
CertiK has since been criticized on Twitter as a result. “As a [sic] audit company, CertiK is free to choose who they do business with,” TradingStrategy.ai co-founder Mikko Ohtamaa wrote.
“CertiK made a deliberate business decision to approve another rug pull.”
🚨 Swaprum (@Swaprum) on Arbitrum rugged by its founders for ~$3M
Here’s what happened:
— Hacken🇺🇦 (@hackenclub) May 19, 2023
But CertiK has pushed back, saying that an audit isn’t a guarantee that a team has made all the changes it recommended.
“As an auditor, we cannot force projects to implement our recommendations, but we can clearly and publicly call out vulnerabilities where we find them,” a CertiK spokesperson told Decrypt. “We did this with Swaprum, and the audit report is freely accessible on our website.”
The company went on to explain how it thinks Swaprum was exploited, saying that a portion of the code was replaced with malicious code after the smart contract was audited.
“Instead of manipulating the audited MasterChef contract, the deployer replaced it with an unaudited malicious contract in order to carry out the rugpull,” the company said. “The vulnerability stems from the proxy upgradability (which we called out as a major vulnerability), rather than an issue with the smart contract that we audited.”
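The upgrade path CertiK describes (an audited implementation swapped out behind a proxy) is something a monitor can catch. As an added example that is not code from the article, CertiK or Swaprum: a Python check that decodes a proxy's EIP-1967 implementation and admin storage slots and reports the first block at which the proxy stopped pointing at the audited implementation. The addresses, block numbers and observations are constructed samples standing in for eth_getStorageAt reads; the slot constants are the EIP-1967 standard values.

```python
from dataclasses import dataclass
from typing import Optional

# EIP-1967 well-known slots (standard constants, not values from the article):
#   implementation: keccak256("eip1967.proxy.implementation") - 1
#   admin:          keccak256("eip1967.proxy.admin") - 1
IMPLEMENTATION_SLOT = "0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc"
ADMIN_SLOT = "0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103"
ZERO_ADDRESS = "0x" + "00" * 20


def slot_to_address(slot_value: str) -> str:
    """Decode a 32-byte storage word (as eth_getStorageAt returns it) into the
    20-byte address held in its low-order bytes."""
    raw = bytes.fromhex(slot_value[2:] if slot_value.startswith("0x") else slot_value)
    if len(raw) != 32:
        raise ValueError("expected a 32-byte storage word")
    return "0x" + raw[12:].hex()


@dataclass(frozen=True)
class ProxyObservation:
    block: int
    implementation_word: str  # raw word read from IMPLEMENTATION_SLOT
    admin_word: str           # raw word read from ADMIN_SLOT


def first_divergence(audited_impl: str, observations) -> Optional[int]:
    """First block at which the proxy no longer points at the audited
    implementation, or None if every observation still matches it."""
    audited = audited_impl.lower()
    for obs in sorted(observations, key=lambda o: o.block):
        if slot_to_address(obs.implementation_word) != audited:
            return obs.block
    return None


def upgrade_still_possible(observation: ProxyObservation) -> bool:
    """True while an admin is set: the implementation can be replaced at any
    time without a new audit. Only a zero admin rules that out."""
    return slot_to_address(observation.admin_word) != ZERO_ADDRESS


def word(addr: str) -> str:
    """Left-pad an address to a 32-byte storage word (constructed samples)."""
    return "0x" + addr[2:].rjust(64, "0")


# Constructed sample (hypothetical addresses): audited code at blocks 900 and
# 950, then the implementation slot repointed to a different contract at 1000.
AUDITED, MALICIOUS, ADMIN = "0x" + "aa" * 20, "0x" + "bb" * 20, "0x" + "cc" * 20
SAMPLE = [ProxyObservation(900, word(AUDITED), word(ADMIN)),
          ProxyObservation(950, word(AUDITED), word(ADMIN)),
          ProxyObservation(1000, word(MALICIOUS), word(ADMIN))]
```

Against a live proxy, replace the constructed words with eth_getStorageAt(proxy, IMPLEMENTATION_SLOT) and eth_getStorageAt(proxy, ADMIN_SLOT) reads at each block of interest; a non-None result means the code users interact with is no longer the code that was audited.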
Just last month, another DEX audited by CertiK, zkSync-based Merlin, was drained of around $1.82 million. CertiK blamed the Merlin attack on “rogue developers.”
In a post on Twitter, CertiK said that, “Initial investigations indicate that the rogue developers are based in Europe, and we are working with law enforcement to track them down,” and urged them to accept a 20% white hat bounty. Merlin itself accused “several members of the Back-End team” of draining its contracts in a Twitter post.
Editor’s Note: This post was updated to include comment from CertiK. The headline was also changed to reflect the fact that CertiK audited, but did not certify, Swaprum.