DeFiLabs - REKT

The shitcoin casino claims another set of victims.

Yesterday, DeFiLabs rugged $1.6M from its users on BSC via a backdoor function in their staking contract.

The project describes itself as “A decentralized financeplatform managed by AI” with a “Secure Stable High-Yield Return Staking Pool”.

A full-house on low-effort-buzzword bingo.

Random, previously unheard-of projects rugging on BSC is nothing new.

Mostly, a few to a few hundred thousand dollars go missing, socials get deleted, and a handful of degenerate gamblers barely notice they’ve lost one of their many longshot bets.

But at this stage in the cycle, and with much of retail long gone…

…who’s still YOLOing into this stuff?

Credit: Beosin, HashDit

As with most low-effort BSC rugs, there is no sophisticated hack to report in this case.

The latest vPoolv6 contract contained the backdoor function withdrawFunds which allowed the funder address to drain the contract of user deposits.

The stolen funds include BSC-USD (the vast majority), Cake, wrapped BTC and ETH, and BUSD.

Exploiter address: 0xee08d6c3a983eb22d7137022f0e9f5e7d4cf0be2

Rug contract: 0xdEDbd1804569F369e33e453Ee311F0F97dCd0Bde

Example tx: 0xcd255e0d…

Funds ($1.6M) consolidated here: 0x53ccFbC90A3fCDAfe9a2a50F798bEE7CcB5461b6

It will come as no surprise that the project had been audited by Certik (who did point out centralisation, aka ruggability, issues), as well as Cyberscope.

However, neither audit covered the vPoolv6 contract, despite the fact that both audits were conducted after the contract’s publication.

DeFiLabs released a statement on both Twitter and Telegram stating that:

[the] platform is currently undergoing maintenance and updates. Unfortunately, we encountered an unexpected issue during this process. To ensure the safety of your assets and smooth operations, we have decided to temporarily suspend staking operations.

The message goes on to state that withdrawals are paused but, funnily enough, doesn’t mention the draining of the staking contract.

The team have promised an update in 48 hours…

…just enough time for the next rug to come along and everyone to forget.

Two months ago DeFiLabs helpfully published a ‘RISK WARNING!!’ to make sure users didn’t accidentally stray from their rug contract.

How considerate of them.

This incident is just one in a long line of rugpulls on BSC, with the last notable incident being the $2.36M lost on GMETA last week.

The ill-gotten gains of one rug are often being siphoned straight into the next project’s LP or used to pump the new token, according to BlockSec’s MetaSleuth.

It’s all so tiresome.

Multiple repetitions of the same bug.

Centralised platforms losing tens of millions to compromised keys.

Hacks and rugs on little-known BSC projects popping up every few days.

It feels like 2021 again here at

We are so back.


share this article

REKT serves as a public platform for anonymous authors, we take no responsibility for the views or content hosted on REKT.

donate (ETH / ERC20): 0x3C5c2F4bCeC51a36494682f91Dbc6cA7c63B514C


REKT is not responsible or liable in any manner for any Content posted on our Website or in connection with our Services, whether posted or caused by ANON Author of our Website, or by REKT. Although we provide rules for Anon Author conduct and postings, we do not control and are not responsible for what Anon Author post, transmit or share on our Website or Services, and are not responsible for any offensive, inappropriate, obscene, unlawful or otherwise objectionable content you may encounter on our Website or Services. REKT is not responsible for the conduct, whether online or offline, of any user of our Website or Services.