DeFiLabs - REKT



The shitcoin casino claims another set of victims.

Yesterday, DeFiLabs rugged $1.6M from its users on BSC via a backdoor function in their staking contract.

The project describes itself as “A decentralized finance platform managed by AI” with a “Secure Stable High-Yield Return Staking Pool”.

A full-house on low-effort-buzzword bingo.

Random, previously unheard-of projects rugging on BSC is nothing new.

Mostly, a few to a few hundred thousand dollars go missing, socials get deleted, and a handful of degenerate gamblers barely notice they’ve lost one of their many longshot bets.

But at this stage in the cycle, and with much of retail long gone…

…who’s still YOLOing into this stuff?

Credit: Beosin, HashDit

As with most low-effort BSC rugs, there is no sophisticated hack to report in this case.

The latest vPoolv6 contract contained the backdoor function withdrawFunds which allowed the funder address to drain the contract of user deposits.
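For anyone reviewing a staking contract before depositing, this pattern can be flagged mechanically. The heuristic below is an added example, not part of the original article and not the project's code: it scans Solidity source for externally callable functions that move assets behind a privileged-caller check without touching any per-user balance. The sample contract is constructed; only the names withdrawFunds and funder come from the write-up.

```python
import re

# Constructed Solidity sample. NOT the real vPoolv6 source (the article does not
# show it); only the names withdrawFunds and funder come from the write-up.
SAMPLE = '''
contract Pool {
    address public funder;
    mapping(address => uint256) public balances;
    function deposit(uint256 amount) external {
        token.transferFrom(msg.sender, address(this), amount);
        balances[msg.sender] += amount;
    }
    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient");
        balances[msg.sender] -= amount;
        token.transfer(msg.sender, amount);
    }
    function withdrawFunds(address asset, uint256 amount) external {
        require(msg.sender == funder, "not funder");
        IERC20(asset).transfer(funder, amount);
    }
}
'''

FUNC = re.compile(r'function\s+(\w+)\s*\([^)]*\)([^{;]*)\{')
MOVES = re.compile(r'\.(?:safeTransfer|transfer|send)\s*\(|\.call\s*\{\s*value')
GATED = re.compile(r'msg\.sender\s*==\s*\w+|\w+\s*==\s*msg\.sender|\bonly[A-Z]\w*')
PER_USER = re.compile(r'\[\s*msg\.sender\s*\]')

def body_at(src, open_idx):
    """Return the text between the '{' at open_idx and its matching '}'."""
    depth = 0
    for i in range(open_idx, len(src)):
        depth += {'{': 1, '}': -1}.get(src[i], 0)
        if depth == 0:
            return src[open_idx + 1:i]
    return src[open_idx + 1:]  # unbalanced source: take the rest

def find_privileged_drains(src):
    """Flag callable functions that move assets for a privileged caller only."""
    findings = []
    for m in FUNC.finditer(src):
        name, modifiers = m.group(1), m.group(2)
        body = body_at(src, m.end() - 1)
        callable_ = re.search(r'\b(external|public)\b', modifiers)
        if (callable_ and MOVES.search(body) and GATED.search(modifiers + body)
                and not PER_USER.search(body)):
            findings.append(name)
    return findings
```

This is a text-level heuristic: it will miss drains routed through internal helpers, proxies or delegatecall, so a clean result is not proof of safety.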

The stolen funds include BSC-USD (the vast majority), Cake, wrapped BTC and ETH, and BUSD.

Exploiter address: 0xee08d6c3a983eb22d7137022f0e9f5e7d4cf0be2

Rug contract: 0xdEDbd1804569F369e33e453Ee311F0F97dCd0Bde

Example tx: 0xcd255e0d…

Funds ($1.6M) consolidated here: 0x53ccFbC90A3fCDAfe9a2a50F798bEE7CcB5461b6

It will come as no surprise that the project had been audited by Certik (who did point out centralisation, aka ruggability, issues), as well as Cyberscope.

However, neither audit covered the vPoolv6 contract, despite the fact that both audits were conducted after the contract’s publication.

DeFiLabs released a statement on both Twitter and Telegram stating that:

[the] platform is currently undergoing maintenance and updates. Unfortunately, we encountered an unexpected issue during this process. To ensure the safety of your assets and smooth operations, we have decided to temporarily suspend staking operations.

The message goes on to state that withdrawals are paused but, funnily enough, doesn’t mention the draining of the staking contract.

The team have promised an update in 48 hours…

…just enough time for the next rug to come along and everyone to forget.

Two months ago DeFiLabs helpfully published a ‘RISK WARNING!!’ to make sure users didn’t accidentally stray from their rug contract.

How considerate of them.

This incident is just one in a long line of rugpulls on BSC, with the last notable incident being the $2.36M lost on GMETA last week.

The ill-gotten gains of one rug are often siphoned straight into the next project’s LP or used to pump the new token, according to BlockSec’s MetaSleuth.

It’s all so tiresome.

Multiple repetitions of the same bug.

Centralised platforms losing tens of millions to compromised keys.

Hacks and rugs on little-known BSC projects popping up every few days.

It feels like 2021 again here at rekt.news.

We are so back.

Right?

