The developer of ArbiSwap, a decentralized exchange (DEX) that operates on the Arbitrum network, has reported that it has been rugged by people they believe to be their developers.
The vulnerability was introduced through the swapping of the contract, which contained a recoverToken function. This function allowed the developer to recover user funds and send them to their own wallet. Liquidity providers not native to the pool were intended to be safe from the attack, as the target of the rug pull was pool2, which held all of the stolen funds.
The exploit gives its victims access to a router address that can be used to drain their liquidity. Interestingly, the person who pulled the rug earned 85 ETH by mint dumping on the ARBI/USDC LP pool but forgot about the ARBI/WETH pool. Because of this action, an arbitrage bot could earn 112 thousand dollars for pool2 farmers.
Despite the hack, the funds of those who deposited them in the initial contract ending with 392B4 have been preserved. Additionally, users can interact with the contract directly to revoke permissions, withdraw funds, and maintain the safety of their assets.
Rug pulls, or exit scams, are prevalent in decentralized finance (DeFi). To carry out these attacks, malicious actors generate contracts or DEXes and then drain user funds using various methods, including a “recover” function.
The vulnerability has harmed the reputation of Arbitrum and may cause users to lose trust in the entire chain. However, this is not the first time a DEX has been hacked. Furthermore, the DeFi space is still in its early stages, which makes it susceptible to attacks of this nature.
The recent denial of service attack against ArbiSwap highlights the importance of users exercising caution when utilizing DEXes and other decentralized exchange platforms. Before depositing funds on any platform, conducting research and verifying the platform’s legitimacy is essential. This is especially important in popular chains like Arbitrum.
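One way to do part of that research, as an added example (not code from ArbiSwap or from this article): a Python check that scans a contract's published ABI for state-changing functions resembling the recoverToken function described above. The sample ABI, the name patterns and the helper names are constructed assumptions.

```python
import json
import re

# Name fragments commonly used for owner-side token extraction functions.
# The list is an assumption of this example, not taken from the ArbiSwap contract.
SUSPECT_NAME = re.compile(r"(recover|rescue|sweep|drain|emergency|migrate)", re.I)

# Constructed ABI for a hypothetical staking pool; not the real ArbiSwap ABI.
SAMPLE_ABI = json.loads("""
[
 {"type":"function","name":"deposit","stateMutability":"nonpayable",
  "inputs":[{"name":"amount","type":"uint256"}]},
 {"type":"function","name":"withdraw","stateMutability":"nonpayable",
  "inputs":[{"name":"amount","type":"uint256"}]},
 {"type":"function","name":"balanceOf","stateMutability":"view",
  "inputs":[{"name":"user","type":"address"}]},
 {"type":"function","name":"recoverToken","stateMutability":"nonpayable",
  "inputs":[{"name":"token","type":"address"},{"name":"amount","type":"uint256"}]},
 {"type":"event","name":"Deposit","inputs":[]}
]
""")

def signature(entry):
    """Render name(type,type) the way block explorers display it."""
    return "%s(%s)" % (entry["name"], ",".join(i["type"] for i in entry.get("inputs", [])))

def flag_recovery_functions(abi):
    """Return signatures of state-changing functions that look like token recovery.

    A hit is not proof of malice: it marks a function whose source and access
    control (who may call it, which tokens it may move) need manual review.
    """
    hits = []
    for entry in abi:
        if entry.get("type") != "function":
            continue  # skip events, constructors, errors
        if entry.get("stateMutability") in ("view", "pure"):
            continue  # read-only functions cannot move funds
        takes_address = any(i["type"] == "address" for i in entry.get("inputs", []))
        if SUSPECT_NAME.search(entry["name"]) and takes_address:
            hits.append(signature(entry))
    return hits

if __name__ == "__main__":
    for sig in flag_recovery_functions(SAMPLE_ABI):
        print("review before depositing:", sig)
```

A flagged function only tells you where to read the verified source; the decisive questions are who is allowed to call it and whether it can move tokens that users have staked.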