Developers of decentralized exchange (DEX) Swaprum have drained $3 million in ether (ETH) tokens from the protocol in an apparent rugpull, otherwise known as an exit scam.

The exchange, launched on the Ethereum layer-2 network Arbitrum, offers high farming rewards, low swapping fees, and potential earnings of up to 100% annual percentage yield (APY).

Swaprum Rugpulls Users for $3M

Blockchain security firm Peckshield flagged the incident on Friday, disclosing that approximately 1,628 ETH, worth roughly $3 million, was drained from Swaprum’s liquidity pools. Onchain data shows that the exit scam was executed in the late hours of Thursday.

The team first removed the liquidity provided for SAPR, the platform’s native token, on the exchange and sold the assets for ETH. The funds were subsequently transferred from Arbitrum to Ethereum and then moved to cryptocurrency mixer Tornado Cash.

A deeper analysis by blockchain security platform Beosin revealed that the deployer of the Swaprum smart contract added a backdoor function to enable the theft of liquidity pool tokens staked by users. The deployer used the add() function to drain the pool for their profit.

Beosin further explained that the Swaprum team had upgraded the normal liquidity collateral reward contract to another containing backdoor functions.

“The backdoor function add() will transfer LP tokens from the contract to the _devadd address. By querying the _devadd address, it will return the ‘Swaprum:Deployer’ address. The Swaprum: Deployer uses the stolen LP tokens in the previous step to remove liquidity,” the security platform stated.

SAPR Tok