RocketSwap 472 ETH Exploit Sparks The Speculation of a Rug Pull

The crypto community has lashed out at the RocketSwap team after a 472 Ethereum (ETH) was taken following a private key compromise.

Coinbase Base drew enthusiasm from many developers and users when it debuted. The Layer 2 protocol launched with over 100 decentralized applications (dApps), but within a week, the projects are becoming a favorite target of scammers.

According to the Web3 security firm Beosin, hackers stole over 472 ETH (approx. $869,000) from the decentralized exchange (DEX) RocketSwap. 

The exploiters accessed the funds via a compromise in the private keys. Then they bridged the tokens to Ethereum through the Stargate bridge. The screenshot below shows the flow of the funds prepared by Beosin.

RocketSwap apologized to the users for the loss and explained:

“A brute force hack of the server was detected, and due to the proxy contract used for the farm contract, there were multiple high-risk permissions that led to the transfer of the farm’s assets.”

Furthermore, the project disabled comments on X (Twitter) and Telegram. The team faced heavy criticism from the community for disabling the communication after the exploit. An X (Twitter) user wrote:

“Probably the worst hack reaction I have ever seen. They shut down the Telegram and finish the tweet with:

“We are very sorry for your loss”

Like they don’t have anything to do with it”

The Total Value Locked (TVL) on RocketSwap is down by more than 25% in the past 24 hours. According to DefiLlama, the TVL currently stands at around $2.48 million after the sharp decline.

Irresponsible Security Standards

For Web3 projects, and even for individuals, the storage of private keys is the most essential security measure. Ideally, private keys or secret key phrases should be stored offline to minimize the chances of a compromise.

RocketSwap put the private keys on a server leading to the compromise. The poor security measure has invited widespread criticism from community members.

Some other security blunders by RocketSwap have also come to light following the recent exploit. On Aug. 8, a community member shared screenshots of deleted posts from RocketSwap, which showed the team admitting to transferring $69,000 worth of native tokens (RCKT) to scammers.

The scammers, disguised as KuCoin team members, claimed that they wanted to list the RCKT tokens and asked the team to send tokens for liquidity market making. The RocketSwap team realized they had been scammed due to the sell-off after sending the tokens.  

Community member Dashen De Silva believes the team sold tokens for their benefit and used “fabricated narrative as a cover.”

A Rug pull?

With two back-to-back incidents within eight days, the community suspects that the RocketSwap team might have conducted a rug pull.

An X (Twitter) user, Forgiving, believes that RCKT was a “hard rug.” They questioned the deployer’s change in proxy hours before the exploit. Forgiving wrote:

It was likely a pre-meditated planned rug

The community members are further suspicious as RocketSwap halted the mode of communications. There are also allegations that RocketSwap used to spoof the volumes.

With the RocketSwap exploit, some community members also point fingers at Coinbase Base due to multiple rug pull/hack incidents. 

On Aug. 1, another DEX on the Base network, LeetSwap, lost 340 ETH (approximately $600,000) due to a vulnerable function in the smart contract. Simultaneously, a scammer deployed a meme coin BALD on the Base network and later removed the liquidity, conducting a rug pull of over $23 million.

Following these incidents, a community member wrote:

“Base on-chain summer became base hard rug summer

Bald, leetswap, rocketswap and about 99% of contracts made on base.”

On Aug. 9, Coinbase launched the mainnet of its Layer 2 protocol Base. Within 24 hours, the network recorded over 136,000 daily active users. 

Got something to say about the RocketSwap exploit or anything else? Write to us or join the discussion on our Telegram channel. You can also catch us on TikTok, Facebook, or X (Twitter).

For BeInCrypto’s latest Bitcoin (BTC) analysis, click here.