Beetsfarm Finance, a Polygon-based yield farming project, has come under suspicion of fraud. RugDoc specialists say the developers stole more than $120,000 from users.
It happened…
🚨 https://t.co/ZsiObNQ375 finally rugged 🚨
0x369CaBe555716a3349d537DE71b3720D41aC1a1A
this is the wallet that they used. Total funds stolen: $100K and growing @0xPolygon
I hope you revoked the approval and withdrew your funds after our rug alert. ⛔️
— Rugdoc.io (@RugDocIO) June 17, 2021
RugDoc explained that their scanner, tuned to detect unverified smart contracts, rated Beetsfarm as a “high risk” project.
Contract verification confirms that the compiled code matches what is loaded on the blockchain. Under pressure from the community, the developers carried out the necessary procedure, after which RugDoc’s scanner rechecked the smart contract.
"[The scanner] immediately checked it again, and the contract had more alarming indicators than we have ever seen," the service's team noted.
RugDoc believes that Beetsfarm’s smart contract allows deposits and withdrawals to external wallets. After a user approves interaction with the contract, anyone can initiate a transaction from their wallet to the project’s administrators’ address.
2) The contract allowed anyone to deposit and withdraw for anyone’s wallet: After you approve the contract, anyone could thus force you to deposit additional funds. pic.twitter.com/oo2c9f7678
— Rugdoc.io (@RugDocIO) June 17, 2021
The project’s codebase also includes an emergencyWithdraw function. RugDoc specialists found a similar exploit with one important difference: instead of withdrawing assets to the user’s wallet indicated by the “_wallet” parameter, the function transferred them to the project administrators’ address labeled as “wallet”.
4) But the emergencyWithdraw had a very convenient typo: Instead of withdrawing the funds to the user's "_wallet", it withdraws them to "wallet"… which is conveniently set to the admin's wallet. pic.twitter.com/Dzj2yNBdea
— Rugdoc.io (@RugDocIO) June 17, 2021
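The recipient mix-up described above is the kind of thing a reviewer can check for mechanically. The Python sketch below is an added example, not RugDoc's scanner and not Beetsfarm's source: it scans a constructed Solidity snippet for functions that take an address parameter such as `_wallet` but send tokens to a state variable whose name differs only by the leading underscore. The contract text, `userInfo`, `lpToken` and the `withdraw` function are assumptions made for illustration.

```python
import re

# Constructed sample, NOT Beetsfarm's real code: it only models the pattern
# RugDoc described (payout goes to `wallet` instead of the `_wallet` argument).
SAMPLE = '''
contract Farm {
    address public wallet;   // admin-controlled state variable
    function emergencyWithdraw(uint256 _pid, address _wallet) public {
        uint256 amount = userInfo[_pid][_wallet].amount;
        userInfo[_pid][_wallet].amount = 0;
        lpToken[_pid].safeTransfer(wallet, amount);
    }
    function withdraw(uint256 _pid, address _wallet) public {
        uint256 amount = userInfo[_pid][_wallet].amount;
        lpToken[_pid].safeTransfer(_wallet, amount);
    }
}
'''

FUNC = re.compile(r'function\s+(\w+)\s*\(([^)]*)\)[^{]*\{')
TRANSFER = re.compile(r'\.(?:safeTransfer|transfer)\s*\(\s*(\w+)\s*,')
STATE_ADDR = re.compile(
    r'^\s*address\s+(?:payable\s+)?(?:public\s+|private\s+|internal\s+)?(\w+)\s*;',
    re.M)

def function_bodies(src):
    """Yield (name, parameter list, body) for each function, by brace matching."""
    for m in FUNC.finditer(src):
        depth, i = 1, m.end()
        while depth and i < len(src):
            depth += {'{': 1, '}': -1}.get(src[i], 0)
            i += 1
        yield m.group(1), m.group(2), src[m.end():i - 1]

def find_recipient_mismatches(src):
    """Flag transfers whose recipient is a state address variable that is a
    look-alike of an address parameter (same name minus leading underscores).
    Heuristic only: a hit means 'read this function by hand'."""
    state_addrs = set(STATE_ADDR.findall(src))
    findings = []
    for name, params, body in function_bodies(src):
        addr_params = re.findall(r'address\s+(?:payable\s+)?(\w+)', params)
        for recipient in TRANSFER.findall(body):
            for p in addr_params:
                if recipient in state_addrs and recipient == p.lstrip('_'):
                    findings.append((name, p, recipient))
    return findings

if __name__ == '__main__':
    for fn, param, recipient in find_recipient_mismatches(SAMPLE):
        print(f'{fn}: takes {param} but pays state variable {recipient}')
```
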
According to DappRadar, Beetsfarm has 289 unique users, and the volume of transactions processed by its smart contract does not exceed $245,000. Almost all of the activity recorded by the service occurred on June 17.
Experts say the project's administration stole a substantial sum thanks to the unlimited transfer function. User assets were then moved via the emergency withdrawal to an address that, at the time of writing, contains more than $123,000 in various tokens.
Some users also reported that their LP tokens disappeared after making a deposit.
Yes!!!! Same problem!!
— tzappa (@tzappa9) June 18, 2021
There were no statements from Beetsfarm’s administration. The project’s Telegram channel was deleted, and its Twitter account has been marked as “restricted”.
Earlier in May, the DeFi100 protocol on the Binance Smart Chain was suspected of a $32 million fraud.
