Explained: The DefiLabs Rug Pull (July 2023)

AI. In July 2023, the platform experienced a rug pull in which the project team drained an estimated $1.4 million from the project’s pools.

Inside the Rug Pull

On July 27, 2023, the DefiLabs team posted a letter stating that the platform was undergoing maintenance, resulting in them temporarily blocking staking. The claim is that user funds would be safe and available during the emergency upgrade.

Behind the scenes, the team used a backdoor function named withdrawFunds to drain about 1.4 million BSC-USD from the contract.  These tokens were later transferred to another address.

Lessons Learned from the Attack

The DefiLabs rug pull took advantage of backdoor functions in the smart contract code and a privileged address. This backdoor was designed to only allow the project team to withdraw funds, which is good for security but also made it possible to carry out a backdoor attack. A more decentralized approach to managing privileged functions — such as a multi-signature wallet or decentralized governance scheme — could have prevented this attack.

Rug pulls are increasingly common, and they often have warning signs. To learn more about what to look out for, check out our blog on the Warning Signs of an Exit Scam.