Rob Behnke
July 3rd, 2021
On June 23, 2021, the team behind StableMagnet performed a rugpull. Using a novel technique, the owners were able to steal $27 million from the protocol’s users.
The StableMagnet rugpull was different from other rugpulls because it took advantage of a novel vector. Block explorers like Etherscan and BSCScan perform code verification that ensures that the source code posted to them matches the actual code stored on the blockchain.
However, as demonstrated by the StableMagnet rugpull, Etherscan and BSCScan do not perform verification of linked libraries when verifying the correctness of posted source code. This means that a smart contract can claim that it is using functions from one smart contract while actually using a different one. This lulls users into a false sense of security because they believe that they have reviewed a protocol’s source code and it looks legitimate.
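The gap described above is checkable from the chain itself: a Solidity contract that calls an external library embeds that library's address as a 20-byte `PUSH20` immediate in its runtime bytecode, so the addresses actually linked can be read out of the deployed code and compared with what the verified source claims. The following is an added example written for this post, not code from Halborn, the block explorers, or the StableMagnet contracts. The bytecode and both library addresses are constructed placeholders; the walker honours `PUSHn` immediates so a stray `0x73` byte inside an immediate is not mistaken for a `PUSH20`.

```python
"""Compare the library addresses hard-coded in deployed EVM runtime bytecode
with the library addresses a verified source listing claims to use.

Added example for this post; not from Halborn or StableMagnet. All bytecode
and addresses below are constructed for illustration.
"""

PUSH1, PUSH20, PUSH32 = 0x60, 0x73, 0x7F
DELEGATECALL = 0xF4


def walk(code: bytes):
    """Linear disassembly that skips PUSHn immediates.

    Yields (offset, opcode, immediate). Bytes inside an immediate are never
    treated as opcodes, which is what a naive byte scan gets wrong.
    """
    i = 0
    while i < len(code):
        op = code[i]
        if PUSH1 <= op <= PUSH32:
            n = op - (PUSH1 - 1)          # PUSH1 -> 1 byte ... PUSH32 -> 32 bytes
            imm = code[i + 1:i + 1 + n]
            yield i, op, imm
            i += 1 + n
        else:
            yield i, op, b""
            i += 1


def linked_addresses(code: bytes) -> set[str]:
    """Every 20-byte PUSH immediate, lower-case hex with 0x prefix.

    Solidity emits a linked library as PUSH20 <addr> ahead of DELEGATECALL,
    so this collects the libraries the contract really calls (plus any other
    hard-coded address, which is also worth a look).
    """
    return {
        "0x" + imm.hex()
        for _, op, imm in walk(code)
        if op == PUSH20 and len(imm) == 20
    }


def audit_links(code: bytes, claimed: dict[str, str]) -> dict:
    """Diff the addresses found on-chain against the ones the source claims.

    `claimed` maps library name -> address as shown in the verified listing.
    Anything in `undeclared` is a library the reader never reviewed.
    """
    found = linked_addresses(code)
    declared = {addr.lower() for addr in claimed.values()}
    return {
        "undeclared": sorted(found - declared),
        "missing": sorted(declared - found),
        "uses_delegatecall": any(op == DELEGATECALL for _, op, _ in walk(code)),
    }


# Constructed runtime fragment (not real contract code):
#   PUSH1 0x73            -- immediate happens to equal the PUSH20 opcode
#   PUSH20 0xbb..bb       -- the library actually linked
#   GAS; DELEGATECALL; STOP
CLAIMED_LIB = "0x" + "aa" * 20   # address the verified source says it links
ACTUAL_LIB = "0x" + "bb" * 20    # address baked into the deployed bytecode
SAMPLE_RUNTIME = (
    bytes([PUSH1, 0x73])
    + bytes([PUSH20]) + bytes.fromhex("bb" * 20)
    + bytes([0x5A, DELEGATECALL, 0x00])
)

if __name__ == "__main__":
    report = audit_links(SAMPLE_RUNTIME, {"SafeMath": CLAIMED_LIB})
    for key, value in report.items():
        print(f"{key}: {value}")
```

In practice the bytecode comes from `eth_getCode` on the contract address and the claimed addresses from the explorer's verified listing; if `undeclared` is non-empty, the code the users reviewed is not the code that will execute on a `DELEGATECALL`.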
The StableMagnet owners took advantage of this oversight to hide a backdoor in their smart contract that enabled them to drain value from the protocol. The hidden backdoor also enabled the attackers to transfer more tokens to all wallets that had approved StableMagnet, allowing them to steal even more value from its users.
This incident used novel techniques to hide the functionality that made the rugpull possible. A few key takeaways include:
Before investing in or approving any crypto project, it’s important to do your research. This incident demonstrates that this isn’t as simple as reading the source code on a block explorer.