According to cryptocurrency security firm PeckShield, the team behind Chibi Finance has reportedly drained the fund from the project’s liquidity pools.
The assets were quickly withdrawn and converted to WETH on the Ethereum network. The stolen funds, sold for 555 ETH, were transferred to Tornado Cash, a decentralized cryptocurrency exchange.
#PeckShieldAlert Seems like #Chibifinance rugged. ~$1M worth of cryptocurrencies were drained.
The stolen funds, which have been swapped for ~555 $ETH, were bridged from #Arbitrum to Ethereum.
They have already been transferred into Tornado Cashhttps://t.co/HmVeZmWJS4 pic.twitter.com/1wM8j86fS4
— PeckShieldAlert (@PeckShieldAlert) June 27, 2023
A rug pull refers to a cryptocurrency scam in which developers build up a project’s reputation by “hyping it,” creating enthusiasm in the crypto community. After the project generates funds, the developers drain liquidity from the crypto tokens, leaving investors with nothing.
Details about the scam
The rug pull was possible due to a malicious term in the contract the team created, according to security firm CertiK. In turn, this contract gave them control of the protocol’s smart contract, allowing them to withdraw all the funds from the project.
“The deployer of Chibi Finance called `setGov` which assigned the malicious contract to the `_gov` role,” wrote CertiK on Twitter. “This allowed contract 0xB61 to call `panic` which permitted them to withdraw funds from the Chibi Finance contracts.”
The project initially presented itself as a yield-optimizing protocol that allowed users to earn rewards simply by depositing their crypto tokens on the platform. The protocol was built on the Arbitrum chain.
After the scam was exposed, the digital presence of Chibi Finance disappeared. The protocol’s social media accounts and official website are no longer accessible.
The value of CHIBI, the native token of Chibi Finance, has plummeted by 99.4 percent
following the rug pull. The coin opened trading at $1.62 less than 24 hours ago, but as of the time of writing, it is valued at just $0.0090.
Crypto influencer defi_mochi is facing community backlash for previously promoting Chibi Finance in a project-sponsored thread. Defi_mochi reportedly received $2,000 in ETH for the promotion.
The Twitter influencer mentioned that he was writing a sponsored thread on June 20. Following reports of rug pulling, defi_mochi deleted the tweets under the thread. The community is now accusing the user of profiting from the rug pull. To date, he has not yet responded to the allegations.
Another case of rug pull
This rug pull is the 12th incident of a rug pull on the Arbitrum network and the broader Ethereum Layer 2 ecosystem in 2023. Investors are often quick to make decisions, leading them to fall victim to rug pulls. BeInCrypto reported that users lost more than $45 million last month due to this type of scam.
1/ The @Chibi_Fi exit scam is the 12th incident we have recorded on Arbitrum in 2023.
— CertiK Alert (@CertiKAlert) June 27, 2023
Beosin, a blockchain security firm, reported that losses from rug pulls and exit scams in the crypto market exceeded those from DeFi attacks in May. Six rug pull incidents resulted in a loss of $45.02 million, while 10 DeFi protocol hacks amounted to a deficit of $19.7 million.
In a similar case to Chibi Finance, the developers of an Arbitrum-based project known as Swaprum disappeared with nearly 1,6228 ETH or $3 million last month. The Swaprum team withdrew liquidity from its exchange, causing the price of its native token (SAPR) to plummet. This situation left investors with virtually worthless tokens.
The team then transferred the funds to Ethereum and laundered them through Tornado Cash, a popular Ethereum mixer service. This was likely done to obscure the trail of the funds and make it more difficult for authorities to track them.
Just like Chibi Finance, Swaprum deleted its digital footprints overnight. From Twitter, Telegram, and GitHub to its official website, which previously served as the front-end for the project’s protocol, had become inaccessible.
Rising cases of crypto hacks, scams
In general, May saw a lower number of crypto exploits — including rug pulls, exit scams, flash loans and many more — compared to April. It might suggest that better security practices are being adopted among users and developers, although further research is needed. Currently, there is no update on the total of losses in June.
Blockchain security incidents in May resulted in $54 million in losses, half of April’s losses. BNB Chain ecosystem accounted for most incidents, with $37 million in losses. Ethereum-based projects saw the least exploits, with $2 million in losses.
The Morgan DF Fintech project was one of the largest contributors to the total stolen funds, with over $32 million in losses. This project used a photo of an actor as its CEO on its official website.
Blockchain records indicate that the project transferred the funds — primarily USDT on BSC — to multiple addresses on TRON and Ethereum on May 22. These records led to speculation that the project had scammed its users.
The speculation was backed as, on May 23, users began reporting that they couldn’t withdraw their funds. Since then, the CertiK audit has flagged Fintoch’s program as an exit scam.
The other two prominent scam cases were Jimbo Protocol and Deus Finance. Jimbo Protocol on Arbitrum lost $7.5 million from rug pull. Meanwhile, Deus Finance on BNB lost $6.2 million in a smart contract exploit.
The rest of the notable cases include Tornado Cash, WSB Coin, Mother, Linda Yaccarino, SNOOKER, Block Forest and Land. The losses on these projects range from $145,000 to $733,000.
In short, rug pull scams were still the most prevalent in May, with 12 cases and losses totaling $37 million. Exploits were the second most common type of fraud, with nine cases and losses of $8.8 million.
Flash loan attacks were less frequent, with five cases, but they still resulted in significant losses of $8.9 million. Exit scams were responsible for two cases, resulting in a loss of $177,000.
Governance tokens were the most commonly targeted category of cryptocurrency. In total, were 19 cases reported, with losses amounting to $3.3 million.
Apart from governance tokens, decentralized exchanges (DEXs) and stablecoins were the other top targets. DEX were targeted in three cases, which led to $4 million in losses. Stablecoins recorded the highest amount lost. A single case of stablecoin fraud resulted in losses of $6.2 million.