A securely vetted cryptocurrency firm appears to have scammed customers out of millions after its developers made off with their deposited funds.
Arbix Finance was a yield farming firm previously audited by decentralized finance (DeFi) security player CertiK.
However, earlier this week, CertiK tweeted news that it had performed a classic “rug pull” scam. Also known as “exit scams,” these involve project developers running off with investor funds.
The security firm explained that those in charge of the depositor contract at Arbix directed $10m of investor funds to unverified “pools” – a tool used to deposit and withdraw funds in DeFi ecosystems.
An unknown hacker then drained the assets from these pools and converted them to Ethereum through exchange AnySwap USDT.
“The exploited contract was not in the audit scope that was done for Arbix,” CertiK explained. “The project inserted eight `mint()` functions to a newly deployed ARBX ERC20 contract which allowed the owner to mint any amount of ARBX tokens to any address.”
The fact that Arbix Finance was previously certified highlights the difficulty investors face in the world of DeFi.
However, rug pulls are increasingly common. According to one report, over a third (37%) of the revenue generated from cryptocurrency fraud in 2021 came from such scams, versus just 1% the previous year.
This generated more than $2.8bn for fraudsters in 2021.
“Rug pulls are prevalent in DeFi because with the right technical know-how, it’s cheap and easy to create new tokens on the Ethereum blockchain or others and get them listed on decentralized exchanges (DEXes) without a code audit,” explained Chainalysis.
Yield farming is a particularly attractive prospect for investors, and a valuable lure for fraudsters, because it offers the promise of generating “interest” on cryptocurrency in a similar way to the annual percentage yields banks offer depositors of fiat currency.