DeFiLabs BSC Backdoor Rug
A hidden deployer-only withdrawFunds function in DeFiLabs' BNB Chain staking contract drained $1.6M in user deposits before the project vanished completely.
- Date: July 30, 2023
- Victim: DeFiLabs users
- Chain(s): BNB Chain
- Status
- Funds Stolen: ~$1.6M
On July 30, 2023, the BNB Chain yield project DeFiLabs rug-pulled approximately $1.6 million. The staking contract contained a hidden deployer-only withdrawal function (withdrawFunds-style) that drained all user deposits in a single call; the project then disappeared.
What happened
DeFiLabs' DVL staking contract included a privileged function — not part of advertised functionality — that let the deployer transfer the entire deposit pool out. After accumulating ~$1.6M, the deployer invoked it and exited.
Aftermath
- No recovery; deployer unidentified.
Why it matters
DeFiLabs is a textbook backdoor-function rug — the simplest, most-repeated rug structure in the catalogue (Arbix, Kokomo, Swaprum, Kannagi). A privileged drain function with an innocuous name, in an unverified or unread contract, on a high-APY farm during a chain's growth window. The user-side filter remains the cheapest in DeFi and the most ignored: read (or have a tool read) every function the owner can call, and assume the worst-case use of each. The base rate of this exact structure on BSC/zkSync/Base growth-phase farms is high enough that "I didn't check the owner functions" is, statistically, the whole story.
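One way to have a tool read every function the owner can call, as an added example that is not from the original write-up or from DeFiLabs. The Solidity source is a constructed sample (not the DeFiLabs contract), and the regex heuristics and all names in it are assumptions, suited to a first-pass read of verified source only.

```python
import re
# Constructed sample, NOT the DeFiLabs contract: a minimal staking contract
# with one owner-gated function that can move the whole pool.
SAMPLE_SOURCE = """
contract Staking {
    address public owner;
    IERC20 public token;
    uint256 public rewardRate;
    mapping(address => uint256) public staked;
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    function deposit(uint256 amount) external {
        token.transferFrom(msg.sender, address(this), amount);
        staked[msg.sender] += amount;
    }
    function withdraw(uint256 amount) external {
        staked[msg.sender] -= amount;
        token.transfer(msg.sender, amount);
    }
    function setRewardRate(uint256 rate) external onlyOwner { rewardRate = rate; }
    function withdrawFunds() external onlyOwner {
        token.transfer(owner, token.balanceOf(address(this)));
    }
}
"""
# Heuristics (assumptions): a function is privileged if its header carries an
# only* modifier or its body compares msg.sender to an owner-like variable.
FUNC_RE = re.compile(r"function\s+(\w+)\s*\([^)]*\)([^{;]*)\{")
GATE_RE = re.compile(r"\bonly\w+\b|msg\.sender\s*==\s*\w*(owner|admin|deployer)", re.I)
MOVE_RE = re.compile(r"\.(transfer|safeTransfer|send)\s*\(|\.call\s*\{\s*value|selfdestruct\s*\(")

def body_at(src, open_idx):
    """Return the brace-balanced body starting at src[open_idx] == '{'."""
    depth = 0
    for i in range(open_idx, len(src)):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth == 0:
            return src[open_idx:i + 1]
    return src[open_idx:]

def audit_owner_functions(src):
    """List (name, moves_funds) for every function gated to a privileged caller."""
    findings = []
    for m in FUNC_RE.finditer(src):
        name, header = m.group(1), m.group(2)
        body = body_at(src, m.end() - 1)
        if GATE_RE.search(header) or GATE_RE.search(body):
            findings.append((name, bool(MOVE_RE.search(body))))
    return findings

if __name__ == "__main__":
    print(audit_owner_functions(SAMPLE_SOURCE))
```

Any entry flagged `True` is an owner-only path that transfers value and deserves a worst-case reading; a `False` entry can still be dangerous indirectly (for example by changing a fee or a target address), so it is a prompt to read the function, not a clearance.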
Sources & on-chain evidence
- [01] halborn.com: https://www.halborn.com/blog/post/explained-the-defilabs-rug-pull-july-2023
- [02] certik.com: https://www.certik.com/resources/blog/post-mortem-defilabs
- [03] rekt.news: https://rekt.news/defilabs-rekt