Skip to content
Est. MMXXVIVol. VI · № 273RSS
Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 150Rug Pull

DeFiLabs BSC Backdoor Rug

A hidden deployer-only withdrawFunds function in DeFiLabs' BNB Chain staking contract drained $1.6M in user deposits before the project vanished completely.

Date
Victim
DeFiLabs users
Chain(s)
BNB Chain
Status
Funds Stolen

On July 30, 2023, the BNB Chain yield project DeFiLabs rug-pulled approximately $1.6 million. The staking contract contained a hidden deployer-only withdrawal function (withdrawFunds-style) that drained all user deposits in a single call; the project then disappeared.

What happened

DeFiLabs' DVL staking contract included a privileged function — not part of advertised functionality — that let the deployer transfer the entire deposit pool out. After accumulating ~$1.6M, the deployer invoked it and exited.

Aftermath

  • No recovery; deployer unidentified.

Why it matters

DeFiLabs is a textbook backdoor-function rug — the simplest, most-repeated rug structure in the catalogue (Arbix, Kokomo, Swaprum, Kannagi). A privileged drain function with an innocuous name, in an unverified or unread contract, on a high-APY farm during a chain's growth window. The user-side filter remains the cheapest in DeFi and the most ignored: read (or have a tool read) every function the owner can call, and assume the worst-case use of each. The base rate of this exact structure on BSC/zkSync/Base growth-phase farms is high enough that "I didn't check the owner functions" is, statistically, the whole story.

Sources & on-chain evidence

  1. [01]halborn.comhttps://www.halborn.com/blog/post/explained-the-defilabs-rug-pull-july-2023
  2. [02]certik.comhttps://www.certik.com/resources/blog/post-mortem-defilabs
  3. [03]rekt.newshttps://rekt.news/defilabs-rekt

Related filings