Stable Magnet exits with a new rugpull method


Approximately $22 million of user funds were lost to a rugpull strategy that hasn't been seen until now.


Users who previously gave approval to Stable Magnet should withdraw their approval as soon as possible.

Etherscan explorers did not verify the source code of the linked library for Stable Magnet. This allowed the exploiter to deploy a library different from the one shown in the source code.


Evidence of different contract address

Unverified source code is not new

The contract containing the actual exploit was at address 0xE25d05777BB4bD0FD0Ca1297C434e612803eaA9a. As well as containing code to drain all pairs, it contained code to withdraw more funds from any users who had approved StableMagnet. Simply having used the swap was enough for a user to be targeted in the rugpull.

Unverified source code is not new, but will we see a rise in rugpulls similar to this? Dopple and StableGaj are based upon the same protocol, and their SwapUtils libraries are also unverified.
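
The unverified linked library described above can be spotted from the deployed bytecode rather than from the explorer's source view. The following Python code is an added example, not code from the original article or from Stable Magnet: it sweeps runtime bytecode for `PUSH20` constants (the way the Solidity compiler embeds a linked library's address) and reports those missing from a caller-supplied set of verified addresses. The sample bytecode, both addresses and the `verified` set are constructed for illustration; in practice the set would be filled from an explorer lookup.

```python
# Added example: list linked-library candidates in EVM runtime bytecode.
PUSH1, PUSH20, PUSH32, DELEGATECALL = 0x60, 0x73, 0x7F, 0xF4
MASK = b"\xff" * 20  # address-mask constant emitted by older compilers


def linked_library_candidates(runtime_hex):
    """Linear opcode sweep: return (PUSH20 addresses, uses_delegatecall)."""
    raw = runtime_hex[2:] if runtime_hex.startswith("0x") else runtime_hex
    code = bytes.fromhex(raw)
    addrs, uses_delegatecall, pc = [], False, 0
    while pc < len(code):
        op = code[pc]
        if PUSH1 <= op <= PUSH32:
            size = op - PUSH1 + 1
            operand = code[pc + 1 : pc + 1 + size]
            # Keep full 20-byte operands that are not the mask or zero.
            if op == PUSH20 and len(operand) == 20 and operand not in (MASK, bytes(20)):
                addr = "0x" + operand.hex()
                if addr not in addrs:
                    addrs.append(addr)
            pc += 1 + size  # skip push data so it is never read as an opcode
            continue
        if op == DELEGATECALL:
            uses_delegatecall = True
        pc += 1
    return addrs, uses_delegatecall


def unverified_libraries(runtime_hex, verified):
    """Embedded addresses the contract may delegate to that lack verified source."""
    addrs, uses_delegatecall = linked_library_candidates(runtime_hex)
    if not uses_delegatecall:
        return []  # no DELEGATECALL, so no library call path to review
    verified = {a.lower() for a in verified}
    return [a for a in addrs if a not in verified]


# Constructed sample: mask, library A call, library B call, STOP.
LIB_A = "0x" + "11" * 20
LIB_B = "0x" + "22" * 20
SAMPLE = ("0x" + "73" + "ff" * 20 + "73" + "11" * 20 + "63aabbccdd" + "5af4"
          + "73" + "22" * 20 + "5af4" + "00")

if __name__ == "__main__":
    # Only LIB_A is treated as verified in this constructed scenario.
    print(unverified_libraries(SAMPLE, {LIB_A}))
```

The sweep also walks the compiler metadata appended to the bytecode, so its output is a list of candidates to look up on the explorer, not proof that each one is a library.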