See More

This Protocol on Coinbase’s Base Was Hacked Just 6 Days After Layer 2 Launch

3 mins
Updated by Geraint Price
Join our Trading Community on Telegram

In Brief

  • Hackers stole 472 ETH (approx. $869,000) from RocketSwap after private keys were compromised, causing community outrage.
  • After the hack, RocketSwap faced criticism for disabling comments on social media and for poor security measures.
  • The exploit and poor response have led to suspicions that the RocketSwap team may have conducted a rug pull.
  • promo

The crypto community has lashed out at the RocketSwap team after a 472 Ethereum (ETH) was taken following a private key compromise.

Coinbase Base drew enthusiasm from many developers and users when it debuted. The Layer 2 protocol launched with over 100 decentralized applications (dApps), but within a week, the projects are becoming a favorite target of scammers.

RocketSwap Disables Comments and Telegram After Exploit 

According to the Web3 security firm Beosin, hackers stole over 472 ETH (approx. $869,000) from the decentralized exchange (DEX) RocketSwap. 

The exploiters accessed the funds via a compromise in the private keys. Then they bridged the tokens to Ethereum through the Stargate bridge. The screenshot below shows the flow of the funds prepared by Beosin.

The flow of the funds stolen from RocketSwap. Source: X (Twitter)
The flow of the funds stolen from RocketSwap. Source: X (Twitter)

RocketSwap apologized to the users for the loss and explained:

“A brute force hack of the server was detected, and due to the proxy contract used for the farm contract, there were multiple high-risk permissions that led to the transfer of the farm’s assets.”

Furthermore, the project disabled comments on X (Twitter) and Telegram. The team faced heavy criticism from the community for disabling the communication after the exploit. An X (Twitter) user wrote:

“Probably the worst hack reaction I have ever seen. They shut down the Telegram and finish the tweet with:

“We are very sorry for your loss”

Like they don’t have anything to do with it”

The Total Value Locked (TVL) on RocketSwap is down by more than 25% in the past 24 hours. According to DefiLlama, the TVL currently stands at around $2.48 million after the sharp decline.

RocketSwap TVL. Source DefiLlama
RocketSwap TVL. Source DefiLlama

Irresponsible Security Standards

For Web3 projects, and even for individuals, the storage of private keys is the most essential security measure. Ideally, private keys or secret key phrases should be stored offline to minimize the chances of a compromise.

RocketSwap put the private keys on a server leading to the compromise. The poor security measure has invited widespread criticism from community members.

Community's reaction to RocketSwap's security. Source: X (Twitter)
Community’s reaction to RocketSwap’s security. Source: X (Twitter)

Some other security blunders by RocketSwap have also come to light following the recent exploit. On Aug. 8, a community member shared screenshots of deleted posts from RocketSwap, which showed the team admitting to transferring $69,000 worth of native tokens (RCKT) to scammers.

The scammers, disguised as KuCoin team members, claimed that they wanted to list the RCKT tokens and asked the team to send tokens for liquidity market making. The RocketSwap team realized they had been scammed due to the sell-off after sending the tokens.  

Community member Dashen De Silva believes the team sold tokens for their benefit and used “fabricated narrative as a cover.”

RocketSwap's deleted post. Source: X (Twitter)
RocketSwap’s deleted post. Source: X (Twitter)

A Rug pull?

With two back-to-back incidents within eight days, the community suspects that the RocketSwap team might have conducted a rug pull.

Click here to learn more about rug pull.

An X (Twitter) user, Forgiving, believes that RCKT was a “hard rug.” They questioned the deployer’s change in proxy hours before the exploit. Forgiving wrote:

It was likely a pre-meditated planned rug

The community members are further suspicious as RocketSwap halted the mode of communications. There are also allegations that RocketSwap used to spoof the volumes.

With the RocketSwap exploit, some community members also point fingers at Coinbase Base due to multiple rug pull/hack incidents. 

On Aug. 1, another DEX on the Base network, LeetSwap, lost 340 ETH (approximately $600,000) due to a vulnerable function in the smart contract. Simultaneously, a scammer deployed a meme coin BALD on the Base network and later removed the liquidity, conducting a rug pull of over $23 million.

Following these incidents, a community member wrote:

“Base on-chain summer became base hard rug summer

Bald, leetswap, rocketswap and about 99% of contracts made on base.”

On Aug. 9, Coinbase launched the mainnet of its Layer 2 protocol Base. Within 24 hours, the network recorded over 136,000 daily active users. 

Community reacts to rug pull allegations. Source: X (Twitter)
Community reactions. Source: X (Twitter)

Got something to say about the RocketSwap exploit or anything else? Write to us or join the discussion on our Telegram channel. You can also catch us on TikTok, Facebook, or X (Twitter).

For BeInCrypto’s latest Bitcoin (BTC) analysis, click here.

Top crypto projects in the US | July 2024
Harambe AI Harambe AI Explore
Uphold Uphold Explore
Coinbase Coinbase Explore
Chain GPT Chain GPT Explore
Top crypto projects in the US | July 2024
Harambe AI Harambe AI Explore
Uphold Uphold Explore
Coinbase Coinbase Explore
Chain GPT Chain GPT Explore
Top crypto projects in the US | July 2024

Trusted

Disclaimer

In adherence to the Trust Project guidelines, BeInCrypto is committed to unbiased, transparent reporting. This news article aims to provide accurate, timely information. However, readers are advised to verify facts independently and consult with a professional before making any decisions based on this content. Please note that our Terms and ConditionsPrivacy Policy, and Disclaimers have been updated.

Frame-2264-1.png
Harsh Notariya
Harsh Notariya is a journalist at BeInCrypto, who writes about various topics, including decentralized physical infrastructure networks (DePIN), tokenization, crypto airdrops, decentralized finance (DeFi), meme coins, and altcoins. Before joining BeInCrypto, he was a community consultant at Totality Corp, specializing in the metaverse and non-fungible tokens (NFTs). Additionally, Harsh was a blockchain content writer and researcher at Financial Funda, where he created educational reports on...
READ FULL BIO
Sponsored
Sponsored