$1.4k stuck due to rug pull via proxy rate providers - can anyone help?

Hey everyone,

I’m in a tough situation and hoping the community can help. Short version: created a pool on Base, copied unverified rate providers, the owner upgraded them and now demands 0.05 ETH to withdraw liquidity. About $1,500 stuck.

How it happened:

About 3 weeks ago I was creating a pool and saw another pool with similar tokens. Thought “hey, let me just copy the rate providers from there, why reinvent the wheel”. The contracts were unverified but worked fine - I withdrew liquidity several times without any issues.

Then a few days ago when trying to withdraw, I see this error:

Need to transfer at least 0.05 ether to 0x216E4a5e998c159cDc90374796Fbfa9AA3e283Db to use rate provider again

At first I thought it was phishing or my browser was compromised. But no - the error appears on the actual balancer.fi site before signing any transaction.

What I found out:

Spent several hours investigating. Decompiled the bytecode of these rate providers and realized they’re upgradeable proxy contracts. The owner simply replaced the implementation with a malicious version that demands payment. Classic rug pull via upgrade.

What I tried:

  • All removeLiquidity variants - revert with the same error

  • removeLiquidityRecovery - doesn’t work because pool is not in recovery mode

  • enableRecoveryMode - getting SenderNotAllowed, I don’t have permissions

Details for the team:

Pool: 0x2794AEe6bb42519fe469e406b63f387C1B7e32Ac (Base)

Vault: 0xbA1333333333a1BA1108E8412f11850A5C319bA9

My wallet: 0xdF284270c7098D36A1637C4FC711aBc9209f3E34

Malicious rate providers:

  • 0xDC91D8066AA60fBF0670EC87a26EE9393c7013A9

  • 0xE1dE0dc616C0E00A855260886cc87b4497Cc3165

Question:

Is there a way to activate recovery mode for this pool through governance? That’s the only option I found to bypass the compromised rate providers.

I understand this was my mistake (shouldn’t have copied unverified contracts), but I’d be very grateful for any help. And maybe these rate providers should be flagged somehow so others don’t fall into the same trap.

Thanks!
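The pre-use check this post points to, as an added example that is not part of the original post or of Balancer's code: before reusing someone else's rate provider, test whether it delegates to replaceable code. The bytecode and storage below are constructed samples; on a live chain they would come from the `eth_getCode` and `eth_getStorageAt` JSON-RPC calls, and the EIP-1967 slots are an assumption, since the post does not say which proxy pattern these contracts used.

```python
from typing import Callable, List

# Standard EIP-1967 proxy storage slots (keccak256 of the label, minus 1).
EIP1967_SLOTS = {
    "implementation": 0x360894A13BA1A3210667C828492DB98DCA3E2076CC3735A920A3CA505D382BBC,
    "admin": 0xB53127684A568B3173AE13B9F8A6016E243E63B6E8DEE1178D6A717850B5D6103,
    "beacon": 0xA3F0AD74E5423AEBFD80D3EF4346578335A9A72AEAEE59FF6CB3582B35133D50,
}
DELEGATECALL = 0xF4


def has_delegatecall(code: bytes) -> bool:
    """Walk opcodes, skipping PUSH immediates so data bytes are not misread."""
    i = 0
    while i < len(code):
        op = code[i]
        if op == DELEGATECALL:
            return True
        # PUSH1..PUSH32 (0x60..0x7f) carry 1..32 immediate bytes.
        i += 1 + (op - 0x5F if 0x60 <= op <= 0x7F else 0)
    return False


def proxy_findings(code: bytes, get_storage: Callable[[int], int]) -> List[str]:
    """Return reasons to treat the contract as upgradeable (heuristic only)."""
    findings = []
    if has_delegatecall(code):
        findings.append("bytecode contains DELEGATECALL")
    for name, slot in EIP1967_SLOTS.items():
        value = get_storage(slot)
        if value:
            findings.append(f"EIP-1967 {name} slot set: 0x{value:040x}")
    return findings


# Constructed samples, not bytecode from the contracts named in the post.
# Proxy-like stub: PUSH32 <impl slot>, SLOAD, GAS, DELEGATECALL, STOP.
PROXY_CODE = (b"\x7f" + EIP1967_SLOTS["implementation"].to_bytes(32, "big")
              + b"\x54\x5a\xf4\x00")
PROXY_STORAGE = {EIP1967_SLOTS["implementation"]: 0x1111111111111111111111111111111111111111}
# Plain contract: PUSH2 0xf4f4 holds 0xf4 only as data, so a raw byte search
# would flag it while the opcode walk does not.
PLAIN_CODE = bytes.fromhex("61f4f460005200")

if __name__ == "__main__":
    for label, code, storage in (("proxy", PROXY_CODE, PROXY_STORAGE),
                                 ("plain", PLAIN_CODE, {})):
        print(label, proxy_findings(code, lambda s, st=storage: st.get(s, 0)))
```

An empty result is not proof of immutability: a proxy can keep its implementation address in a non-standard slot, and unreachable data in the bytecode can contain the DELEGATECALL byte.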

Hey @LKD, sorry to hear that you were a victim of this, and thanks for bringing it up here. Fortunately, there’s a way to recover the funds, and it shouldn’t even need governance in this case.

From what we can see in the pool creation tx (0x6af8bdd933... on BaseScan), you’ve set yourself as the pause manager (address 0xdf284270...9209f3e34 on BaseScan, which is also tx.origin).

With that account you can pause the pool, and then place it in recovery mode permissionlessly.

To pause the pool, go to the “multi proxy” tab in Etherscan for the vault, and call pausePool (msg.sender must be 0xdf2 for this to work). Here’s the link to the function you need to call.

Then, place the pool in recovery mode from the same tab (link here). As long as the pool is paused, anyone can call it.

Finally, exit your position using removeLiquidityRecovery in the router from the account that holds the LP tokens.

Don’t worry about the limits there, you can set an array of zeroes and it should be safe since it’s a proportional exit and the pool is paused.

Please try out those steps, and let us know if needed.
Cheers,
Juani

1 Like

It worked! Successfully recovered all liquidity using the steps you provided.
Thank you so much for the quick and detailed help - I really appreciate it. Steps 1-3 went smoothly through the Vault, and after calling removeLiquidityRecovery through the Router UI on BaseScan, everything came through.

The Balancer community is incredibly helpful

Thanks again for saving my $1.5k!
Cheers

4 Likes

Happy to hear that, and happy to help 🙂

PS: to the deployer of the malicious rate providers, in case you ever read this: consider getting an honest job.

2 Likes