The DeFi project R0AR had a backdoor in its Ethereum contract, leading to a theft of approximately 780 thousand USD. The incident occurred on April 16, and Web3 security company GoPlus disclosed it on the X platform on April 22. According to the accident report released by the project team, the funds have been recovered, but the related addresses and transaction hashes have not yet been made public. The attacker exploited the backdoor address present during contract deployment by executing a malicious EmergencyWithdraw() function, transferring all tokens and LP tokens from the contract, and ultimately zeroing out the amounts in user information. This incident serves as a reminder for users to be wary of backdoor contracts (address 0xBD2Cd7) and avoid interacting with them.