What Are Rug Pulls And How Can You Protect Yourself Against Them?
23.08.2021 | 9 min read
In 2009, the Bitcoin Network came alive after Satoshi Nakamoto mined the Bitcoin Genesis Block, effectively sparking the flame for cryptocurrencies. Since then, the technology has developed at breakneck speeds as it sought to provide utilities in almost every facet of the world. Art, music, finance, advertising, health, and sports have all seen blockchain technology being deployed in a bid to improve upon the status quo.
2017 was a pivotal year for cryptocurrencies as it recorded increasing adoption rates, particularly through the concepts of Initial Coin Offerings (ICOs). ICOs provided resources for the development of new projects and were instrumental to the boom of 2017.
Cumulatively, ICOs birthed stellar projects that have served as bulwarks for the cryptocurrency ecosystem. For example, Ethereum was funded through an ICO while Tezos raised an impressive $233 million that helped it develop its powerful blockchain. Filecoin and EOS are some of the iconic cryptocurrency projects that came to life as a result of the concept of ICOs.
Just like every great concept, bad actors are always lurking, looking to spin the situation for their objectives. Seeing the huge inflow of capital and the immense potential in cryptocurrencies, several scam projects have sprung forth intending to fleece investors of their hard-earned funds through the various. One such means is through the use of a rug pull.
What is a rug pull?
A rug pull is an event that is specific to decentralized finance and it involves the sudden removal of liquidity from a decentralized exchange liquidity pool. It is a malicious act by the creators of a project used to defraud token holders of their hard-earned funds. In simple terms, it is a situation where the founders of a project abandon it and abscond with the funds of their investors.
Decentralized exchanges are potent tools for committing rug pulls as they allow ‘founders’ to list their tokens with minimal checks, making it easy for the infiltration of sham projects. In contrast, centralized exchanges involve audits and other stringent processes that make it difficult for rug pulls to occur.
The typical rug pull project works like this. The founders create a project and list the token on a DEX, creating a pairing with a top cryptocurrency. A buzz is generated in cryptocurrency circles about the new project which serves as an incentive for investors to buy into their vision.
After a significant number of investors have swapped their top cryptocurrency for the token, the founders liquidate the liquidity pool which has the unsavoury effect of driving the token ’s price down.
What are slow rug pulls?
There is also a slow version of rug pulls in which a developer or team of developers builds a backdoor into the protocol codebase and uses it to drain funds over time and later cash them out. These back doors can be obvious, or they can be cleverly disguised. In the latter case (known as slow rug pulls), user funds are drained in small increments through unobvious means. Naturally, these can be difficult to spot. But note that inflationary tokens should not be considered slow rug pulls. This is because the intentions of authors here are not malicious. In this case, tokenomics is simply poor.
How do you spot a potential rug pull?
By analyzing several rug pulls, it is easy to spot certain identifiers that can act as warning signs. It is important to note that these identifiers are not set in stone but a combination of any of these factors will be sufficient in raising a red flag.
1. Is there a team or founder listed?
One of the easiest methods of spotting red flags is by searching for the team behind the DeFi project. If the team is anonymous, or there is no listed founder, that should be a cause for concern. Also, watch out for fake founders names or aliases, such as Vitalik Buterin.
2. Has the project had a security audit and was it done correctly?
It’s recommended that each DeFi project has at least one security audit done on the latest codebase and that this audit is done by one of the top reputable companies. Best practice involves performing 2-3 audits and updating them periodically.
3. Is the project innovative and does it make sense?
Watch out for clones and forks of existing projects that are commonplace these days. Here’s where doing some research into the market can really pay dividends later on.
4. Is the project offering reasonable returns?
Investors should also keep an eye on the returns that projects are offering. Often, projects with the potential for a rug pull offer investors staggering returns on their investment.
For example, WhaleFarm, a project that stole $2.3 million from investors promised returns of a whopping 7,217,848% APY. The combination of astronomical returns and anonymous founders is something that should keep investors on their toes.
5. Is the project’s marketing overly fancy?
If a token spends an unreasonable amount on fancy marketing it might be a ticking time bomb. While this may not always be the case, the use of intrusive marketing tactics should be a red flag.
Investors should go the extra mile to peruse the social media accounts of projects that they want to invest in. Shady projects often make use of bots and fake accounts to boost follower numbers and to engage in intrusive marketing. They may also abuse airdropping and referrals.
6. Are the goals of the project accurately captured?
Another pointer for identifying fake accounts is the absence of a comprehensive whitepaper that captures the goals of the project. If a white paper is lacking in details or seems like a copy of another project, then it might just as well be a scam project.
7. Is the project listed only on DEX platforms?
The listing of a project only on DEX platforms and not on centralized exchanges should keep potential investors on their toes. Similarly, projects that are carried out in a haste are most likely sham projects.
8. Are there sudden spikes in token prices?
Sudden spikes in the price of a token in the space of a few hours are used to bait investors and the absence of a lock on the token pool may portend a grave danger.
9. Does the project have a healthy community?
It’s always a good sign if the project has a healthy presence on social networks, including strong communication and community feedback. Beware of spam messaging on social media.
Biggest rug pulls by USD
Since 2017, rug pulls have become bigger and more daring as they make away with staggering amounts of investors’ money. Here are some of the largest rug pulls in the history of DeFi ranked according to the amount stolen.
Leading the pack is Thodex, a Turkish-based crypto exchange that made off with over $2 billion of investors’ funds.
In April, a message appeared on the website that read that the exchange will be shutting down its operation for five days because of a partnership offer that it received. Afterwards, the website went dark with the founder making away with investor’s funds.
Compounder Finance had its fair share of rug pull after the founders made away with $10.8 million of investment funds. The peculiar thing about Compounder Finance’s rug pull is that the protocol had been previously audited but the founders replaced the audited contracts with malicious ones that gave them the power to steal the funds from investors.
The rug pull that occurred in December of 2020 saw the insertion of a call function that made the theft possible and by choosing a name that bears a striking similarity to Compound Finance, investors quickly fell for the ruse.
Meerkat Finance pilfered a stunning $31 million from investors in a move that several persons have called a classic rug pull. The Binance Smart Chain project which was essentially a copy of the Yearn Finance version claimed that the hack was the work of an external actor, but the majority of the community believes that it was an elaborate scheme. Since the event, the website has been taken down, alluding to the fact that it was indeed a rug pull.
In an attempt to halt the devastating effects of rug pulls, RugScreen was launched to help investors spot the warning signs before they lose their funds.
On RugScreen, users can look up or paste a solidity contract to confirm its viability. To stay ahead of the game, RugScreen offers individuals $200 BUSD for information that leads to the discovery of new code exploits. The simplicity of reporting the potential rug pulls plus the financial incentives that it offers the finders is an added benefit.
Projects that have been scanned receive an excellent score and receive a RugScreen certificate. However, there is a disclaimer that says that the fact that one contract from the project passed the scanner does not mean that they will all pass. Investors are therefore asked to scan all the contracts including the MasterChef contract.
Since its launch, the project has made 49,663,707,914 comparisons and well over 19,000 projects have been certified as the real deal. A total of 11,493 potential rug pulls have been detected that have saved investors over $8 million.
Rug pulls have caused DeFi hundreds of millions of dollars in losses and they threaten its existence. The occurrence of these malicious acts affects the growth of the sector in myriad ways. Some prospective investors have been seriously put off by their recurrence, and the number of government regulations in the field have significantly increased.
So if you’re interested in a certain DeFi project, you should do your homework. Look out for any red flags in the shape of a shady founding team, a white paper that fails to capture the ethos of the project, and also any intrusive marketing tactics. To tick all the boxes, investors should scan all the contracts from a project with a tool like rugscreen.com. Through this, they can stay ahead of the game and prevent the loss of funds to rug pulls.