The decentralized finance sphere has introduced a number of never-before-seen concepts to the world of Web3. Decentralized lending protocols, decentralized stablecoins, “yield farming” modules and on-chain prediction markets made basic financial operations more seamless and resource efficient.
At the same time, for malefactors, the DeFi segment is a hotbed of eccentric attack designs. DeFi protocols can be ruined by “flash-loan” attacks, their users often falling victim to phishing and impersonating scams. However, “rug pull” attacks remain the most dangerous and mainstream type of malicious activity in the DeFi segment since early 2020.
What is a rug pull: Crypto protocols under fire
To understand what a rug pull is in crypto, we need to imagine a person standing on a rug. Someone unexpectedly pulls it, and the victim loses balance and falls over.
Rug pull in crypto: Two ways of losing money
This is what a rug pull looks like: DeFi masterminds rapidly remove all users' liquidity from the protocol, leaving investors with worthless tokens. At its core, every rug pull can affect its victims in two ways.
#rugpulls PeckShield has detected #Bnb42 is rugged: the deployer drains more than 6,400 BNB (~$2.7m) from an unverified contract.— PeckShieldAlert (@PeckShieldAlert) February 15, 2022
The rugged funds were initially held in 0x9b74fde50f3fcd3a02fafea6a187092630d6eb8f and then split into 8 addresses. pic.twitter.com/iXbkifaA5E
First, when the “rug is pulled,” investors have their assets transferred to attackers’ accounts with no chances to return it. Then, once the crypto community notices that this or that protocol is rug pulled, its native cryptocurrency can lose 90% of its value in no time. As such, investors see their bags’ value plummet to zero.
How to rug pull crypto: the basics
In order to make a “rug pull” possible, a DeFi team should “hard-code” specific features into the codebase. For instance, it should allow the transfer of all liquidity to a particular account. Then, the team can replace the address in charge of funds with a malicious one: this makes a rug pull possible even for audited protocols.
Once liquidity is stolen (permanently transferred to malefactors’ accounts), hackers need to cash it out. Typically, they send the funds to crypto mixing ecosystems like Tornado Cash.
It allows hackers to sell stolen crypto through crypto-to-fiat exchanges; without Tornado-based obfuscation, crypto trading platforms now rapidly blacklist the attackers’ addresses. On major explorers, all addresses involved in rug pulls are labeled in minutes after the first announcements about the scam gain popularity on Crypto Twitter.
Worst rug pulls in crypto
As the rug pull industry grew hand in hand with the popularity of the DeFi segment itself, over the years 2021-2022, some of them have ended up in eight-digit scams. As such, they are challenging CEX hacks as the most dangerous type of attack in Web3.
Name of scam: Meerkat Finance
Blockchain: Binance Smart Chain
Net losses: $32 million
In March 2021, the team of BSC-based yield farming protocol Meerkat Finance (MKAT), a fork of Alpaca Finance (ALPACA), escaped with 14 million Binance USD (BUSD) and 73,635 Binance Coins (BNB).
The protocol disappeared during its first day in mainnet; however, some of its investors managed to inject six-digit sums into its liquidity pools.
Name of scam: Snowdog DAO
Net losses: $10 million
SnowdogDAO promoted itself as the largest “game theory” experiment on Avalanche (AVAX), a high-performance smart contracts platform. Its exploit scenario was sophisticated: someone who held a unique key was the only actor able to sell SDOG at a reasonable price.
Others found their SDOG investment value plummeting to zero after an orchestrated sell-off initiated by rug pull masterminds.
Name of scam: Squid Game
Blockchain: Binance Smart Chain
Net losses: $3 million
Inspired by the popular TV show about a dystopian world, Squid Game token appeared to be a “honeypot scam,” which is a profitable rug pull scenario for attackers.
At some stage, the developers switched off SQUID holders’ ability to sell their tokens; only retail users were able to purchase new tokens. Once it was disclosed, the SQUID price dropped from almost $3,000 to zero.
How to spot a rug pull: Basics
To identify a crypto rug pull with 100% confidence, a blockchain user should read the code, i.e., to have advanced Solidity, Rust or Haskell skills. However, U.Today sums up a number of rug pull signs that can be registered even by newbies.
Greed is the worst enemy
All of the protocols targeted by “rug pulls” used to guarantee unbelievably high returns. First, they teased thousands of percent in APY: a recent Titano Finance scam protocol offered to triple any deposit in 10 days.
Then, all teams of such protocols guaranteed rewards with no regard for the market situation, the Ether and BNB price, audience dynamics and so on. Both “super-high” and “guaranteed” APYs are obvious red flags.
Many secrets hide many scams
Typically, there is little or no information about the teams, design and previous performance of “rug-pulled” protocols. Empty GitHub repositories, a Twitter account with no comments and re-tweets, a Medium “blog” with three articles and a landing page with an “investing” address is a “rug pull” starter pack.
None of the “rug-pulled” DeFis had a real product: a payment system, a lending/borrowing module, stablecoins and so on. As such, investors should thoroughly research the project before investing in it.
Stay up to date on crypto security
Finally, the information about potential rug pulls can be found on the Twitter account of cybersecurity providers and enthusiasts.
To start, every DeFi investor should follow Peckshield and CertiK, two leading security audit providers for crypto protocols. They detect malicious activity in an automated manner and inform potential investors about suspicious changes in the protocols’ codebase.
A rug pull is a malicious transfer of investor liquidity from a DeFi protocol. Rug pulls in crypto are organized by malevolent teams of DeFi products in order to steal supporters’ funds.
Some rug pulls in 2021-2022 stole eight-digit sums. To avoid falling victim to rug pulls, investors should not invest in products teasing enormous profits or in teams with no proven development activity.