DeFi Space Flooded by Rug Pulls: What You Should Know to Protect Your Crypto

Tue, 02/22/2022 - 09:36

The decentralized finance sphere has introduced a number of never-before-seen concepts to the world of Web3. Decentralized lending protocols, decentralized stablecoins, “yield farming” modules and on-chain prediction markets made basic financial operations more seamless and resource efficient.

At the same time, for malefactors, the DeFi segment is a hotbed of eccentric attack designs. DeFi protocols can be ruined by “flash-loan” attacks, and their users often fall victim to phishing and impersonation scams. However, “rug pull” attacks have remained the most dangerous and mainstream type of malicious activity in the DeFi segment since early 2020.

What is a rug pull: Crypto protocols under fire

To understand what a rug pull is in crypto, we need to imagine a person standing on a rug. Someone unexpectedly pulls it, and the victim loses balance and falls over.

Rug pull in crypto: Two ways of losing money

This is what a rug pull looks like: DeFi masterminds rapidly remove all users' liquidity from the protocol, leaving investors with worthless tokens. At its core, every rug pull can affect its victims in two ways.

First, when the “rug is pulled,” investors have their assets transferred to attackers’ accounts with no chance of getting them back. Then, once the crypto community notices that a protocol has been rug pulled, its native cryptocurrency can lose 90% of its value in no time. As such, investors see their bags’ value plummet to zero.

How to rug pull crypto: the basics

For a “rug pull” to be possible, a DeFi team has to “hard-code” specific features into the codebase. For instance, the code has to allow the transfer of all liquidity to a particular account. The team can then replace the address in charge of funds with a malicious one, which makes a rug pull possible even for audited protocols.

Once liquidity is stolen (permanently transferred to malefactors’ accounts), hackers need to cash it out. Typically, they send the funds to crypto mixing ecosystems like Tornado Cash.

Mixing allows hackers to sell stolen crypto through crypto-to-fiat exchanges; without Tornado-based obfuscation, crypto trading platforms now rapidly blacklist the attackers’ addresses. On major explorers, all addresses involved in rug pulls are labeled within minutes of the first announcements about the scam gaining popularity on Crypto Twitter.

Worst rug pulls in crypto

The rug pull industry grew hand in hand with the popularity of the DeFi segment itself, and over the years 2021-2022 some rug pulls ended up as eight-digit scams. As such, they are challenging CEX hacks as the most dangerous type of attack in Web3.

Name of scam: Meerkat Finance

Token: MKAT

Blockchain: Binance Smart Chain

Net losses: $32 million

In March 2021, the team of BSC-based yield farming protocol Meerkat Finance (MKAT), a fork of Alpaca Finance (ALPACA), escaped with 14 million Binance USD (BUSD) and 73,635 Binance Coins (BNB).

The protocol disappeared during its first day in mainnet; however, some of its investors managed to inject six-digit sums into its liquidity pools.

Name of scam: Snowdog DAO

Token: SDOG

Blockchain: Avalanche

Net losses: $10 million

SnowdogDAO promoted itself as the largest “game theory” experiment on Avalanche (AVAX), a high-performance smart contracts platform. Its exploit scenario was sophisticated: someone who held a unique key was the only actor able to sell SDOG at a reasonable price.

Others found their SDOG investment value plummeting to zero after an orchestrated sell-off initiated by rug pull masterminds.

Name of scam: Squid Game

Token: SQUID

Blockchain: Binance Smart Chain

Net losses: $3 million

Inspired by the popular TV show about a dystopian world, the Squid Game token turned out to be a “honeypot scam,” which is a profitable rug pull scenario for attackers.

At some stage, the developers switched off SQUID holders’ ability to sell their tokens; only retail users were able to purchase new tokens. Once this was disclosed, the SQUID price dropped from almost $3,000 to zero.

How to spot a rug pull: Basics

To identify a crypto rug pull with 100% confidence, a blockchain user has to read the code, which requires advanced Solidity, Rust or Haskell skills. However, U.Today sums up a number of rug pull signs that can be spotted even by newbies.
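
For readers who do read the code, a first-pass triage of the three patterns described above (a privileged function that moves all liquidity, a replaceable payout address, a switch that blocks selling) can be scripted. This is an added example, not U.Today's or any auditor's tooling; the Solidity sample is constructed, and the `onlyOwner` modifier name and the flag labels are assumptions.

```python
import re

# Constructed sample contract (not a real project) with the article's three patterns.
SAMPLE = """
contract Vault {
    address owner; address treasury; bool sellEnabled = true; IERC20 lpToken;
    modifier onlyOwner() { require(msg.sender == owner); _; }
    function setTreasury(address next) external onlyOwner { treasury = next; }
    function setSell(bool on) external onlyOwner { sellEnabled = on; }
    function migrate() external onlyOwner {
        lpToken.transfer(treasury, lpToken.balanceOf(address(this)));
    }
    function _transfer(address from, address to, uint256 amt) internal {
        if (to == pair) { require(sellEnabled || from == owner, "paused"); }
    }
}
"""

FUNC = re.compile(r"function\s+(\w+)\s*\(([^)]*)\)([^{;]*)\{")
DRAIN = re.compile(r"balanceOf\s*\(\s*address\s*\(\s*this\s*\)|address\s*\(\s*this\s*\)\s*\.balance")

def functions(src):
    """Yield (name, params, modifiers, body); bodies found by brace matching."""
    for m in FUNC.finditer(src):
        depth, i = 1, m.end()
        while depth and i < len(src):
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        yield m.group(1), m.group(2), m.group(3), src[m.end():i - 1]

def scan(src):
    """Return (function, flag) pairs; heuristic, a prompt for manual review."""
    findings, owner_written, funcs = [], set(), list(functions(src))
    for name, params, mods, body in funcs:
        # Privileged = onlyOwner modifier (assumed name) or inline msg.sender check.
        if "onlyOwner" not in mods and not re.search(r"require\s*\(\s*msg\.sender\s*==", body):
            continue
        owner_written |= set(re.findall(r"\b(\w+)\s*=(?!=)", body))
        if DRAIN.search(body):  # moves the contract's whole balance
            findings.append((name, "DRAIN"))
        addr_params = re.findall(r"address(?:\s+payable)?\s+(\w+)", params)
        if any(re.search(rf"\b\w+\s*=\s*{p}\b", body) for p in addr_params):
            findings.append((name, "SWAP_ADDRESS"))  # re-points a stored address
    for name, _, _, body in funcs:
        if name in ("_transfer", "transfer", "transferFrom"):
            for cond in re.findall(r"require\s*\(([^;]*)\)\s*;", body):
                if owner_written & set(re.findall(r"\w+", cond)):
                    findings.append((name, "SELL_SWITCH"))  # owner-gated transfers
    return findings
```

A flag here is not proof of a scam, since legitimate protocols also have admin functions; it marks where to check who holds the privileged key and whether it sits behind a timelock or multisig.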

Greed is the worst enemy

All of the protocols targeted by “rug pulls” used to guarantee unbelievably high returns. First, they teased thousands of percent in APY: a recent Titano Finance scam protocol offered to triple any deposit in 10 days.

Then, all teams of such protocols guaranteed rewards with no regard for the market situation, the Ether and BNB price, audience dynamics and so on. Both “super-high” and “guaranteed” APYs are obvious red flags.

Many secrets hide many scams

Typically, there is little or no information about the teams, design and previous performance of “rug-pulled” protocols. Empty GitHub repositories, a Twitter account with no comments or retweets, a Medium “blog” with three articles and a landing page with an “investing” address make up a “rug pull” starter pack.

None of the “rug-pulled” DeFis had a real product: a payment system, a lending/borrowing module, stablecoins and so on. As such, investors should thoroughly research the project before investing in it.

Stay up to date on crypto security

Finally, information about potential rug pulls can be found on the Twitter accounts of cybersecurity providers and enthusiasts.

To start, every DeFi investor should follow Peckshield and CertiK, two leading security audit providers for crypto protocols. They detect malicious activity in an automated manner and inform potential investors about suspicious changes in the protocols’ codebase.

Bottom line

A rug pull is a malicious transfer of investor liquidity from a DeFi protocol. Rug pulls in crypto are organized by malevolent teams of DeFi products in order to steal supporters’ funds.

Some rug pulls in 2021-2022 stole eight-digit sums. To avoid falling victim to rug pulls, investors should not invest in products teasing enormous profits or in teams with no proven development activity.