A rug pull is a malicious act in which crypto developers abandon a project and either run away with project funds or sell off their pre-mined holdings. Rug pulls are most common within the DeFi ecosystem, as DEXs allow malicious developers to list their tokens without any prior verification or auditing.
What Is a Rug Pull?
The DeFi ecosystem along with DApps is driven entirely by users in that any developer can create their own projects, while users can opt to buy in should they believe the project has value. Although this is attractive, this freedom also comes with a massive downside as malicious developers can easily create and list fraudulent tokens. In particular, malicious actors take advantage of the ERC-20 standard, which has greatly lowered the technical and financial barriers to creating new tokens. Another key element of rug pulls are decentralized exchanges (DEXs) such as Uniswap (UNI) and SushiSwap (SUSHI), which unlike centralized exchanges (CEXs), allow the listing of tokens without audit.
A report from blockchain analytics company CipherTrace found that 99% of all major fraud that occurred during the second half of 2020 stemmed from DeFi rug pulls and other exit scams. The immense amount of money flowing into DeFi (up from $1.7 billion in early 2020 to $130 billion by May 2021), has attracted no short order of malicious actors. Security analysts have noted a similarity in the tactics used with the initial coin offering (ICO) mania of 2017.
How Do Rug Pulls Work?
Rug pulls operate similarly to pump and dump schemes as they both take advantage of the lack of regulation in the crypto space, misinformation, shilling, and the fear of missing out (FOMO). The difference is that pump and dumps typically operate within a shorter time range, revolve around the price action of low-volume tokens, and do not require the involvement of the token’s developers.
On the other hand, rug pulls involve insiders taking off with the majority of user funds by pairing their token with another (valuable) token such as Bitcoin (BTC) or Ethereum (ETH). After investors have swapped their tokens for the scam token, the developers drain the liquidity pool of the valuable tokens, thereby “pulling the rug out” from under investors.
Another common tactic is large developer pre-mines, which in many cases are either hidden from investors or explained away as a project vault, developer fund, or eventual burn. The scam is only revealed when these funds are quickly sold off when the token’s price rises high enough.
Rug pulls are often accomplished through backdoors intentionally written into the project’s smart contracts that allow developers to drain and manipulate staked or otherwise locked tokens. In any case, the rug pull quickly drives the price to zero, leaving any investors that didn’t get out early with a bunch of worthless tokens.
A typical rug pull scam looks something like this:
First, a malicious developer creates a token (let’s call it SCAM) with no real use case, typically just by copying and pasting the code of another token or template and changing a few lines. Then, the developer adds liquidity of SCAM to a DEX such as Uniswap or Sushiswap and begins shilling the token through telegram groups and social media, often by paying influencers. After that, as the price of the token rises, promises of incredible yields, and FOMO causes more and more users to add tokens with real value (typically ETH) to the liquidity pool, thus causing users to just buy SCAM directly, driving the price up even further. Once satisfied with their earnings, the developer of SCAM drains all liquidity from the platform and exits with a haul of the valuable tokens, and any investors that did not jump ship early are left holding worthless tokens with no place to cash out. The developer can easily repeat this process any number of times under a different token and pseudonym.
What Is An Example of a Rug Pull?
Compounder Finance (CP3R) was a self-described clone of Harvest and Yearn Finance (YFI) that looked just like many of the other yield farming DeFi projects that had taken the industry by storm in 2020. On December 1st, just 22 days after its smart contract was launched, the project rug pulled its investors by draining over $10.8 million from its smart contracts. In total, $750,000 in Wrapped Bitcoin (WBTC), $4.8 million in ETH, $5 million in DAI, and smaller amounts of other tokens were stolen. The price of CP3R dropped 98.8% within the span of 24 hours and flatlined completely shortly after.
To add insult to injury, CP3R had actually been audited by the smart contract auditing firm Solidity Finance, which had flagged a suspicious time-locked smart contract configuration, along with the development team’s high level of control. After the audit was completed, the developers snuck in a hidden backdoor that allowed them to withdraw all funds from the project through the 24-hour timelock, which though public, was clearly unmonitored.
A major issue is that any audit requested by a project is likely going to focus on external threats, rather than the risk developers themselves may pose to investors. In the case of CP3R, investors opted to overlook a major security flaw even though the timelock configuration was flagged by the audit.
How Can You Recognize and Avoid a Rug Pull?
As with all scams, the easiest way to avoid being rug pulled is to exercise proper due diligence. Always consider the use case of the token, never invest in something you don’t understand, and never rush into a project simply because it promises high returns or has risen sharply. Always remember the old adage that “if something sounds too good to be true, it probably is.”
Decentralized exchanges algorithmically determine the prices of tokens in a liquidity pool in accordance with the available balances. The easiest way to protect yourself from a rug pull is to check the amount of liquidity in the pool. Legitimate tokens tend to have tens of millions (if not billions) of dollars in total liquidity, along with a significant amount of tokens locked for a certain period of time.
As with pump and dumps, prospective investors should be highly suspicious of any project whose price skyrockets within just a few hours. If you see a token shoot up in value, try to see if you can figure out why. If there hasn’t been a new partnership, a new exchange listing, or any other meaningful announcement, it may simply be an attempt to drive you and other investors into putting money in from FOMO.
Scam tokens often bear names similar to more established, reputable projects. Robert Leshner, founder of the DeFi automated market maker (AMM) Compound Finance (COMP), noted that the CP3R rug pull intentionally used a name very similar to his project in order to lure in uninformed victims. Other examples include the Yfdexf Finance and TRUAMPL rug pulls.
Just like many other scams, rug pulls are not designed with any practical use case in mind. As such, they rely heavily on marketing to draw in an initial batch of investors to start pushing the price up. This often involves heavy use of social media, along with so-called crypto “influencers” on platforms such as Instagram and TikTok. An example of this kind of rug pull strategy is Save The Kids (KIDS) token, which drew in a large number of investors with social media promotions before rug pulling.
The large majority of rug pulls are run by anonymous or pseudonymous teams. If the project’s website doesn’t have any meaningful information (such as real names, previous crypto experience, LinkedIn profiles, etc.) on the team, you should exercise caution. Consider if the project has any partnerships with reputable organizations, or if its whitepaper makes any sense (if it even has one).
As with the ICO craze back in 2017 and now more recently with the explosion in DeFi, scammers will follow wherever the money goes. Certain aspects of the DeFi ecosystem, such as the convenience of creating and listing new tokens, has made scams easier to pull off than ever before. As DeFi has unlocked an entirely new world of finance for millions across the world, so too has it unlocked a huge pool of potential victims for malicious actors.
Despite how common they are, funds lost in rug pulls are almost never recovered, and in most cases, the scammers are able to disappear without a trace. Without the protection or oversight of any central authority, investors are largely left to fend for themselves should anything go wrong. As such, it is critical to exercise proper due diligence before investing in a DeFi project, especially when it appears too good to be true.