A recent report indicated that rug pulls are one of crypto’s most pervasive scams. Rug pull tokens are explicitly programmed to steal from retail investors. Their smart contracts often include scripts that disable secondary sales, allow developers to mint new tokens, or charge buyers sell fees of 100%. Together, these tokens contribute to the hidden theft of hundreds of millions from crypto users.
The anatomy of a crypto rug pull
In most respects, rug pull tokens look just like any other cryptocurrency, abiding by their respective blockchains’ fungible token standard. Where they differ is in their source code. Over time though, scammers have learned how to make dozens of different modifications to their tokens’ underlying smart contracts. To execute rug pulls, scammers first hard-code exploitative rules into their tokens' smart contracts that give them additional powers – or strip their buyers of basic privileges. Then, they deploy (i.e. publish) that token contract. After deploying their scam token, the scammer next creates a liquidity pool on a decentralized exchange (DEX). This establishes a trading pair between that token and a more popular, legitimate cryptocurrency, like Ethereum. They then generate artificial transaction volume to inflate that token’s perceived value.
DeFi scammers may attract even more investors by publishing a promotional website or roadmap, sharing fake partnerships or names of “doxxed” developers and advertising on Twitter, Discord, Reddit, Telegram, or other social media apps
When enough users have bought into the scam token, the scammer then sells off their rug pull token holdings in exchange for the now-larger sum of legitimate tokens in the liquidity pool. This drives the token’s price to zero, thereby finishing the rug pull.
Types of rug pull smart contracts
Scammers program their crypto tokens to pull the rug out from under investors in several different ways. Three of the most popular types of DeFi scams– honeypots, hidden mints, and balance modifiers – are outlined below.
Number of honeypots detected by Solidus Threat Intelligence as of October 25th, 2022: 96,008
A honeypot is any exploit that prevents the buyers of a token from reselling it. This inability to sell causes the token’s price to increase, creating the appearance of a “mooning” token and tricking even more users into buying it.
The most famous example of this exploit is the Squid Game token (SQUID). Capitalizing on the popularity of the eponymous Netflix series, SQUID embedded a honeypot exploit in its deployment contract, making it look to many investors like a promising meme coin — another Dogecoin or Shiba Inu. Within days, investors had spent over $3.36 million buying SQUID, and the developers used this opportunity to run off with the funds.
Number of tokens with hidden mint functionalities detected by Solidus Threat Intelligence as of October 25th, 2022: 40,569
A hidden mint is an exploit that allows one or more externally owned accounts (EOAs) to mint new tokens using a hidden function within the token contract. After calling the mint function, the scammer dumps the extra tokens in the market, rendering the originally minted tokens that users hold worthless.
Hidden mints often accompany honeypots.
Hidden Balance Modifiers
Number of tokens with hidden balance modifiers detected by Solidus Threat Intelligence as of October 25th, 2022: 7,907
A hidden balance modifier is an exploit that allows token holder balances to be modified by one or more EOAs, or by the contract itself. When the EOA sets holder balances to zero, this makes selling impossible. The scammer then removes liquidity or mints/sells tokens to exit the scam.
Other typologies include fake ownership renunciations, hidden fee modifiers, hidden transfers, and external contract calls.
As the crypto industry faces more challenges, the need to build trust in blockchain-based finance, utilize blockchain's inherent transparency, and enable safe, accessible and regulated decentralized financial services has never been greater.
Written by Ayal Karmi, VP Operations, Solidus Labs