Contributed by Edwin Doyle, Global Security Strategist, Check Point Software.
In the cryptocurrency market, the term “rug pull” means a theft in which the owners of a cryptocurrency project abandon it after stealing investor money. The term vividly conveys the feeling of investors who were promised a bright future in cryptocurrency riches. Unfortunately, the cryptocurrency world seems to be plagued with financial fraud. Also, research shows that while the industry is seeing a reduction in theft overall, the decentralized finance (DeFi) sector has seen an increase in theft. This makes sense: DeFi is promoted as the future of finance, yet its application security is still developing and evolving.
Rug pulls by the numbers
When it comes to the DeFi market, rug pulling has been responsible for $113 million in losses as of July 2021. While this number is lower than the $361 million lost to outside threat actors, it’s still a staggering amount of money.
Types of rug pulls
The common theme in rug pulls is the involvement of malicious owners, but not all inside jobs follow the same script. Here are two types of rug pull you should know about as a customer or investor.
The most common type is a liquidity scam. This fraud involves listing the alt-coin on a decentralized exchange (DEX) and pairing it with a top cryptocurrency technology, such as Ethereum (ETH). The sequence of events in a typical rug pull would then continue as follows:
The token creators copy existing, public smart contract code and issue a platform token. Then, they create hype for their project and add liquidity of the token to a DEX, like Uniswap, Pancakeswap, or Sushiswap. DEXs allow users to swap tokens without any intermediaries. The paired tokens are locked in a smart contract called a liquidity pool. Using the DeFi exchanges, customers swap their tokens for the platform token.
With the token developers and initial platform users investing in the project, more and more people start seeing it as an opportunity to “get in early.” Once the token becomes popular and increases in value, the project owners dump their stake all at once to make a profit. This pump and dump leaves other investors with worthless cryptocurrency tokens and no option to get their money back.
Another type of rug pull involves exploiting the “approve” function of ERC20 tokens (a standard used for creating and issuing smart contracts on the Ethereum blockchain). This function can be manipulated so that the buyer can’t spend the token they have bought. When a user swaps their token on a DEX, they’re allowing (approving) the smart contract to spend the token. A malicious developer may modify this “approve” function so that users can only buy a token, but not spend it in any way. The unsuspecting users think they can sell, convert, or spend in another way – like other cryptocurrency tokens – but find out later that, through manipulation of the smart contract algorithm, these options are only available to the project developers, or whoever/whatever the contract specifies.
Examples of rug pulls
Here are some recent examples:
This theft involved stealing 2,500 ETH from investors (almost $10 million at current valuation). According to the project’s team, “one of the devs compromised a wallet and was able to use a little-known vulnerability in the compiler itself.”
In this case, the project’s developers allegedly stole $200,000 in cryptocurrency. They were able to control user tokens by exploiting a back door in the smart contracts.
In April this year, the CEO of the popular Turkish cryptocurrency exchange Thodex disappeared, allegedly committing a fraud of $2 billion. According to a Bitcoin.com report, 30,000 of the 390,000 active users of the platform were affected by this rug pull.
- Meerkat Finance
In early March, yield farming pool Meerkat Finance lost $31 million to an alleged rug pull.
How to Avoid A Crypto Rug Pull
If you’re interested in a DeFi project, you should research the development team and also look at the technical aspects that leave projects open to exploitation. Here are some measures you can take:
- Read the documentation
One of the warning signs for a scam is vague documentation. Review the white paper and research the project thoroughly to find out more about the owners/token holders.
- Check the developer’s holdings
Check what percentage of the token supply is in the control of the developers. A large percentage means that they can manipulate the market more easily. Note that having only a few wallet holders indicates centralized control over the project.
- Look at the project’s code
For most projects, the source code is publicly available. Analyze the code for functions that have been flagged as dangerous by independent auditors.
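As a starting point for that review, the following sketch (an added example, not code from the original article or from any auditing tool) scans Solidity source for the pattern described under “Types of rug pulls”: an approve or transfer function that only a privileged account can call. The function names, the regular expressions and the two sample contracts are assumptions constructed for illustration; a hit means “read this function closely”, not “this is a scam”.

```python
import re

# Functions a holder must be able to call to sell or move an ERC20 token.
SPEND_FUNCS = {"approve", "transfer", "transferFrom", "_approve", "_transfer"}
CALLER = re.compile(r"msg\.sender|_msgSender\(\)|\bsender\b|\bfrom\b")
# Assumed naming conventions for privileged accounts; real contracts vary.
PRIVILEGED = re.compile(r"\b_?owner\b|whitelist|excluded", re.I)
FUNC = re.compile(r"\bfunction\s+(\w+)\s*\(")

def functions(source):
    """Yield (name, header, body) for each function that has a body."""
    source = re.sub(r"//[^\n]*|/\*.*?\*/", "", source, flags=re.S)  # drop comments
    for m in FUNC.finditer(source):
        start, semi = source.find("{", m.end()), source.find(";", m.end())
        if start == -1 or -1 < semi < start:
            continue  # declaration only, e.g. inside an interface
        depth, end = 0, start
        for end in range(start, len(source)):
            depth += {"{": 1, "}": -1}.get(source[end], 0)
            if depth == 0:
                break
        yield m.group(1), source[m.start():start], source[start:end + 1]

def gated_spend_functions(source):
    """Return (function, reason) pairs that deserve manual review."""
    findings = []
    for name, header, body in functions(source):
        if name not in SPEND_FUNCS:
            continue
        mod = re.search(r"\bonly[A-Z]\w*", header)
        if mod:
            findings.append((name, "modifier " + mod.group(0)))
        for cond in re.findall(r"\b(?:require|if)\s*\(([^;{]*)", body):
            if CALLER.search(cond) and PRIVILEGED.search(cond):
                findings.append((name, "caller check"))
    return findings

# Constructed samples, not taken from any real project.
BENIGN = """function approve(address spender, uint256 amount) public returns (bool) {
    require(spender != address(0), "zero address");
    _allowances[msg.sender][spender] = amount; return true; }"""
GATED = """function approve(address spender, uint256 amount) public returns (bool) {
    require(msg.sender == owner, "denied");  // only the deployer may approve
    _allowances[msg.sender][spender] = amount; return true; }
function transfer(address to, uint256 amount) public onlyOwner returns (bool) {
    _move(msg.sender, to, amount); return true; }"""

if __name__ == "__main__":
    print(gated_spend_functions(BENIGN), gated_spend_functions(GATED))
```

The scan is textual, so it misses restrictions hidden behind helper functions or inherited contracts and can flag harmless fee exemptions; it narrows down what to read and does not replace an independent audit.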
Decentralized finance will revolutionize the industry and create products and services that will last a millennium, but like all great movements of humanity, our first steps are tenuous and fraught with projects whose purposes are to defraud investors, intentionally or through negligence. If your organization is looking to engage in blockchain for financial transactions, it’s worthwhile to do a complete security audit of the project first.