Nearly $10 billion was stolen in DeFi scams and thefts in 2021 alone, an increase of 81% compared to 2020, with thefts accounting for more than 35% of all crypto scam revenue.
This is according to a recent Elliptic report. And while there are many types of scams that regularly take place within the cryptocurrency community, rugpulls are arguably the most infamous.
So what is a Rugpull in Crypto?
A rugpull, from the phrase "to pull the rug out from under someone", refers to a type of scam in which the development team behind a decentralized finance (DeFi) project runs away with investor funds by selling or depleting its liquidity.
In DeFi, liquidity refers to the amount of crypto assets deposited into a liquidity pool and locked in a smart contract; it is a requirement for operating automated market makers (AMMs) and decentralized exchanges like Uniswap.
To understand the basics of how Uniswap (and other similar DEXs) work, take a look at our detailed guide.
In essence, as with centralized exchanges, liquidity is essential in DeFi-based protocols as it makes it easy for users to execute trades between multiple assets without causing massive asset price swings. We will talk more about liquidity later in this guide.
Rugpulls are frequently associated with the DeFi space because of how simple it is to create a new cryptocurrency and have it listed on a decentralized exchange (DEX) without going through Know Your Customer (KYC) checks or a third-party smart contract code audit, which would help ensure that the code does not have any known vulnerabilities. However, keep in mind that an audit does not necessarily guarantee the legitimacy of a project.
In light of the above, it is also true that the community is becoming increasingly suspicious of unaudited protocols as more experts continue to join the field.
Understanding Rugpulls
Now that we have a basic idea of what rugpulls are, let's see how they normally develop. The developers of a project create a new token, usually based on Ethereum's ERC-20 standard, but also on other layer-one networks such as Solana, Avalanche or Binance Smart Chain, and list it on an open-source DEX such as Uniswap (Ethereum), Raydium (Solana), TraderJoe (Avalanche) or Pancakeswap (Binance Smart Chain).
Once the token is created, developers have two options to inject liquidity into the DEX: through a liquidity pool, in which the token is paired with a more popular cryptocurrency such as Ether (ETH), or through an IDO (initial DEX offering), in which a project token makes its first public debut on a DEX to raise funds from retail investors.
For most legitimate projects, the proceeds are locked for a certain period after the event, and this is how you can spot the first red flag: whoever plans a rugpull usually doesn't lock the liquidity and later removes it from the pool.
Either way, the developers will usually promote a crypto scam with enough marketing to encourage investors to buy the token by promising an unrealistic APY (Annual Percentage Yield). APY is a percentage of the return earned on an investment for one year. Be careful: a high APY does not necessarily mean that a crypto project is a scam; however, it translates into increased risk.
The team would go on to create various social media channels, including Discord, Twitter, Instagram, etc., under false identities or remaining totally anonymous. Another disclaimer here would be that not all anonymous teams turn out to be scammers; in fact, anonymity is a much heralded value of the industry that is highly advocated by many participants.
The main idea is to generate as much hype as possible, even if it is false, while trying to appear as legitimate as possible on social media. Some scammers will even stage attacks on their protocols and then warn investors about potential scammers and hackers, giving themselves an air of legitimacy.
Once enough victims get involved and provide enough liquidity to the project, the scammers can sell their share of tokens in one fell swoop at a high price while depleting the liquidity pool.
Without sufficient liquidity, investors are forced to sell at a much lower price, losing a significant amount of money. If the project is not audited by a known auditing firm, developers can sneak hidden backdoors into the protocol’s smart contract code. Once all liquidity is depleted and investor funds are in the hands of the development team, the team often proceeds to erase all traces of the protocol by removing its official website and social media channels.
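The effect of depleted liquidity on what a holder can sell for, as an added example that is not part of the original article. It assumes a constant-product pool (x * y = k) with a 0.3% swap fee, as used by Uniswap v2-style DEXs; the reserves, the 95% withdrawal and the size of the insider sale are constructed sample values.

```python
from dataclasses import dataclass

FEE = 0.003  # 0.3% swap fee, as in Uniswap v2-style pools (assumed here)


@dataclass
class Pool:
    token: float  # reserve of the project token
    eth: float    # reserve of the paired asset (ETH)

    def sell_tokens(self, amount):
        """Swap `amount` tokens into the pool; return the ETH paid out."""
        amount_in = amount * (1 - FEE)
        eth_out = self.eth * amount_in / (self.token + amount_in)
        self.token += amount
        self.eth -= eth_out
        return eth_out

    def remove_liquidity(self, share):
        """Withdraw `share` (0..1) of both reserves, as an unlocked LP position allows."""
        token_out, eth_out = self.token * share, self.eth * share
        self.token -= token_out
        self.eth -= eth_out
        return token_out, eth_out


def holder_proceeds(pool, amount):
    """ETH a holder would receive for `amount` tokens, without mutating `pool`."""
    return Pool(pool.token, pool.eth).sell_tokens(amount)


def scenarios(holder_amount=10_000):
    # Constructed sample reserves: 1,000,000 tokens paired with 500 ETH.
    healthy = Pool(token=1_000_000, eth=500)

    pulled = Pool(token=1_000_000, eth=500)
    pulled.remove_liquidity(0.95)      # 95% of the pool withdrawn

    dumped = Pool(token=1_000_000, eth=500)
    dumped.sell_tokens(4_000_000)      # large insider allocation sold at once

    return {
        "healthy": holder_proceeds(healthy, holder_amount),
        "after_liquidity_removal": holder_proceeds(pulled, holder_amount),
        "after_insider_dump": holder_proceeds(dumped, holder_amount),
    }


if __name__ == "__main__":
    for name, eth in scenarios().items():
        print(f"{name:>24}: {eth:.4f} ETH for 10,000 tokens")
```

Removing liquidity leaves the quoted spot price unchanged, which is why pool depth and lock status matter more to a holder than the price shown on a chart.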
How to Spot and Avoid a Potential Rugpull
There are numerous red flags that we can detect in a DeFi project.
As a side note, before investing in a cryptocurrency project, always make sure you do your own due diligence and research to avoid losing a sizable amount of money, and only invest what you can afford to lose.
Team anonymity is a critical factor that you need to consider. An anonymous team or pseudonymous profiles at the head of a cryptocurrency project are a cause for suspicion. But let's elaborate.
How you understand anonymity is up for debate. There are many well-known developers within the cryptocurrency field who have not been doxxed, but have a verifiable track record. Therefore, the fact that their real identities are unknown is not necessarily a red flag.
On the other hand, a completely doxxed team with no proven track record can be an even bigger red flag. Therefore, it is important to handle these circumstances very carefully.
Remember: don’t trust, verify.
In any case, investing in a project led by anonymous people with no prior history significantly increases the risk profile of your investment, and you should certainly be aware of this.
Incomprehensible and unclear whitepaper
The project may have a white paper (a document that describes its purpose and its technical components) written in an incomprehensible, ambiguous way and with a non-existent working model, which means that it is more conceptual without an actual product.
Keep an eye out for this one too: the whitepaper could be written in a way that feels more like a marketing move than offering anything useful or innovative for the DeFi ecosystem.
Disproportionate token allocation
If token distribution favors developers, stay away from the project. Be sure to check out the token allocation and supply release schedule.
You can use block explorers like Etherscan to see how tokens are distributed, the number of token holders, and how much each token holder has.
A balanced distribution of token supply generally translates into a safer investment.
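One way to put numbers on the distribution check described above, as an added example that is not part of the original article. It assumes you have exported a token's holder list (address and balance) from a block explorer; every address below except the conventional burn address is a placeholder, and the balances are constructed.

```python
BURN = "0x000000000000000000000000000000000000dead"  # conventional burn address


def concentration(holders, excluded=(), top_n=10):
    """Share of circulating supply held by the largest and the top-N holders.

    `holders` maps address -> balance; `excluded` lists addresses whose balance
    nobody can sell as their own (burn address, the DEX pair contract).
    """
    skip = {a.lower() for a in excluded}
    balances = sorted(
        (b for a, b in holders.items() if a.lower() not in skip), reverse=True
    )
    circulating = sum(balances)
    if circulating == 0:
        return {"largest": 0.0, "top_n": 0.0, "holders": 0}
    return {
        "largest": balances[0] / circulating,
        "top_n": sum(balances[:top_n]) / circulating,
        "holders": len(balances),
    }


# Constructed holder list; every address except BURN is a placeholder.
PAIR = "0xPAIR_CONTRACT_PLACEHOLDER"
SAMPLE = {
    BURN: 200_000,
    PAIR: 100_000,
    "0xDEPLOYER_PLACEHOLDER": 350_000,
    "0xTEAM_PLACEHOLDER": 140_000,
    **{f"0xHOLDER_{i:02d}_PLACEHOLDER": 21_000 for i in range(10)},
}

naive = concentration(SAMPLE)                            # raw explorer view
adjusted = concentration(SAMPLE, excluded=[BURN, PAIR])  # circulating supply only

if __name__ == "__main__":
    print("naive:   ", naive)
    print("adjusted:", adjusted)
```

In this sample the raw list shows the largest holder at 35% of supply, but once burned tokens and the pool's own balance are excluded the same wallet controls half of what can actually be sold.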
No lock-in or vesting periods
After an IDO, the developers relinquish ownership of the tokens by locking up the liquidity pool, ensuring that the liquidity remains intact for a sufficient period of time. The absence of lock-up periods means developers can withdraw the liquidity at any time, forcing investors to sell at a loss.
On the other hand, the lack of a comprehensive vesting period could mean that the early backers and the team itself are not aligned on the goals of the project. This could result in the so-called "slow rug".
This is a situation where seed investors who have no interest in supporting the long-term vision of the project, but who entered just because they had the opportunity to be first, slowly sell their tokens over time, which gradually pushes the price down. A project that has been through something like this usually has a graph that looks like this:
Low Liquidity and Total Value Locked (TVL)
Always check the liquidity of the DeFi project by looking at its 24-hour trading volumes. If it is low, then it is easier for the development team to manipulate the price of the token.
If the project you are investigating has some sort of staking mechanism or allows you to provide liquidity, you should also consider the Total Value Locked (TVL) on it. This metric is pretty self explanatory: it shows how much money is staked/locked in the project at the moment. The higher this number is, the more people have faith in it.
DeFi Rugpulls: a long history of events
AnubisDAO was a memecoin cryptocurrency traded as a fork of OlympusDAO, a DeFi reserve currency generated by the sale of bonds and fees from liquidity providers. AnubisDAO debuted with an initial coin offering that raised $60 million from investors, only for the funds to later be transferred to a single wallet and rugged.
Meerkat Finance was a yield vault DeFi project launched on Binance Smart Chain (BSC). One day after its debut, the protocol vaults “suffered” a security breach in which developers drained more than $31 million. In reality, the Meerkat deployment contract was changed to allow the vaults to be emptied shortly before launch.
Luna Yield was a Solana-based cross-chain yield aggregator, launched on Solana's finance launch pad, SolPAD. The protocol developers removed the liquidity after stealing several tokens worth nearly $10 million, and all social media channels and the official website were taken down soon after.
TurtleDEX was a decentralized exchange built on the BSC network. The protocol debuted with a pre-sale round that raised approximately 9,000 BNB, which at the time amounted to $2.5 million. However, the team drained the liquidity from the trading pools on BSC, swapped the TTDX tokens for ETH and then sold the funds on the Binance exchange.
In addition to having a promising future, decentralized finance is considered the Wild West of the cryptocurrency industry.
The ecosystem is full of opportunities for cryptocurrency developers and enthusiasts to explore and create new technologies. This is also true for the investors who back them from the start.
But as with any booming industry, scammers and malicious actors will always try to find and exploit vulnerabilities in the ecosystem or pose as legitimate projects offering inflated profits without any working model. That's why you should always do your own research before investing, and only invest what you can afford to lose.