Cryptocurrency has been making waves in recent years, with more and more people investing in it. However, with the rise of cryptocurrency investing comes a rise in scams. One of the most common scams in the crypto world is the rug pull. According to Chainalysis, rug pull scams defrauded victims of approximately $2.8 billion worth of cryptocurrency in 2021, accounting for 37% of all cryptocurrency scam revenue that year.

According to the latest data, in April 2023 the DeFi industry once again saw the disturbing rug pull trend, with investors losing more than $6.2 million across 32 projects.

Among the affected chains, BNB Chain was hit hardest by rug pulls, accounting for more than 73% of the total event volume (about $4.5 million). Ethereum and Arbitrum ranked second and third, with $1.05 million and $182,000 respectively.

What is a Rug Pull

A rug pull is a crypto scam. Typically, the developers of a cryptocurrency withdraw the liquidity from a DEX liquidity pool, causing the token's price to plummet, or suddenly abandon the project and take investors' funds without warning, by taking advantage of centralized authority and logic loopholes. This is the typical rug pull in the DeFi field.

The most recent rug pull incident involved Merlin, a DEX in the zkSync ecosystem, on April 26, 2023. According to Numen on-chain data monitoring, shortly after Merlin launched a three-day pre-sale event, approximately $1.82 million worth of USDC, ETH and other cryptocurrencies was stolen from the Merlin protocol because malicious developers exploited a vulnerability to carry out a rug pull. At press time, the incident is still under investigation.

Types of Rug Pulls

Rug pulls mainly come in 3 types: liquidity theft, limit sell orders and dumping.

Liquidity theft

Liquidity theft is the most common type of rug pull in the DeFi space. This happens when the creator of a token withdraws all coins from a liquidity pool, removing all the value that investors have put into the currency, driving its price down to zero. Liquidity pools are an essential part of DeFi protocols, enabling users to trade cryptocurrencies without relying on centralized exchanges.

Liquidity pools consist of funds provided by liquidity providers (LPs) in exchange for a share of trading fees. LPs deposit equal amounts of two cryptocurrencies into the liquidity pool, and in return they receive liquidity pool tokens, which represent their share in the pool. These tokens can be redeemed for the underlying cryptocurrency at any time. A liquidity rug pull occurs when the creator of the project withdraws the deposited funds and runs away with them, leaving the liquidity provider with worthless tokens.
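The effect of a liquidity withdrawal on what holders can still sell for is easiest to see in numbers. The following is an added example, not part of the original article: it assumes a Uniswap-v2-style constant-product pool (x * y = k) with fees ignored, which the article does not specify, and all names and amounts are constructed.

```python
# Added illustration: constant-product pool (x * y = k), trading fees ignored.
# The pool formula is an assumption; names and amounts are constructed.
from dataclasses import dataclass, field

@dataclass
class Pool:
    token: float = 0.0       # reserve of the new token
    base: float = 0.0        # reserve of the pairing currency
    lp_supply: float = 0.0   # total liquidity pool tokens issued
    lp: dict = field(default_factory=dict)   # holder -> LP tokens

    def add_liquidity(self, who, token_amt, base_amt):
        # First deposit sets the price; later deposits mint LP tokens pro rata.
        if self.lp_supply == 0:
            minted = (token_amt * base_amt) ** 0.5
        else:
            minted = self.lp_supply * base_amt / self.base
        self.token += token_amt
        self.base += base_amt
        self.lp_supply += minted
        self.lp[who] = self.lp.get(who, 0.0) + minted

    def remove_liquidity(self, who, share):
        # Redeeming LP tokens returns the same fraction of both reserves.
        burn = self.lp[who] * share
        frac = burn / self.lp_supply
        out = (self.token * frac, self.base * frac)
        self.token -= out[0]
        self.base -= out[1]
        self.lp_supply -= burn
        self.lp[who] -= burn
        return out

    def buy(self, base_in):
        out = self.token - self.token * self.base / (self.base + base_in)
        self.token -= out
        self.base += base_in
        return out

    def quote_sell(self, token_in):
        # Pairing currency a holder would receive for token_in (state unchanged).
        return self.base - self.token * self.base / (self.token + token_in)

def simulate(withdraw_share=0.99):
    pool = Pool()
    pool.add_liquidity("creator", 1_000_000, 100_000)
    bought = pool.buy(10_000)                  # investor buys with 10,000 base
    before = pool.quote_sell(bought)           # resale value while liquidity is in place
    pool.remove_liquidity("creator", withdraw_share)
    return round(before, 2), round(pool.quote_sell(bought), 2)
```

With 99% of the liquidity withdrawn, the investor's position falls from 10,000 to 1,000 units of the pairing currency, and with 100% withdrawn it falls to zero, even though the investor's token balance never changes.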

Limit Sell Order

Limit sell orders are a more subtle way for malicious developers to defraud investors. In this type of rug pull, the developer codes the tokens so that the developer is the only party that can sell them. The developer then waits for retail investors to buy the new cryptocurrency using a pairing currency, that is, the currency the new token is traded against in a trading pair. Once there is enough positive price movement, the developer dumps their position, leaving behind worthless tokens.

Dumping

A dump is when a developer quickly sells off a large amount of their own tokens, driving down the price and leaving the remaining investors holding worthless tokens. It often happens after heavy promotion on social media platforms, and the resulting surge and sell-off is known as a pump and dump scheme. This falls into more of an ethical gray area than other DeFi rug pull scams. Generally speaking, it is not unethical for crypto developers to buy or sell their own coins. When it comes to DeFi crypto rug pulls, "dumping" is a question of how many tokens are sold and how fast.

How to Identify and Avoid Rug Pulls

Here are 6 signs that a project may be at risk of a rug pull:

Unknown or anonymous developer

Investors should consider the credibility of the people behind new crypto projects. Are the developers and promoters well known in the crypto community? What is their track record? If the development team has been investigated but is not well known, do they still look legitimate and able to deliver on their promises? Unknown or anonymous project developers are therefore a red flag. While the world's original and largest cryptocurrency was indeed developed by Satoshi Nakamoto, who has remained anonymous to this day, times are changing.

No liquidity lock-in

One of the easiest ways to distinguish scam coins from legitimate cryptocurrencies is to check whether the token's liquidity is locked. If the liquidity is not locked, the project creator can run away with all of it. To ensure security, liquidity is protected by time-locked smart contracts, which generally last for three to five years. Although developers can write their own time lock scripts, third-party token locks may be more secure.

In addition, investors should also check the percentage of the liquidity pool that is locked. A lock only protects in proportion to the share of the liquidity pool it covers. This ratio is called the "total value locked" (TVL) and should be between 80% and 100%.

Sell Order Limit

Bad actors can program tokens to restrict certain investors from selling their holdings. These sales restrictions are a hallmark of scam projects.

Because these sales restrictions are hidden in the code, it can be difficult to determine if there is a scam. One way to test this is to buy a small amount of the new tokens and then immediately try to sell them. If the attempted sale has problems, then the project is likely a scam.
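The buy-then-sell test described above can be expressed as a small probe. This is an added example, not part of the original article: the token classes are toy Python models of transfer rules (constructed for illustration), and the 10% loss threshold is an assumption. The same round trip can also be run as a simulated transaction instead of with real funds.

```python
# Added illustration: round-trip ("buy then sell") probe against toy token models.
# Token classes, addresses and the loss threshold are constructed for this example.
POOL, PROBE, OWNER = "pool", "probe-wallet", "owner"

class Token:
    """Minimal ledger; subclasses override the hooks a transfer function would run."""
    def __init__(self):
        self.bal = {POOL: 1_000_000.0, OWNER: 0.0}

    def _check(self, src, dst):
        return None          # no restriction in the plain token

    def _fee(self, src, dst):
        return 0.0           # no transfer tax in the plain token

    def transfer(self, src, dst, amount):
        self._check(src, dst)
        if self.bal.get(src, 0.0) < amount:
            raise RuntimeError("insufficient balance")
        fee = amount * self._fee(src, dst)
        self.bal[src] -= amount
        self.bal[dst] = self.bal.get(dst, 0.0) + amount - fee
        self.bal[OWNER] += fee
        return amount - fee  # what actually arrives at dst

class SellWhitelistToken(Token):
    def _check(self, src, dst):
        # Selling means sending tokens to the pool; only the owner is allowed to.
        if dst == POOL and src != OWNER:
            raise PermissionError("transfer to pool not allowed")

class SellTaxToken(Token):
    def _fee(self, src, dst):
        return 0.95 if dst == POOL else 0.0   # hidden tax on sells only

def probe(token, amount=100.0, max_loss=0.10):
    got = token.transfer(POOL, PROBE, amount)        # small "buy"
    try:
        back = token.transfer(PROBE, POOL, got)      # immediately "sell" it all
    except Exception as exc:
        return ("BLOCKED", str(exc))
    loss = 1 - back / amount
    return ("HIGH_TAX" if loss > max_loss else "OK", round(loss, 2))
```

A sale that goes through is not enough on its own: the probe also compares what arrives with what was sent, because a sell tax close to 100% has the same effect as a blocked sale.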

Price surge for limited token holders

We should be wary of sudden, large price swings in new tokens, all the more so if the token's liquidity is not locked. A large surge in the price of a new DeFi token is often the "pump" that comes before the "dump". In this case, investors should be skeptical of the token's price movements and use block explorers to check the number of token holders. If only a few people hold a token, it is vulnerable to price manipulation. A small number of token holders may also mean that some large holders will sell their positions, causing serious and immediate damage to the value of the token.
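Both the liquidity lock check from the earlier section and the holder check above come down to arithmetic over balances exported from a block explorer. The following is an added example, not part of the original article: the addresses, labels, dates and the 50% concentration threshold are constructed, and counting burned LP tokens as locked is an assumption of this sketch. The 80% floor and the three-year minimum lock come from the article.

```python
# Added illustration: lock share and holder concentration from exported balances.
# Addresses, labels, dates and the 50% threshold are constructed for this example.
from datetime import date

LP_HOLDERS = [  # (address, LP tokens, label, unlock date or None)
    ("0xLOCKER", 500.0, "locker", date(2026, 5, 1)),
    ("0xBURN", 100.0, "burn", None),
    ("0xDEPLOYER", 400.0, "wallet", None),
]
TOKEN_HOLDERS = [  # (address, token balance, label)
    ("0xPOOL", 400_000.0, "pool"),
    ("0xDEPLOYER", 350_000.0, "wallet"),
    ("0xAAA", 150_000.0, "wallet"),
    ("0xBBB", 60_000.0, "wallet"),
    ("0xCCC", 40_000.0, "wallet"),
]

def locked_share(lp_holders, today, min_days=3 * 365):
    """Fraction of LP tokens that are burned or time-locked for at least min_days."""
    total = sum(amount for _, amount, _, _ in lp_holders)
    safe = 0.0
    for _, amount, label, unlock in lp_holders:
        if label == "burn":
            safe += amount
        elif label == "locker" and unlock and (unlock - today).days >= min_days:
            safe += amount
    return safe / total

def top_holder_share(token_holders, n=3, exclude=("pool", "burn", "locker")):
    """Share of the circulating supply held by the n largest ordinary wallets."""
    wallets = sorted((bal for _, bal, label in token_holders
                      if label not in exclude), reverse=True)
    return sum(wallets[:n]) / sum(wallets)

def assess(today=date(2023, 5, 1)):
    flags = []
    locked = locked_share(LP_HOLDERS, today)
    if locked < 0.80:                 # article: locked share should be 80% to 100%
        flags.append(f"only {locked:.0%} of liquidity locked or burned")
    top = top_holder_share(TOKEN_HOLDERS)
    if top > 0.50:                    # constructed threshold
        flags.append(f"top 3 wallets hold {top:.0%} of circulating supply")
    return flags
```

A lock that is about to expire is treated as no lock at all, so the same data produces a different result depending on the date the check is run.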

Suspicious high returns

If something sounds too good to be true, it probably is, and it should not be trusted. If a new coin's yields seem suspiciously high, it is likely a Ponzi scheme. While a triple-digit annual percentage yield (APY) is not necessarily indicative of a scam, such high returns often translate into equally high risks.

No external audit

Formal code audits by reputable third parties have become standard practice in today's cryptocurrency market. For decentralized currencies and DeFi projects, an audit is a must by default.

However, as a potential investor, you cannot just trust the development team’s claim that an audit was conducted. The audit must be verified by a third party and show that nothing malicious was found in the code.

At the same time, investors should be aware that these signs by themselves do not necessarily mean that the project is a rug pull, but they should raise red flags and prompt further investigation before investing in the project.

By checking the above 6 signs, you can reduce investment risks to a great extent. At the same time, to avoid losses from rug pulls, we can also further check:

1. Whether the project owner has open-sourced the contract code and had it strictly audited

2. Whether the project owner has also published relevant security measures and emergency remediation measures

3. Whether the project holds high-privilege authority in the contract to transfer user funds

4. Whether project permissions are managed with multi-signature, time locks and similar controls rather than being highly centralized

5. Whether the token holders described in the project white paper are consistent with the actual token issuance, tracking the token issuance address and time

Perform due diligence

Performing due diligence on a project is a necessary step to ensure a safe investment. In addition to watching out for the signs mentioned previously, investors should also be cautious of the hype and FOMO (fear of missing out) surrounding new projects. Fraudulent projects often attract investors quickly by creating a sense of urgency and hype, but investors should take the time to conduct thorough research and due diligence before investing. When conducting due diligence, investors need to verify the legitimacy of the project team and check its track record. In addition, one should also look for transparency, which can be obtained by reading the project's white paper, website, and other materials.

Investors need to ask themselves these questions: Are the members of the project team experienced and credible members of the crypto community? Have they worked on successful projects before? It is also important for investors to thoroughly understand the project's smart contracts. Investors should verify that the smart contract code has been audited by a reputable third-party auditor to ensure that there are no hidden malicious backdoors or exploitable code.

To sum up, investors should spend sufficient time and energy to conduct due diligence to avoid investment risks.

Conclusion

Rug pulls have become a serious problem in the cryptocurrency world, causing many investors to lose billions of dollars. In this article, we learned what rug pulls are, their different types, and how to identify and avoid these scams. We explored some signs, such as high returns, anonymous development teams, and a lack of audits and transparency, which may indicate that a project is at risk of fraud. We must learn to identify and avoid rug pulls in investment projects and protect the safety of our assets. All projects can be investigated or audited by professional teams before investing. At the same time, as the crypto industry continues to develop and attract more investors, individuals, regulators, and law enforcement agencies also need to work together to prevent and punish fraudulent activities.