Nearly $10 billion was stolen in DeFi scams and thefts in 2021 alone, representing an 81% rise compared to 2020, and rugpulls accounted for over 35% of all crypto scam revenue.
This is according to a recent report by Elliptic. And while there are many types of scams that take place regularly within the cryptocurrency community, rugpulls are arguably the most infamous.
So, What is a Rugpull in Crypto?
A rugpull — from the phrase to pull the rug from underneath someone — refers to a type of scam where the development team behind a decentralized finance (DeFi) project runs away with investors’ funds by selling or draining its liquidity.
In DeFi, liquidity refers to the amount of crypto assets poured into a liquidity pool and locked into a smart contract. It is a requirement for operating an automated market maker (AMM) and decentralized exchanges such as Uniswap.
To grasp the basics of how Uniswap (and other similar DEXs) work, please take a look at our detailed guide.
In essence, just like with centralized exchanges, liquidity is essential in DeFi-based protocols because it lets users trade between multiple assets without causing massive swings in the assets’ prices. We’ll talk more about liquidity later in this guide.
Rugpulls are frequently associated with the DeFi space because of how simple it is to create a new cryptocurrency and get it listed on a decentralized exchange (DEX) without having to go through a Know Your Customer (KYC) process or commission a third-party smart contract code audit to confirm the code has no known vulnerabilities. However, keep in mind that an audit doesn’t necessarily guarantee a project’s legitimacy.
In light of the above, it’s also true that the community is getting more and more suspicious of unaudited protocols as more experts continue joining the field.
Understanding Rugpulls
Now that we have a basic idea of what rugpulls are, let’s see how they usually unfold. Typically, developers of a project create a new token (usually based on Ethereum’s ERC-20 standard, but also on other layer-one networks such as Solana, Avalanche, or the Binance Smart Chain) and list it on an open-source DEX like Uniswap (Ethereum), Raydium (Solana), TraderJoe (Avalanche), or Pancakeswap (Binance Smart Chain).
Once created, the developers have two options to inject liquidity to the DEX: via a liquidity pool — in which the token is paired with a more popular cryptocurrency like Ether (ETH) — or via an IDO (Initial DEX Offering), in which a project’s token makes its first public debut on the DEX to raise funds from retail investors.
For most legitimate projects, the proceeds are locked for a certain period after the event, and this is how you can spot the first red flag — whoever plans a rugpull usually doesn’t lock up the liquidity in order to later remove it from the pool.
Either way, the developers will usually promote a crypto scam with enough marketing to hype investors into buying the token by promising an unrealistic APY (Annual Percentage Yield). The APY is the percentage return earned on an investment over a year. Be careful: a high APY doesn’t necessarily mean that a crypto project is a scam, but it does translate into higher risk.
The team then creates various social media channels, including Discord, Twitter, Instagram, etc., with fake identities, or remains totally anonymous. Another disclaimer here would be that not all anonymous teams turn out to be scammers – in fact, anonymity is a highly proclaimed value of the industry that many participants uphold dearly.
The main idea is to create as much hype as possible, albeit fake, while trying to look as legitimate as they can on social media. Some scammers will even fake attacks on their protocols and then warn investors of potential scammers and hackers, giving themselves an air of legitimacy.
Once enough victims are engaged and provide sufficient liquidity to the project, the scammers can sell their share of tokens all at once at a high price while draining the liquidity pool.
Without sufficient liquidity, investors are forced to sell at a much lower price, losing a significant amount of money. If the project isn’t audited by a well-known auditing company, developers can hide backdoors in the protocol’s smart contract code. Once all the liquidity is drained, and investors’ funds are in the hands of the development team, the team often proceeds to erase all traces of the protocol by deleting its official website and social media channels.
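The effect described above can be worked through with a constant-product pool (x * y = k with a 0.3% swap fee, the pricing rule of Uniswap v2-style AMMs). This is an added example, not part of the original article; the reserve sizes, purchase amounts and the `Pool` and `exit_value` names are constructed for illustration.

```python
from dataclasses import dataclass

FEE = 0.997  # 0.3% swap fee kept by the pool (Uniswap v2-style assumption)

@dataclass
class Pool:
    token: float  # reserve of the project token
    eth: float    # reserve of the paired asset

    def swap(self, amount_in: float, sell_token: bool) -> float:
        """Constant-product swap (x * y = k); returns the amount paid out."""
        r_in, r_out = (self.token, self.eth) if sell_token else (self.eth, self.token)
        if r_out == 0:
            return 0.0  # nothing left in the pool to pay out
        out = amount_in * FEE * r_out / (r_in + amount_in * FEE)
        if sell_token:
            self.token, self.eth = r_in + amount_in, r_out - out
        else:
            self.eth, self.token = r_in + amount_in, r_out - out
        return out

    def remove_liquidity(self, share: float) -> None:
        """An LP-token holder withdraws `share` of both reserves."""
        self.token *= 1 - share
        self.eth *= 1 - share

def exit_value(lp_removed: float = 0.0, insider_dump: float = 0.0) -> float:
    """ETH a late buyer gets back for a 10 ETH position (constructed numbers)."""
    pool = Pool(token=1_000_000, eth=100)         # team seeds the pool
    pool.swap(390, sell_token=False)              # earlier buyers push the price up
    bought = pool.swap(10, sell_token=False)      # our buyer enters with 10 ETH
    if insider_dump:
        pool.swap(insider_dump, sell_token=True)  # insiders sell tokens held outside the pool
    if lp_removed:
        pool.remove_liquidity(lp_removed)         # unlocked liquidity is withdrawn
    return pool.swap(bought, sell_token=True)     # buyer sells everything

if __name__ == "__main__":
    cases = [("liquidity intact", {}),
             ("95% of liquidity removed", {"lp_removed": 0.95}),
             ("1,000,000-token insider sale", {"insider_dump": 1_000_000}),
             ("all liquidity removed", {"lp_removed": 1.0})]
    for label, kw in cases:
        print(f"{label:30s} -> {exit_value(**kw):6.3f} ETH back")
```

Removing liquidity leaves the quoted price unchanged but makes the pool shallow, so the buyer's own sale moves the price against them; an insider sale lowers the price itself.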
How to Spot and Avoid a Potential Rugpull
There are numerous red flags we can spot in a DeFi project.
As a side note, before investing in a cryptocurrency project, always make sure you do your own due diligence and research to avoid losing a considerable amount of money, and only invest what you can afford to lose.
Whether the team is anonymous is a critical factor you should consider. An anonymous team or pseudonymous profiles fronting a cryptocurrency project is a reason for suspicion. But let us elaborate.
How you understand anonymity, however, is up for debate. There are plenty of well-known developers within the cryptocurrency field that haven’t been doxxed, but they have a verifiably proven track record. Therefore, the fact that their real identities are unknown isn’t necessarily a red flag.
On the other hand – a fully doxxed team without a proven track record can be an even bigger red flag. Therefore, it’s important to navigate these circumstances very carefully.
Remember – don’t trust, verify.
In any case, investing in a project led by people who are anonymous and have no previous track record significantly increases the risk profile of your play, and you should most certainly be aware of that.
Incomprehensible, Unclear Whitepaper
The project might have a whitepaper (a document that outlines its purpose and its technical components) written in an incomprehensible, ambiguous way and with a non-existent working model, meaning it’s more conceptual with no actual product.
Keep an eye on this one, too: the whitepaper might be written in a way that looks more like a marketing play than actually offering something useful or innovative to the DeFi ecosystem.
Disproportionate Token Allocation
If the token distribution favors developers, stay away from the project. Make sure you check out the token allocation and the supply release schedule.
You can use block explorers like Etherscan to see how the tokens are distributed, the number of token holders, and how much each of them holds.
A balanced token supply distribution usually translates to a safer investment.
No Lock-Up or Vesting Periods
After an IDO, developers renounce ownership of the tokens by locking up the liquidity pool, guaranteeing that the liquidity remains untouched for a sufficient period of time. No lock-up periods mean that developers can drain the liquidity at any given time, forcing investors to sell at a loss.
A lack of a comprehensive vesting period, on the other hand, might mean that the early backers and the team themselves are misaligned with the project’s goals. This might translate to the so-called “slow rug.”
This is a situation where seed investors, who have no interest in supporting the project’s long-term vision but entered just because they had an opportunity to be early, slowly sell their tokens over time, essentially crashing the price. A project that has gone through something of the sort typically has a chart that looks like this:
Low Liquidity and Total Value Locked (TVL)
Always check the liquidity of the DeFi project by looking at its 24-hour trading volumes. If it is low, then it’s easier for the development team to manipulate the token’s price.
If the project that you are researching has some sort of staking mechanism or allows you to provide liquidity, then you should also consider the total value locked (TVL) in it. This metric is pretty much self-explanatory: it shows you how much money is staked or locked in the project at that time. The higher this number is, the more people have faith in it.
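The allocation, lock-up and vesting checks above can be run over a holder list copied from a block explorer. This added example is not part of the original article; the holder tables, addresses, labels, the dates and the 10% and 20% thresholds are constructed assumptions, not industry standards.

```python
import csv, io
from datetime import date

# Constructed exports shaped like an explorer's holder list:
# address, balance, label, unlock date of a lock/vesting contract (if any).
TOKEN_HOLDERS = """address,balance,label,unlock
0xdead,50000000,burn,
0xaaa1,420000000,,
0xaaa2,180000000,,
0xve51,100000000,vesting,2026-01-01
0xpool,150000000,dex-pool,
0xbbb1,60000000,,
0xbbb2,40000000,,
"""
LP_HOLDERS = """address,balance,label,unlock
0xaaa1,9000,,
0x10c4,1000,locker,2024-03-01
"""

def load(text):
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        unlock = date.fromisoformat(r["unlock"]) if r["unlock"] else None
        rows.append((r["address"], int(r["balance"]), r["label"], unlock))
    return rows

def movable(rows, today):
    """Balances a holder can sell or withdraw today: not burned, not the DEX
    pool itself, not inside a lock/vesting contract that is still closed."""
    return {a: b for a, b, label, unlock in rows
            if label not in ("burn", "dex-pool") and not (unlock and unlock > today)}

def supply(rows):
    return sum(b for _, b, label, _ in rows if label != "burn")

def screen(token_rows, lp_rows, today, top1_max=0.10, lp_max=0.20):
    """Return red flags; thresholds are illustrative assumptions."""
    tok, lp = movable(token_rows, today), movable(lp_rows, today)
    top1 = max(tok.values(), default=0) / supply(token_rows)
    lp_free = sum(lp.values()) / supply(lp_rows)
    flags = []
    if top1 > top1_max:
        flags.append(f"largest movable wallet holds {top1:.0%} of supply")
    if lp_free > lp_max:
        flags.append(f"{lp_free:.0%} of LP tokens can be withdrawn today")
    if set(lp) & set(sorted(tok, key=tok.get, reverse=True)[:3]):
        flags.append("a top-3 token wallet also holds withdrawable LP tokens")
    return flags
```

Calling `screen(load(TOKEN_HOLDERS), load(LP_HOLDERS), date(2024, 1, 15))` on the constructed data raises all three flags.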
DeFi Rugpulls: A Long History of Events
AnubisDAO was a memecoin cryptocurrency marketed as a fork of OlympusDAO, a DeFi reserve currency backed by bond sales and fees from liquidity providers. AnubisDAO debuted with an Initial Coin Offering that raised $60 million from investors, which was later transferred to a single wallet and rugged.
Meerkat Finance was a yield vault DeFi project launched on the Binance Smart Chain (BSC). A day after its debut, the protocol’s vaults “suffered” a security breach in which developers drained over $31 million. In reality, the Meerkat deployer contract was modified to allow the vaults to be drained shortly before the launch.
Luna Yield was a Solana-based cross-chain yield aggregator, launched on Solana’s finance launchpad SolPAD. The protocol’s developers removed the liquidity after stealing nearly $10 million worth of several tokens. All social media channels and the official website were taken down shortly after.
TurtleDEX was a decentralized exchange built on the BSC network. The protocol debuted with a presale round that raised roughly 9,000 BNB, which at that time amounted to $2.5 million. However, the team drained the liquidity from the trading pools on BSC, exchanged the TTDX tokens for ETH, and then sold the funds on the Binance exchange.
Aside from holding a promising future, decentralized finance is considered the Wild West of the crypto industry.
The ecosystem is full of opportunities for developers and crypto-enthusiasts to explore and create new technologies. This is also true for investors who get to back them early on.
But as with any booming industry, scammers and malicious actors will always try to find and exploit vulnerabilities in the ecosystem or pose as legitimate projects offering exaggerated returns with no working model whatsoever. This is why you should always do your own research before investing, and only invest what you can afford to lose.