Rug pulls are one of crypto’s most pervasive scams and, until today, the vast majority have gone undetected. Solidus data indicates that more than 188,000 rug pulls have been deployed on Ethereum, BNB Chain, and other leading blockchains – far more than previous estimates.

These rug pulls – also known as “scam tokens” or “DeFi scams” – are not just abandoned crypto projects, as the traditional definition of a rug pull often suggests; Rug pull tokens are explicitly programmed to steal from retail investors. Their smart contracts often include scripts that disable secondary sales, allow developers to mint new tokens, or that charge buyers sell fees of 100%. Together, these tokens contribute to the hidden theft of hundreds of millions from crypto users.

The anatomy of a rug pull token

In most respects, rug pull tokens are just like any other cryptocurrency, abiding by their respective blockchains’ fungible token standard. Where they differ is in their source code.

Over time, scammers have learned how to make dozens of different modifications to their tokens’ underlying smart contracts. Smart contracts are software programs that establish conditions and rules in connection to transactions recorded by on the blockchain. To execute rug pulls, scammers hard-code malicious rules into the smart contract to give themselves additional power – or strip their buyers of basic privileges. Scammers tend to initiate their rug pulls by deploying a token with one or more of these exploits embedded.

After deploying a token, the scammer creates a liquidity pool on a decentralized exchange (DEX). This establishes a trading pair between that token and hundreds or thousands of dollars worth of a more popular, legitimate one, like Ethereum. They then generate artificial transaction volume to inflate that token’s value and attract investor interest.

They may also feign legitimacy by:

• Publishing a website or roadmap,
• Sharing fake partnerships or the names of “doxxed” developers, or
• Advertising on Twitter, Discord, Telegram, or other social media apps

When enough users have bought into the scam token, the scammer sells their holdings in exchange for the now-larger sum of legitimate tokens in the liquidity pool. This drives the scam token’s price towards zero, thereby concluding the rug pull.

Types of rug pull token exploits

Scammers program their crypto tokens to pull the rug out from under investors in a number of different ways. Three popular types of rug pull exploits – honeypots, hidden mints, and hidden balance modifiers – are outlined below. 

Honeypots

Number of honeypots detected by Solidus Threat Intelligence as of October 25th, 2022: 96,008

A honeypot is any exploit that prevents the buyers of a token from reselling it. This inability to sell causes the token’s price to increase, creating the appearance of a “mooning” token and tricking even more users into buying it.

The most famous example of this exploit is the Squid Game token (SQUID). Capitalizing on the popularity of the eponymous Netflix series, SQUID embedded a honeypot exploit in its deployment contract, making it look to many investors like a promising meme coin — another Dogecoin or Shiba Inu. Within days, investors had spent over $3.36 million buying SQUID, and the developers used this opportunity to run off with the funds.

Source: Coinmarketcap

Hidden mints

Number of tokens with hidden mint functionalities detected by Solidus Threat Intelligence as of October 25th, 2022: 40,569

A hidden mint is an exploit that allows one or more externally owned accounts (EOAs) to mint new tokens using a hidden function within the token contract. After calling the mint function, the scammer dumps the extra tokens in the market, rendering the originally minted tokens that users hold worthless.

Hidden mints often accompany honeypots.

Hidden Balance Modifiers

Number of tokens with hidden balance modifiers detected by Solidus Threat Intelligence as of October 25th, 2022: 7,907

A hidden balance modifier is an exploit that allows token holder balances to be modified by one or more EOAs, or by the contract itself. When the EOA sets holder balances to zero, this makes selling impossible. The scammer then removes liquidity or mints/sells tokens to exit the scam.

Additional typologies

Other typologies include fake ownership renunciations, hidden fee modifiers, hidden transfers and external contract calls. In our forthcoming Rug Pull Report, we analyze these exploits and more in greater detail.

How Solidus Threat Intelligence spots rug pulls, early, accurately, and at scale 

Solidus Threat Intelligence combines proprietary on- and off-chain datasets with Token Sniffer’s smart contract scanning technology to spot rug pulls as soon as they’re deployed. This gives crypto businesses both a window into their compliance posture and an opportunity to prevent DeFi scammers from cashing out. In this way, companies can protect their users, root out bad actors, and address regulatory enforcement risks.

Learn how Solidus Threat Intel can help your business tackle crypto AML:

Source