Audits
Services
Services
Smart Contract Audit
Blockchain Protocol Audit
Penetration Testing
dApp Audit
Crypto Wallet Audit
Cross-Chain Bridge Audit
Bug Bounty
Proof of Reserves
CCSS Audit
Tokenomics Audit & Design
Smart Contract Audit
Mitigate weaknesses in your smart contract and improve its functionality with a double line-to-line code analysis and a separate review by a lead auditor.
Blockchain Protocol Audit
Secure the entire architecture and implementation layers of your blockchain protocol with professional security audits and testing.
Penetration Testing
Proactively detect vulnerabilities in your Web3 project by subjecting your systems to a simulated cyberattack in a secure and controlled environment.
dApp Audit
Identify vulnerabilities in applications interacting with blockchain networks with secure code review and static security analysis.
Crypto Wallet Audit
Code review & static security analysis for crypto wallet apps.
Cross-Chain Bridge Audit
Code review & security analysis for cross-chain crypto bridges.
Bug Bounty
Receive only relevant bug reports or undergo crowdsourced penetration testing with the help of thousands of ethical hackers curated by HackenProof.
Proof of Reserves
Enhance transparency in crypto exchanges with independent on-chain proof of assets’ true collateralization.
CCSS Audit
Assess and strengthen your security practices, identify vulnerabilities, and safeguard valuable digital assets in the ever-evolving cryptocurrency landscape.
Tokenomics Audit & Design
Ensure your token model robustness and efficiency and convey trust to investors and community with our thorough, independent audit of protocol economic security.
Solutions
Post-deployment security solution
Hacken Extractor
Real-time smart contract protection from assets loss
Learn more
Solutions
Featured ecosystems:
Ethereum (EVM)
BSC
Polygon
Near
Avalanche
Fantom
Aptos
Sui
Optimism
zkSync
Arbitrum
Solana
Polkadot
Cosmos
Radix
Linea
MetaMask
Others
By Languages:
Solidity
Rust
Move
Blog
Company
Company

The window to exchange $HAI for Hacken Equity Shares ($HES) is now open > Claim your spot today

Rug Pull – Top Crypto Scams & How to stay safe from rug pulls

Rug Pull – Top Crypto Scams & How to stay safe from rug pulls

Share via:

Rug pull is the 2nd most common type of security issues in crypto. In Q1 2024, Web3 witnessed 15 high-profile rug pulls for a total loss of $64 million. Despite their deceptive simplicity, rug pulls continue to line the pockets of unethical actors at the expense of unsuspecting crypto investors. To effectively combat rug pulls and protect the community, it’s essential to ask the following questions:

What is a rug pull?
Can this simple scam bring >$1M to bad actors?
How to protect your community from this risk?

In this article, we have prepared for you structured and practical material covering all major points related to rug pulls in crypto in 2023.

Follow @hackenclub on 𝕏 (Twitter)

Rug pull explained

Rug pull refers to any malicious maneuver performed by developers to abandon a project and exit with all investors’ money. Although rug pulls are unethical and sometimes even illegal, they often appear legitimate and investors do not even suspect any hidden threats. Rug pulls mostly affect DeFi, NFT, and Metaverse areas of Web3 but can happen with any other projects.

A common rug pull scheme is easy to deploy. Developers create a token with an attractive name and groundbreaking promises. They claim their token meets almost all users’ demands and can multiply their investments by 10, 100, 1,000, or even more X. When the scam token price goes up, more money are injected into the product until the pool becomes so big that developers suddenly decide to steal all this fortune.

Stealing process is the following: developers sell or remove all liquidity from the project pushing price to 0. Scammers may also use back doors in smart contracts to steal investors’ funds.

Types of rug pulls

There are 3 main types of rug pulls:

Liquidity theft: creators withdraw all coins from the funding pool. As a result, the value locked in token disappears and investors are left with worthless assets.
Limiting sell orders: creators code a smart contact with embedded selling limitations meaning only they can sell tokens. However, most investors do not know anything about these limitations. Developers lure them claiming that limitations are temporary or resulting from a technical issue that can be resolved in a few days. However, after investors buy a lot of tokens, developers simply extract profits by selling all these assets and leaving people with the worthless asset.
Pump and dump: scammers rapidly buy a big volume of tokens (“pump”) to heavily increase its value and attractiveness in the eyes of existing and potential investors. At the same time, they conduct aggressive marketing campaigns appealing to investors. Their purpose is to persuade investors that buying this token is the only right decision for them. As a result, investors see that a token brings 10X or even 100X returns and enter this project. When hype reaches its peak, creators dump all their tokens to extract huge profits thereby leaving users with pennies.

All rug pulls have 2 common forms:

Hard rug pull: developers use coding to defraud investors. They embed hidden things into the contract and after investing their money in a project, users cannot perform any activities with their assets. Thereby, they get locked into the project while scammers get full power to perform token manipulations.
Soft rug pull: often has the “pump and dump” nature. Users can exit the project whenever they want but they are afraid of losing big profits and, thus, do not leave the project until its creators exit with all their money.

Examples of most shocking rug pulls

StableMagnet, $27M drained

The incident took place in June 2021 and is an example of a hard rug pull. Scammers deployed the code library different than the one cited in the source code. Neither Etherscan nor BscScan could verify the library source code. Users were granting permissions to StableMagnet and thereby allowed scammers to drain pairs. The back door in the smart contract allowed scammers to transfer more tokens to all wallets that previously approved StableMagnet. The project lured users by offering huge returns on deposits. Generally, >1,000 users were affected by the incident.

In this case, users falsely believed they were interacting with a safe protocol. However, only the involvement of a professional auditor might have prevented this rug pull. Users themselves could not timely identify the malicious scheme.

AniMoon NFT, $6.3M drained

AniMoon case that took place in June 2022 is an example of a soft rug pull. The project positioned itself as a play-to-earn game featuring 9,999 programmatically generated Animoon NFTs. It claimed that Pokemon-derivative NFTs were produced in partnership with TopDeck, official Pokemon partners. The team contacted a serial scammer Jake Paul to shill AniMoon.

In reality, the project did not deliver any real-world products such as T-Shirts and shoes to investors and cash rewards ($2.5K per month) for legendary holders taken from the public wallet. The team also claimed they developed a profit-making P2E game but there was no evidence that this game was real. Generally, all major posts and announcements made by the project on its media pages did not contain any proof.

The crypto sleuth ZachXBT revealed that $6.3M raised by Animoon was transferred to the Binance and KuCoin accounts linked to the project’s contract deployer and co-founder.

AniMoon founders were previously involved in other scam cases such as taking money for investment and coaching services they had never delivered to clients. This incident is an example of the power of crypto shilling which, however, may have disastrous implications for investors.

Teddy Doge, $4.5M drained

The BNB Chain-based Teddy Doge project made a pump and dump rug pull. The project claimed to offer cross-chain products, NFTs, and token swaps. During the ICO it managed to raise hundreds of thousands of dollars. The wallets connected to the project’s developers sold over $4.5M within 1 week. These tokens were exchanged for wrapped BNB. Under the project’s tokenomics, the big share of tokens was allocated to the manager’s account and then sold in bulk. The rogue developers controlled the project’s liquidity pools.

Although the project team did not immediately abandon the project, it did not provide any useful assistance to the affected investors and only tried to explain the rug pull by cross-chain bridge issue or developer wallet leak. The team behind Teddy Doge even announced the launch of a new $DRAC token that would be given in airdrops to affected investors.

How to avoid rug pulls?

Although rug pull is one of the most popular forms of crypto scam, bad actors behind these malicious schemes mostly rely on users’ naivety and lack of basic cybersecurity knowledge rather than the use of complex manipulations. Thus, by educating users on cybersecurity you can reduce the scope of damage brought by rug pulls to the industry or even make this form of scam just a piece of crypto history.

And there are first positive signs. According to Immunefi, in 2022, the crypto world lost around $175M in different forms of fraud including rug pulls representing a 96.9% decrease compared to 2021. Fraud accounted for just 4.4% of total crypto crime volume.

There are simple but very effective tips by following which your users can prevent being rug pulled and leave scammers with 0 profits. So, we strongly recommend you to share these tips with your users:

do not make fast investment decisions: find, read, and analyze before investing money;
do not believe in getting huge profits by investing just “a few dollars”;
read project’s tokenomics and check whether there are no holders with dominant ownership. If developers control the major share of allocation, try to stay aside from this project. Use block explorers such as Etherscan for allocation control;
be suspicious of sudden token price jumps. Huge price jumps are the indicator of price manipulation;
be afraid of anonymous teams claiming to be crypto gurus;
do not enter projects with no lock-up or vesting periods because it means that developers or other interested parties can drain liquidity any time;
test whether you can sell tokens;
use CER.live to check whether a project has an independent third-party audit.

Thus, rug pulls are mostly the result of insufficient users’ awareness about cybersecurity. Do not let scammers easily steal your users’ money, help them stay away from suspicious projects.

Follow @hackenclub on 𝕏 (Twitter)

FAQ

What does a rug pull mean?

A rug pull is a form of fraud whereby developers exit a project with all investors’ money or sell their whale allocation to extract all profits meaning investors are left with worthless assets.

Is an NFT rug pull illegal?

NFT rug pull is always unethical but only sometimes illegal. Hard rug pulls are always illegal while soft rug pulls, in most cases, are only unethical, meaning the bad actors do not violate any legal rules.

What is a rug pull in crypto?

Rug pull in crypto is a form of crypto scam that does not involve any third-party attacks and is carried out by insiders, in most cases, by project developers and owners.

Is rug pull a crime?

Rug pull may be classified as a crime only if there are respective regulations in the jurisdictions where a project operates. Each rug pull case needs to be investigated individually to determine whether it is a crime or just a form of unethical behavior.