NFT Smart Contract Security Audit: Ultimate Guide
Smart contract vulnerabilities in NFTs lead to security issues. Regular NFT smart contract audits mitigate the risks of hacks.
Rug pulls are the 2nd most common type of security issue in crypto. In short, a rug pull is a scam that is as easy as pie to run, yet it still brings unethical players millions of dollars. Your community members may also be rug pulled by other projects, so you need to protect them from this scam. To this end, ask yourself these questions:
In this article, we have prepared structured and practical material covering all major points related to rug pulls in crypto in 2023.
A rug pull is any malicious maneuver performed by developers to abandon a project and exit with all investors’ money. Although rug pulls are unethical and sometimes even illegal, they often appear legitimate, and investors do not suspect any hidden threats. Rug pulls mostly affect the DeFi, NFT, and Metaverse areas of Web3 but can happen in any other kind of project.
A common rug pull scheme is easy to deploy. Developers create a token with an attractive name and groundbreaking promises. They claim their token meets almost all users’ demands and can multiply their investments by 10, 100, 1,000, or even more X. When the scam token price goes up, more money is injected into the product until the pool becomes so big that the developers suddenly decide to steal the whole fortune.
The theft works as follows: developers sell or remove all liquidity from the project, pushing the price to 0. Scammers may also use back doors in smart contracts to steal investors’ funds.
There are 3 main types of rug pulls:
All rug pulls have 2 common forms:
The incident took place in June 2021 and is an example of a hard rug pull. Scammers deployed a code library different from the one cited in the source code. Neither Etherscan nor BscScan could verify the library source code. Users granted permissions to StableMagnet and thereby allowed scammers to drain pairs. The back door in the smart contract allowed scammers to transfer more tokens to all wallets that previously approved StableMagnet. The project lured users by offering huge returns on deposits. Overall, >1,000 users were affected by the incident.
In this case, users falsely believed they were interacting with a safe protocol. However, only the involvement of a professional auditor might have prevented this rug pull. Users themselves could not identify the malicious scheme in time.
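The token approvals described above are what gave the contract standing access to users' balances. As an added example (not code from Hacken or from any project named here), this sketch replays ERC-20 `Approval` event logs to list allowances that are still live and were granted to a spender without verified source code. All addresses and log entries are constructed, and the `verified_spenders` set is an assumed input that a defender would build from a block explorer's verification status.

```python
# Added example; every address and log entry below is constructed sample data.
# keccak256("Approval(address,address,uint256)"), the standard ERC-20 event topic.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1

def topic_to_addr(topic):
    """An indexed address occupies a 32-byte topic; the address is its last 20 bytes."""
    return "0x" + topic[-40:].lower()

def outstanding_allowances(logs):
    """Replay Approval logs in chain order; the latest value per (token, owner, spender) wins.
    Spending can lower an allowance without a new event, so this is an upper bound;
    the token's allowance() view is authoritative."""
    state = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        if len(topics) != 3 or topics[0] != APPROVAL_TOPIC:
            continue  # other events; an ERC-721 Approval carries 4 topics
        key = (log["address"].lower(), topic_to_addr(topics[1]), topic_to_addr(topics[2]))
        state[key] = int(log["data"], 16)
    return {k: v for k, v in state.items() if v > 0}  # value 0 means revoked

def risky_approvals(logs, verified_spenders):
    """Live allowances granted to spenders without explorer-verified source."""
    return [
        {"token": t, "owner": o, "spender": s, "unlimited": amt == UNLIMITED}
        for (t, o, s), amt in outstanding_allowances(logs).items()
        if s not in verified_spenders
    ]

def _log(block, idx, token, owner, spender, amount):
    """Build a constructed log entry in the shape returned by eth_getLogs."""
    pad = lambda a: "0x" + "0" * 24 + a[2:]
    return {"address": token, "blockNumber": block, "logIndex": idx,
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)], "data": hex(amount)}

TOKEN, ALICE, BOB = "0x" + "11" * 20, "0x" + "aa" * 20, "0x" + "bb" * 20
UNVERIFIED_POOL, VERIFIED_DEX = "0x" + "de" * 20, "0x" + "c0" * 20
SAMPLE_LOGS = [
    _log(100, 0, TOKEN, ALICE, UNVERIFIED_POOL, UNLIMITED),  # never revoked
    _log(101, 3, TOKEN, BOB, UNVERIFIED_POOL, 500),
    _log(102, 1, TOKEN, BOB, UNVERIFIED_POOL, 0),            # revoked one block later
    _log(103, 0, TOKEN, ALICE, VERIFIED_DEX, 1000),
]

if __name__ == "__main__":
    for finding in risky_approvals(SAMPLE_LOGS, verified_spenders={VERIFIED_DEX}):
        print(finding)
```

Setting an allowance back to 0 with `approve(spender, 0)` removes the finding, which is why Bob's entry does not appear in the output.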
The AniMoon case, which took place in June 2022, is an example of a soft rug pull. The project positioned itself as a play-to-earn game featuring 9,999 programmatically generated Animoon NFTs. It claimed that its Pokemon-derivative NFTs were produced in partnership with TopDeck, official Pokemon partners. The team contacted a serial scammer, Jake Paul, to shill AniMoon.
In reality, the project delivered neither the real-world products, such as T-shirts and shoes, promised to investors nor the cash rewards ($2.5K per month) for legendary holders taken from the public wallet. The team also claimed it had developed a profit-making P2E game, but there was no evidence that this game was real. Overall, none of the major posts and announcements made by the project on its media pages contained any proof.
The crypto sleuth ZachXBT revealed that $6.3M raised by Animoon was transferred to the Binance and KuCoin accounts linked to the project’s contract deployer and co-founder.
The AniMoon founders were previously involved in other scam cases, such as taking money for investment and coaching services they never delivered to clients. This incident is an example of the power of crypto shilling, which may have disastrous implications for investors.
The BNB Chain-based Teddy Doge project carried out a pump-and-dump rug pull. The project claimed to offer cross-chain products, NFTs, and token swaps. During the ICO it managed to raise hundreds of thousands of dollars. The wallets connected to the project’s developers sold over $4.5M within 1 week. These tokens were exchanged for wrapped BNB. Under the project’s tokenomics, a large share of tokens was allocated to the manager’s account and then sold in bulk. The rogue developers controlled the project’s liquidity pools.
Although the project team did not immediately abandon the project, it did not provide any useful assistance to the affected investors and only tried to attribute the rug pull to a cross-chain bridge issue or a developer wallet leak. The team behind Teddy Doge even announced the launch of a new $DRAC token that would be given in airdrops to affected investors.
Although the rug pull is one of the most popular forms of crypto scam, the bad actors behind these schemes mostly rely on users’ naivety and lack of basic cybersecurity knowledge rather than on complex manipulations. Thus, by educating users on cybersecurity you can reduce the damage rug pulls bring to the industry or even make this form of scam just a piece of crypto history.
And there are first positive signs. According to Immunefi, in 2022 the crypto world lost around $175M to different forms of fraud, including rug pulls, representing a 96.9% decrease compared to 2021. Fraud accounted for just 4.4% of total crypto crime volume.
There are simple but very effective tips that your users can follow to avoid being rug pulled and leave scammers with 0 profits. We strongly recommend that you share these tips with your users:
Thus, rug pulls are mostly the result of users’ insufficient awareness of cybersecurity. Do not let scammers easily steal your users’ money; help them stay away from suspicious projects.
A rug pull is a form of fraud whereby developers exit a project with all investors’ money or sell their whale allocation to extract all profits, meaning investors are left with worthless assets.
An NFT rug pull is always unethical but only sometimes illegal. Hard rug pulls are always illegal, while soft rug pulls are, in most cases, only unethical, meaning the bad actors do not violate any legal rules.
A rug pull in crypto is a form of crypto scam that does not involve any third-party attacks and is carried out by insiders, in most cases by project developers and owners.
A rug pull may be classified as a crime only if there are respective regulations in the jurisdictions where a project operates. Each rug pull case needs to be investigated individually to determine whether it is a crime or just a form of unethical behavior.