Dismantling Rug Pull: Detailed Analysis of DeFi Scam Routines

Cryptocurrency scams are on the rise, and to make matters worse, there are still many that go undetected. Investors need to assess the risk of cryptocurrency fraud when choosing a cryptocurrency project, and regulators should step up their efforts to prevent consumer harm and ultimately improve market integrity, transparency, and consumer protection standards.

Author: Solidus Labs Team

Compilation: PANews

Rug pulls are one of the most common scams in the cryptocurrency industry, and frankly, while many have been exposed, there should be many that go undetected. According to SolidusLabs data, at least 188,000 Rugpulls potential scams have been deployed on Ethereum, BNBChain and some top Layer 1 blockchains.

Which blockchains have the most RugPulls token projects?

Data shows that 12% of BEP-20 tokens on the BNB Chain show signs of fraud, while 8% of ERC-20 tokens on Ethereum show signs of fraud, while approximately $910 million in fraud-related ETH are processed through centralized or regulated cryptocurrency exchanges. According to data from blockchain analysis unit Chainalysis, 11 DeFi protocols were attacked in October, affecting $718 million in cryptocurrency assets, setting a record for the highest monthly cryptocurrency loss so far this year.

As one of the largest cryptocurrency exchanges in the blockchain ecosystem, the constant addition of new features and an ever-expanding user base are likely the main reasons why scammers and hackers target Binance. Binance seems to be aware of the prevalence of smart contract scams on its blockchain network, and has now integrated risk monitoring tools to detect risks in real-time and promptly notify users of potentially risky projects, including RugPulls and other scams, so what does RugPulls generally have?” trick”? Next, let us analyze it in detail.

Rug Pulls Project “Routine”

RugPulls, also known as “fraud tokens” or “DeFi scams”, are projects that carefully design code in smart contracts to steal funds from retail investors. The code design goals usually involve:

1. Prohibition of secondary sales

2. Allow project developers to freely mint new tokens

3. Charge the buyer 100% of the sales fee

The RugPulls project party hides these scripts in the tokens, and once purchased by retail investors who do not know the truth, they will face huge risks. For the most part, RugPulls tokens look exactly like other cryptocurrencies on the market, and will “comply” with the blockchain’s homogeneous token standard, but the real problem is hidden in a deeper layer of smart contract source code.

Since the birth of Bitcoin, the cryptocurrency industry has become more and more mature. At the same time, fraudsters have also figured out the underlying routines of encryption, and can make a lot of modifications to the underlying smart contracts that restrict the recording of transaction conditions and rules on the blockchain. . To enforce RugPull, fraudsters often hard-code malicious rules into smart contracts that not only give themselves additional powers, but also deprive buyers of their fundamental rights. Typically, fraudsters launch the RugPulls project after deploying one or more vulnerable tokens.

Once the token is deployed, fraudsters create liquidity pools on decentralized exchanges (DEXs) and then pair the token with other “legitimate” cryptocurrencies. Next, they will artificially generate transaction volume and inflate the value of the token in this way, ultimately attracting the interest of retail investors.

In addition to the above “conventional means”, the RugPulls project may also “take stock” of its own legitimacy in the following ways, such as:

1. Create a development roadmap for fake websites and fake projects

2. Share fake partnerships and post some fake “avatars” of well-known developers

3. Advertise on Twitter, Discord, Telegram or other social media

As more and more people buy RugPull project tokens, the fraudsters behind the project will start brewing a sell-off. When enough users buy tokens, they will quickly sell the tokens and put them on the decentralized exchange. Exchange it into other cryptocurrencies, such as ETH, USDT, etc. A large-scale sell-off in a short period of time will quickly bring the price of the token to zero, and the RugPull conspiracy will succeed.

RugPulls Token Fraud Type Inventory

There are many ways for fraudsters to deploy malicious code in smart contracts of RugPulls tokens, but there are three main types of RugPulls in the current market, namely:

1. Hidden deployment of honeypot vulnerabilities

2. Hidden private token function

3. Hidden balance modification backdoor

Honeypot vulnerabilities often prevent token buyers from resale, while only developers can sell their own cryptocurrency holdings, and ordinary investors tend to experience a transaction similar to “Undefined transaction failed due to error; may be due to There is a problem with one of the tokens you exchanged”, causing the withdrawal to fail. Honeypot scams often lead to a rise in the price of tokens in a short period of time, which in turn induces more users who do not know the truth to buy. A typical example is the Squid Game token (SQUID), which uses the popular Netflix drama “Squid”. The name of “Game” has attracted many people to buy it, but the project party has embedded a honeypot vulnerability in the smart contract, making the Squid Game token look like a promising cryptocurrency, and more than a few days after its launch. 3.36 million US dollars of funds entered the venue, but it was eventually looted by the project party. According to the data, as of October 25, 2022, the number of token projects with hidden honeypot vulnerabilities in the market is about 96,008.

The private token function is also one of the most common tactics used by fraudsters, they will give one or more “externally owned accounts (EOA)” specific permissions, allowing them to use hidden functions in the token contract to mint new tokens . When a fraudster successfully invokes the minting function, there will be a large number of tokens that will be sold to the market, resulting in the value of other holders’ tokens being greatly reduced or even worthless. According to the data, as of October 25, 2022, there are about 40,569 token projects in the market that hide the function of private token creation.

Deploying a balance modification backdoor is somewhat similar to deploying a private token function. Fraudsters will grant one or more “Externally Owned Accounts (EOA)” specific permissions, allowing them to modify token holders’ balances. When an “Externally Owned Account (EOA)” (EOA)” sets token holders’ balances to zero, they cannot sell withdrawals, and fraudsters can either withdraw liquidity or mint/sell tokens to exit.

Summarize

Cryptocurrency scams are on the rise, and to make matters worse, there are still many that go undetected. Investors need to assess the risk of cryptocurrency fraud when choosing a cryptocurrency project, and regulators should step up their efforts to prevent consumer harm and ultimately improve market integrity, transparency, and consumer protection standards.

Source of information: Collected from the Internet by 0x information.The copyright belongs to the author “PANews” and may not be reproduced without permission

Total
0
Shares
Related Posts