Avoiding Rug Pulls at Web3, Part 2: Social Engineering

Marco Worms
7 min readJan 29, 2022

--

This article has been reviewed and republished unifying both parts, click here to go to the latest version: https://mirror.xyz/blorms.eth/LI0i-2v2Qs5UX2NV_L6zA8JMOteoOw0jWSm4e8ZR2oo

My attempt to draw a rug pull

This part tries to give some skills and ammunition to those who are walking unarmed as of now against common scams that use social engineering. I hope to shed light on:

  • Where malicious developers target users
  • Where malicious users target users
  • Where malicious users target developers

In this context:

  • A developer would be someone that is building/selling something for the crypto community
  • A user is someone with individual interests in consuming products or interacting with a community
  • A malicious person is someone who is trying to coax you into performing an action that will end in a bad outcome for you (unexpected from your point of view) and a good for them (expected in their point of view)

A thing I’d like to point out is how being malicious in many contexts is about not disclosing information that will lead ultimately to someone’s loss (which is a basic mechanic of social engineering attacks)

Social Engineering is the art of breaking systems by manipulating people instead of hacking code. Kevin Mitnick (one of the idealizers of modern Social Engineering practices) is probably amazed by all the opportunities cryptocurrencies provide for social engineers to wreak havoc. Unfortunately, most of these opportunities when exploited will likely result in a huge loss of capital to individuals who don’t necessarily have tons of cash.

Where malicious developers target users

This type of scam comes in many different forms:

1. Developer releases a token that when bought by users can’t be sold (rigging a standard contract, in this case, ERC20)

The only way to be absolutely sure that a token can be sold after being bought requires viewing the contract’s source code to verify the token is not malicious.

Since most users are not coding auditors, the next best way is to find out whether the token has been audited by a reputable firm. You can find a list of reputable auditors on defisafety.com. Even if a project has not been audited, you can also use DefiSafety to find out what experienced DeFi users think of the token.

Worst case; you can test whether a token is sellable by buying the token with a very small amount of funds to see if you can sell it back. This should be used as an absolute last resort; contracts can be programmed to act nicely for small transactions, then to steal if you perform a larger transaction!

Since contracts can become mutable it’s nice to know why the devs designed it like this. If you don’t know how to check whether a contract is immutable, you can read the audit or ask in the community channels; someone from the community can probably help you with this (or the devs when they are legit).

2. Developer promises new tech that makes users buy their tokens and don’t deliver the promised tech

This one requires more knowledge of tech/products and on how software delivery functions to separate teams with empty promises and the ones that are actual builders:

  • Does the team change directions all the time? If it does, do they care to explain why to the community?
  • Is the overall project’s communication bad? If yes, does it looks intentional?

Groups of brilliant technical people often struggle with managing communities and the people side of things, bad communication does not always mean rug pull. In fact, sometimes the teams are just exhausted and they have difficulties re-establishing new expectations within the communities.

In the above case, the FUDers create excellent entry opportunities for experienced investors since prices go down even though the project tech delivery didn’t change at all. It would have never been delivered on the said date in the first place, the team sometimes is just bad at handling communication and development at the same time and rather focus on development

  • What did the team deliver already? How was their process of promising these past deliverables?
  • What do their social media sell?

Do they talk about their community achievements, released/upcoming features that look real (products are better when incrementally evolved, revolutions aren’t good for the product development process), and engage meaningfully with other protocols? Then they might be in for the long run! You should definitively join their community channels and engage with what they are doing, it gives them strength to keep going!

Do they sell “more money”? Long-lasting protocols and projects are not based on “buy my NFT because you’ll be rich”. Red Flag!

3. Developer releases a (maybe) legit project but decides to pull the rug on everyone because “fuck the community”

A project’s “rug-ability” is defined by many factors, here are some things to keep an eye on:

  • Are the developer team’s funds locked over time? Can the devs dump all their tokens on the market?
  • What are the incentives that the developers have to not delete social media and vanish? If the team is fully anon, is there anyone reputable backing this team?
  • Is this protocol that you are investing in known and respected by the community?

For example, at Yearn Finance at Fantom USD stables you can get up to 20% APY (annual percentage yield) today and the protocol is battle-tested, probably the lowest risk you can find around. But you can also ape in the newest shiny aggregator that has 69420% APY! The difference is that Yearn has way more liquidity in their pool and way less incentive to pull the rug on you.

Where malicious users target users

Besides malicious developers, we also have malicious users. Here is what they like to do:

1. Message you on closed channels

Since on open channels they’d be busted by the community. So Turn off DMs for discord you have no need to receive DMs from its users and prefer open channels over closed ones:

Disabling DMs from a Discord channel

DefiLlama would never DM you about an exclusive NFT offer. Those types of events in any project are always announced on official channels (we’ll talk more about flaws on this in the next section), developers don’t want to use marketing tactics that scammers use (since it makes them look like scammers and often they have a poor conversion of long-term users), so if all scammers are DMing people on discord linked for fake mints then legit devs will probably use other means of announcement to not confuse their potential userbase

On Telegram (or Discord too) if you ask on a protocol channel “hey I need help” someone will probably DM you telling you they are admin/mod/helpdesk. Guess what: those won’t DM you! DMs are mostly scams.

2. Sometimes they pretend to be the developer of a project.

Always verify the first time someone sent you a message that this is the real person

There are different ways to do this, simply go to the person’s official profile and click the “send private message” button from there (works on twitter and discord). This will guarantee that the chat opened is truly linked with that official profile and you didn’t oversee an l for an I (even skilled users may fall for an “l” that looks like an “I”).

Also, multimillionaire protocol teams would never reach you out for funds or for help to interact with a contract. They would probably rather open an entire DAO to gather funds before sending you a message for this, so always double-check when someone comes to you trying to pass themselves as some kind of authority.

3. Other times they pretend to need your help to get something done.

Please help people out, people need this in the space, but no one needs your secret recovery phrase to get help. You don’t have to send funds to help either. By simply giving attention and guidance to anyone that comes to your door you are already doing so much more than many people around the internet. If you want to trust people over the internet and send them your password or funds, you might actually be sending it to the politician you most hate in the world, so this is why I believe helping with information and education is the most efficient way to help people around without exposing yourself to weird risk.

Where malicious users target developers

On the above points is it’s either a developer screwing a community or an individual screwing another one. But in this third case here we’ll have a third party ruin an entirely “healthy” ecosystem, at many times at the cost of the developer’s reputation (which can be fixed in the long run) and also people’s wallet (which generates a huge riot from those who got rekt). Normally what we get in return from these cases is a hurtful DeFi security lesson (and many times this lesson was already learned in the past, in these cases it hurts even more and people get even madder)

Here are some ways things can go bad quickly:

1. A malicious user hacks a developer account and posts a scam link on the official channel

I honestly don’t know how to fully prevent this one. Since it comes from an authentic figure of authority it will probably wreck many people. The only thing the community can do here is demand good security practices from the dev team, for example: all admin/mods enable 2-factor. Recently a famous gaming project called Fractal had “373 of its members scammed out of a total of 800 in Solana cryptocurrency, worth $150,000” in a hack like this.

2. A malicious user hacks one of the protocol’s contracts and drains its funds

Your only safety here as a user is to put in DeFi money you can afford to lose, especially in new protocols, and split the risk accordingly. You can expose yourself to less risk by using protocols that are audited, but many hacks happen in protocols that are audited so they aren't hack-proof by any means: The 30m+ U$ recent Grim Finance hack in the Fantom network left many people with a bitter taste in their mouth. They were audited and most of the code was “battle-tested”, but new code got exploited.

Producer: Worms.

Thanks Ben for helping with part 1!

--

--