8 Potential Warning Signs of a Rug Pull

Immunefi
4 min read · Jul 22, 2021

Rug pulls are by far the most common type of fraud in DeFi, and they evolved out of the exit scams of the ICO craze.

According to CipherTrace, exit scams and rug pulls accounted for 99% of all DeFi fraud cases in 2020. In fact, based on what we’ve heard from the DeFi users we’ve spoken with, the dreaded rug pull is one of the biggest worries that keeps them up at night, tossing and turning, wondering if their hard-earned money is all going to vanish in an instant, stolen by malicious developers.

The prospect of losing everything you’ve invested is terrifying, and worse, it happens all the time. That’s why we’re going to talk about how you, the user, can look for certain signs that a project may rug-pull its users, because we believe that providing educational resources is important for the DeFi community. Security is the most important bottleneck in DeFi right now, and it’s holding the industry back from scaling effectively.

Now, it’s crucial to emphasize that the below signs are heuristics and shouldn’t be thought of as ironclad absolutes. Some projects may exhibit these signs and still be perfectly legitimate. Even if a project displays a lot of these signs, it may still be legitimate, but at that point, it’s probably worth a much closer look. The more red flags there are, the more you have a right to be cautious and even suspicious. It’s your money on the line, after all. We want to empower you to make good decisions.

But what exactly is a rug pull?

Rug pulls can be divided into hard, soft, and fake.

A hard rug pull is when a developer or set of developers includes a backdoor in the protocol codebase that allows them to easily drain user funds locked up in smart contracts and cash out. Sometimes a single developer goes rogue and takes advantage of a known or unknown backdoor in the protocol. Other times, all the developers are in on it. Sometimes the backdoors are obvious, as are the rug pulls themselves when they’re executed on-chain. Other times, the backdoors are cleverly disguised (just like traditional malware when it infects your computer), and user funds are drained slowly or through non-obvious means.

A soft rug pull is when developers simply dump all their tokens and abandon the project, crashing the token price and leaving the project dead in the water. This case is more controversial because there’s technically no direct theft of user funds at all, and developers may be within their rights to dispose of their shares of the tokens as they see fit, if there’s no lock. It’s important to look at developer token distributions and protocol governance to determine what developers are allowed and not allowed to do with their tokens.

A fake rug pull isn’t a rug pull at all. Normal market activity frequently causes major fluctuation in token prices or returns on yield farming, and this leads to users making some big accusations against developers out of disappointment and frustration. But these accusations aren’t based in any reasonable definition of the term “rug pull”, and users should exercise responsibility by using the term with care. It’s not a trivial accusation.

So, what are the signs the protocol you’ve invested in may suffer a rug pull?

  1. A project loudly proclaims that it’s been audited by a reputable firm when it’s either not true or the audit is still ongoing. In other cases, the audit may exclude large parts of the codebase. This is a definite red flag, because at minimum it shows blatant disregard for the truth. If a team is willing to lie about an audit to persuade users to ape into their protocol with lots of cash, it’s an indication that they may be willing to do other unethical things, such as stealing all your funds.
  2. There are a lot of centralized, owner-only functions through which a single key can move around any and all tokens held by the protocol.
  3. A broken website or dead and inactive social media channels. Are the developers active? Do they respond to questions and fix bugs? Do they put effort into the community?
  4. APY or APR that is suspiciously high. Sometimes the APY is legitimate. Other times, it’s just a way to lure apes into throwing their money at a protocol that is about to get rugged.
  5. Token distribution that is incredibly centralized and not locked, for example a few developer and/or whale wallets controlling 45% of the supply. If it’s an ERC-20 token, you can check the distribution on Etherscan by opening the token’s page, navigating to the ‘Holders’ tab, and clicking the ‘Token Holders Chart’ button; the chart for Uniswap’s token is a useful reference point. If it’s a token on Binance Smart Chain, you can check the distribution on BscScan.
  6. Does the project have a reasonable use case, or is it just a pure fork by amateur developers with some new branding slapped on top?
  7. Mass muting or banning of users who bring up legitimate concerns with the protocol.
  8. The community wants the project to set up a bug bounty, but the project doesn’t want any distributed, ongoing code review whatsoever. Why? Because it might just find backdoors.
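Warning sign 2, and the backdoor behind a hard rug pull, can be partially checked even when the source is not verified: a contract’s runtime bytecode (fetched with the eth_getCode JSON-RPC call) contains a dispatcher that compares the calldata selector against every public function’s 4-byte selector using PUSH4. The Python script below is an added example, not Immunefi’s code or a tool the post describes. It walks the bytecode opcode by opcode, collects the PUSH4 operands, and flags those that belong to well-known privileged entry points (minting, pausing, ownership transfer). The selector table is hard-coded so the script runs without a keccak library, and the sample bytecode is constructed by hand rather than taken from a deployed contract.

```python
"""Selector scan of EVM runtime bytecode (added example, not Immunefi's code).

Runtime bytecode comes from the eth_getCode JSON-RPC call; here a small
dispatcher is constructed by hand so the script runs offline. A Solidity
dispatcher compares the calldata selector against each public function's
selector using PUSH4 (opcode 0x63), so collecting PUSH4 immediates recovers
the contract's external interface even without verified source.
"""
from __future__ import annotations

# keccak256(signature)[:4] for well-known ERC-20 / Ownable / Pausable entry
# points, hard-coded so no keccak library is needed.
SELECTORS = {
    "a9059cbb": "transfer(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
    "095ea7b3": "approve(address,uint256)",
    "70a08231": "balanceOf(address)",
    "18160ddd": "totalSupply()",
    "8da5cb5b": "owner()",
    "f2fde38b": "transferOwnership(address)",
    "715018a6": "renounceOwnership()",
    "40c10f19": "mint(address,uint256)",
    "8456cb59": "pause()",
    "3f4ba83a": "unpause()",
}

# Entry points that let a single key change supply, freeze transfers or hand
# the contract to another key. Presence is a reason to read the source and
# check who holds the owner key, not proof of a backdoor.
PRIVILEGED = {"40c10f19", "8456cb59", "3f4ba83a", "f2fde38b"}


def push4_immediates(code: bytes) -> list[str]:
    """Walk the bytecode opcode by opcode and collect PUSH4 operands.

    Honouring the length of every PUSH1..PUSH32 matters: a plain substring
    search would also "find" selectors inside PUSH32 constants or the CBOR
    metadata Solidity appends, and report functions that do not exist.
    """
    found: list[str] = []
    i = 0
    while i < len(code):
        op = code[i]
        if 0x60 <= op <= 0x7F:                # PUSH1 (0x60) .. PUSH32 (0x7F)
            width = op - 0x5F
            if op == 0x63 and i + 1 + width <= len(code):
                found.append(code[i + 1 : i + 1 + width].hex())
            i += 1 + width                    # skip the immediate data
        else:
            i += 1
    return found


def classify(bytecode_hex: str) -> dict[str, list[str]]:
    """Bucket the selectors found into privileged, other known, and unknown."""
    code = bytes.fromhex(bytecode_hex.removeprefix("0x"))
    report: dict[str, list[str]] = {"privileged": [], "known": [], "unknown": []}
    for sel in dict.fromkeys(push4_immediates(code)):   # de-duplicate, keep order
        sig = SELECTORS.get(sel)
        if sig is None:
            report["unknown"].append(sel)
        elif sel in PRIVILEGED:
            report["privileged"].append(sig)
        else:
            report["known"].append(sig)
    return report


# Constructed dispatcher (not a deployed contract). The final PUSH32 constant
# deliberately contains the bytes "63715018a6", which a naive search would
# misread as PUSH4 renounceOwnership().
SAMPLE_BYTECODE = "".join([
    "6080604052",                # PUSH1 0x80 PUSH1 0x40 MSTORE
    "60003560e01c",              # PUSH1 0 CALLDATALOAD PUSH1 0xe0 SHR
    "8063a9059cbb1461010057",    # DUP1 PUSH4 transfer  EQ PUSH2 0x0100 JUMPI
    "806340c10f191461020057",    # DUP1 PUSH4 mint      EQ PUSH2 0x0200 JUMPI
    "80638456cb591461030057",    # DUP1 PUSH4 pause     EQ PUSH2 0x0300 JUMPI
    "80638da5cb5b1461040057",    # DUP1 PUSH4 owner     EQ PUSH2 0x0400 JUMPI
    "7f63715018a6" + "00" * 27,  # PUSH32 <32-byte constant>
    "00",                        # STOP
])

if __name__ == "__main__":
    result = classify(SAMPLE_BYTECODE)
    for bucket, items in result.items():
        print(f"{bucket:>10}: {items}")
    print("naive substring search also sees renounceOwnership():",
          "63715018a6" in SAMPLE_BYTECODE)
```

Two caveats a practitioner should keep in mind. If the address is an upgradeable proxy, its bytecode shows little more than a delegatecall and the implementation contract has to be fetched and scanned separately (and can be swapped later by whoever controls the proxy). And a selector scan only exposes the external interface: a hidden fee, blacklist or balance rewrite buried inside an internal transfer path does not get its own selector, so verified source review, and a look at who holds the owner key, are still required.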
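Warning sign 5 is a concentration check, and the raw holders chart can mislead in both directions: burn addresses, vesting contracts and liquidity lockers inflate the apparent concentration of supply that cannot move, while team tokens measured against total supply look smaller than they are against the supply that actually trades. The Python below is an added example, not code from the post; it measures top-N and team shares against unlocked supply only. Holders, labels and balances are constructed for the example, the labels (team, burn, locker) are assumed to come from your own research rather than the explorer, and the 45% threshold is the figure from the list above.

```python
"""Token-holder concentration check (added example, not Immunefi's code).

Input mirrors what a block explorer's holders tab exposes: address and
balance, plus whatever label you can attach from your own research (team
wallet, burn address, liquidity locker). All data below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Holder:
    address: str
    balance: int       # in the token's base units
    label: str = ""    # "" for unlabelled / retail wallets


# Labels whose balances cannot be sold right now; they are excluded from the
# denominator so the check measures concentration of *unlocked* supply.
LOCKED_LABELS = {"burn", "vesting", "locker", "timelock"}
TEAM_LABELS = {"team", "dev"}


def _share(part: int, whole: int) -> float:
    return part / whole if whole else 0.0


def concentration(holders: list[Holder], top_n: int = 5) -> dict[str, float]:
    """Return team and top-N shares measured against unlocked supply, plus the
    naive team share against total supply that a raw holders chart suggests."""
    total = sum(h.balance for h in holders)
    unlocked = [h for h in holders if h.label not in LOCKED_LABELS]
    unlocked_total = sum(h.balance for h in unlocked)
    ranked = sorted(unlocked, key=lambda h: h.balance, reverse=True)
    team_unlocked = sum(h.balance for h in unlocked if h.label in TEAM_LABELS)
    team_all = sum(h.balance for h in holders if h.label in TEAM_LABELS)
    return {
        "unlocked_fraction": _share(unlocked_total, total),
        "top_n_share": _share(sum(h.balance for h in ranked[:top_n]), unlocked_total),
        "team_share_of_total": _share(team_all, total),
        "team_share_of_unlocked": _share(team_unlocked, unlocked_total),
    }


def red_flags(report: dict[str, float], threshold: float = 0.45) -> list[str]:
    """Apply the article's 45% rule of thumb to the unlocked-supply figures."""
    flags: list[str] = []
    if report["top_n_share"] > threshold:
        flags.append(f"top holders control {report['top_n_share']:.0%} of unlocked supply")
    if report["team_share_of_unlocked"] > threshold:
        flags.append(f"team wallets control {report['team_share_of_unlocked']:.0%} of unlocked supply")
    return flags


def _addr(n: int) -> str:
    """Constructed, well-formed but meaningless 20-byte address."""
    return "0x" + f"{n:040x}"


# Constructed holder table: 1,000,000 tokens total, half of it burned or locked.
CONSTRUCTED_HOLDERS = [
    Holder(_addr(0xDEAD), 300_000, "burn"),   # sent to a burn address
    Holder(_addr(1), 200_000, "locker"),      # LP tokens in a time-lock
    Holder(_addr(2), 120_000, "team"),
    Holder(_addr(3), 100_000),                # unlabelled whale
    Holder(_addr(4), 80_000, "team"),
    Holder(_addr(5), 50_000),
    Holder(_addr(6), 50_000),
    Holder(_addr(7), 50_000),
    Holder(_addr(8), 50_000),
]

if __name__ == "__main__":
    rep = concentration(CONSTRUCTED_HOLDERS)
    for key, value in rep.items():
        print(f"{key:>24}: {value:.1%}")
    for flag in red_flags(rep):
        print("RED FLAG:", flag)
```

On the constructed data the team looks like it holds 20% of the token, but 40% of what can actually be sold, and the top five unlocked wallets hold 80%. The figure is a floor, not a ceiling: one entity can spread its holdings over many unlabelled wallets, so an unconcentrated chart does not prove a distributed supply, while a concentrated one is a reason to dig further.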

There’s no doubt that there are other good warning signs of a rug pull out there, and this is not an exhaustive list. Remember, DeFi is a brand new field. While there are plenty of whitehats and good actors in the wild who run services and tweet when they see suspicious activity, ultimately the responsibility rests on your shoulders to be proactive and to assess and invest smartly.

There’s no central authority in DeFi, and once that money is gone, it’s usually gone for good, so make sure to keep an eye out for these signs and come to your own conclusions.

P.S. Hackers subscribed to our newsletter are 35.8% more likely to earn a bug bounty. Click here to sign up.

Immunefi

Immunefi is the premier bug bounty platform for smart contracts, where hackers review code, disclose vulnerabilities, get paid, and make crypto safer.