What Is a Rugpull? Tips on How To Avoid Them
12/17/2021

Rugpulls have turned into one of the most prolific types of scams seen throughout DeFi in 2021.

Whereas DeFi hacks involve an outsider exploiting a protocol, a project is said to have been rugpulled when its founders pull the rug out from under their investors by dumping all the tokens they control on the open market and abandoning the project. It’s a betrayal of the trust their investors have in the project.

One very common way that unscrupulous “founders” (scammers, really) pull off their rugpulls is by using the unique mechanisms of a decentralized exchange (DEX). To buy a token on a DEX, there needs to be at least one pair with sufficient liquidity for your purchase. When a project has just launched, nobody but the founders owns any tokens. For the token to rise in value, it needs to be bought up. So the founders will add their tokens to create a market on a DEX, for example SQUID/BNB on PancakeSwap. As their project gains attention and early investors buy up the SQUID tokens, the founders’ relative holdings of SQUID:BNB begin to shift towards the BNB side. They now own more of a real asset, and less of the ultimately worthless token they plan on rugpulling.

With the right mix of marketing hype and eager investors, token prices can shoot up extremely quickly. The Squid token appreciated 46,559,900% in less than a week, hitting a peak of $3,100 on November 1st after launching at just $0.006. When the founders think that they’ve made enough money, they dump the rest of their tokens on the market and claim all of the “real” asset it was being traded against. This craters the price and makes it very clear to investors what has happened. They’ve been left with a worthless token, while the founders have taken off with all the BNB or ETH or AVAX people bought their token with.

Needless to say, this cripples the faith that investors have in the project and discourages them from investing in others.

As this type of scam has become more widespread, legitimate projects have adopted some mechanisms to reassure their communities that they won’t do this. One of these methods is known as a timelock. Timelocks hold tokens in smart contracts for a predetermined period of time, where they can’t be accessed or sold. This is essentially a commitment from the founders that they won’t be dumping any of their holdings at least until the timelock expires, and hopefully that they’ll stay engaged with the project until then.
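The pool accounting described above can be worked through in a few lines. This is an added example, not code from CertiK or from any DEX: it assumes a fee-free constant-product pool (the Uniswap v2-style formula, reserve_token × reserve_bnb = k), and the `Pool` class, the `buyers_exit` function and all amounts are constructed for illustration. It shows how much BNB buyers can still sell into depending on how much of the liquidity is not held under a timelock.

```python
from dataclasses import dataclass

@dataclass
class Pool:
    """Fee-free constant-product pool: token * bnb stays constant across swaps."""
    token: float
    bnb: float

    def price(self) -> float:
        return self.bnb / self.token          # BNB per token

    def buy(self, bnb_in: float) -> float:
        k = self.token * self.bnb
        self.bnb += bnb_in
        out = self.token - k / self.bnb       # tokens leaving the pool
        self.token -= out
        return out

    def sell(self, token_in: float) -> float:
        if self.token == 0 or self.bnb == 0:
            return 0.0                        # no liquidity left to sell into
        k = self.token * self.bnb
        self.token += token_in
        out = self.bnb - k / self.token       # BNB leaving the pool
        self.bnb -= out
        return out

    def withdraw(self, share: float) -> float:
        """The LP owner removes `share` (0..1) of both reserves; returns BNB taken."""
        taken = self.bnb * share
        self.token *= 1 - share
        self.bnb -= taken
        return taken

def buyers_exit(unlocked_lp_share: float) -> dict:
    """BNB that buyers can recover once the unlocked liquidity has been removed."""
    pool = Pool(token=1_000_000.0, bnb=10.0)  # constructed launch liquidity
    launch = pool.price()
    bought = pool.buy(90.0)                   # constructed: buyers pay 90 BNB in total
    peak = pool.price()
    removed = pool.withdraw(unlocked_lp_share)
    recovered = pool.sell(bought)             # every buyer tries to exit
    return {"price_multiple": peak / launch, "bnb_removed": removed,
            "bnb_recovered": recovered}

if __name__ == "__main__":
    for share in (0.0, 0.75, 1.0):
        print(share, buyers_exit(share))
```

With all liquidity locked the buyers can collectively sell back into the full 90 BNB they paid; with none locked the same 100x price rise leaves them nothing to sell into.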

There are a number of things to watch out for that may alert you to the possibility of a project being a rugpull in the making.

1. Yields Are Too High

While astronomical yields are not unheard of in crypto, they rarely last more than a day or two at best. This is most often when a project has just been launched and there is high demand for liquidity on a DEX. Usually, this yield gets eaten up very quickly. If it persists for too long, something’s suspicious.

2. Creators Remain Anonymous

While there is a strong tradition of anonymous developers in crypto (e.g. Satoshi Nakamoto), you should stop and ask yourself why the developers of a certain project are choosing to remain anonymous. Are they working in a country where the revolutionary product they’re creating may attract unwanted attention, or are they preparing for their upcoming exit scam?

3. Coin Prices Skyrocket

If the price of the token skyrockets before there have been any real developments with the overall project, it’s worth considering why this might be. In the case of the Squid Games rugpull, buyers found that they were unable to sell their tokens after purchasing them. This was called an “anti-dump mechanism” in the whitepaper, but all it did was force buyers to bear the full cost of the founders’ rugpull.

4. Extensive Marketing Tactics

If relentless marketing makes up 90% of the project’s activity on Twitter or Telegram, that’s a potential red flag. Marketing is important once you’ve got a working product to raise awareness about, but shilling a token that has no meaningful function is not marketing, it’s scamming.

5. No Liquidity Lockup

We discussed timelocks earlier. While they’re not necessarily a completely failsafe mechanism, you should ask the team behind the project you’re considering investing in why they would choose not to use one.

Once you’ve scoped out a project and determined if it exhibits any of the red flags above, what else can you do to be confident with your decision to invest?

Check liquidity

A great tool to monitor the liquidity of trading pairs on decentralized exchanges is the new Liquidity tab on the Security Leaderboard. Click on any project’s page and scroll down to the Insights section, where you will find a breakdown of a token’s liquidity metrics across PancakeSwap, Uniswap, and SushiSwap.

SHIB’s Liquidity Metrics

As you can see, one whale controls nearly a quarter of the liquidity of the SHIB/WETH pair, SHIB’s largest DEX market. This isn’t necessarily a cause for concern, but it is worth keeping an eye on if you’re a long-term SHIB holder.
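The same liquidity check can be scripted once you have a pair's LP token holders from a block explorer or indexer. This is an added example, not CertiK's tooling: the `LpHolder` record, the holder list and both thresholds (a 180-day minimum lock and a 20% single-holder share) are assumptions chosen for illustration. It combines the timelock question with the concentration question by reporting how much of the liquidity could be withdrawn soon and by whom.

```python
from dataclasses import dataclass
from typing import Optional

DAY = 86_400
NOW = 1_700_000_000  # constructed "current" UNIX time for the sample

@dataclass
class LpHolder:
    address: str                       # placeholder label, not a real address
    lp_balance: float                  # LP tokens of the pair held here
    unlock_time: Optional[int] = None  # when a timelock releases; None = no lock
    burned: bool = False               # LP tokens sent to a burn address

def assess_liquidity(holders, now, min_lock_days=180, whale_share=0.20):
    """Share of the pair's liquidity that can be withdrawn soon, plus red flags."""
    total = sum(h.lp_balance for h in holders)
    if total <= 0:
        return {"withdrawable_share": 0.0, "top_share": 0.0,
                "flags": ["pair has no liquidity"]}
    horizon = min_lock_days * DAY
    # Committed = burned, or locked for at least min_lock_days from now.
    free = [h for h in holders if not h.burned
            and (h.unlock_time is None or h.unlock_time - now < horizon)]
    top = max((h.lp_balance for h in free), default=0.0) / total
    flags = []
    if not any(h.burned or h.unlock_time is not None for h in holders):
        flags.append("no liquidity lockup")
    if any(h.unlock_time is not None for h in free):
        flags.append(f"a lock releases within {min_lock_days} days")
    if top >= whale_share:
        flags.append(f"one holder can withdraw {top:.0%} of the liquidity")
    return {"withdrawable_share": sum(h.lp_balance for h in free) / total,
            "top_share": top, "flags": flags}

def sample_holders(now=NOW):
    """Constructed LP holder list for one pair (all values invented)."""
    return [
        LpHolder("LOCKER_CONTRACT_PLACEHOLDER", 60.0, unlock_time=now + 365 * DAY),
        LpHolder("WHALE_PLACEHOLDER", 24.0),
        LpHolder("TEAM_LOCK_PLACEHOLDER", 10.0, unlock_time=now + 10 * DAY),
        LpHolder("SMALL_HOLDER_PLACEHOLDER", 6.0),
    ]

if __name__ == "__main__":
    print(assess_liquidity(sample_holders(), NOW))
```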

Review GitHub, Whitepaper, and Social Media Channels

A strong project that is actively growing should have recent commits on GitHub. The whitepaper should be clearly written and it should define the problem the project is aiming to solve and how it will do so. Social media channels should advertise the project truthfully – and ideally without any mention of the token’s price.

Confirm Team Credibility

Are the founders anonymous, or are they doxxed – i.e. publicly identified? Bitcoin has an anonymous founder, but this is a major strength for the original cryptocurrency that aims for true decentralization.

When you’re trusting your money to a group of people working on a product rather than to an almost-unhackable consensus algorithm, it’s safer to know exactly who those people are.

As the crypto space gains credibility, there are more and more big names throwing their hats into the arena, including pioneers of Web 2 and professors of computer science such as Avalanche’s Emin Gün Sirer and CertiK’s own founders.

Respected founders who are willing to put their reputation on the line give their project a major boost in trustworthiness.