What is a Rug Pull? DeFi Scams Explained

The rug pull is the most common crime in crypto, with more than 300,000 scam tokens created and 2 million investors defrauded. This is greater than the number of investors harmed by the collapses of FTX, Celsius, and Voyager combined.

But what is a rug pull, exactly? And how do they work?

What is a rug pull?

A rug pull is when a scammer creates a new cryptocurrency, convinces users to invest in it, and then liquidates their holdings abruptly, leaving investors with tokens worth nothing.

How do scammers pull the rug?

Crypto scammers pull the rug in one of two ways: by programming their token to steal from investors, or by promoting their token to steal from investors.

• A DeFi scam is when a scammer programs a crypto token's underlying smart contract to pull the rug out from under investors. DeFi scammers may modify their token’s smart contract to make it impossible to sell the token, to allow the scammer to mint unlimited new ones, or to charge exorbitant trading fees, for example.
• An exit scam is when a scammer aggressively promotes a token before pulling the rug out from under investors. Exit scammers may create fraudulent marketing websites, announce fake partnerships, or use bots to wash trade.

The scam that steal the most investor funds the fastest tend to be both maliciously programmed and promoted. The fraudsters behind the Squid Game token, for example, programmed the $SQUID token to include a honeypot exploit and created a marketing website and white paper to promote it. Within days of $SQUID’s release, it had netted its creators over $3 million.

DeFi scams

Solidus Threat Intelligence sorts all DeFi scams into one or more of the following exploits:

• Honeypots prevent buyers from re-selling their tokens.
• Hidden mints allow developers to create unlimited new tokens.
• Fake ownership renunciations let tokens' developers hide the fact that they can call sensitive functions.
• Hidden balance modifiers let developers edit users' balances.
• Hidden fee modifiers let developers establish sell fees as high as 100%.
• Hidden max transaction amount modifiers let developers set maximum transaction values as low as zero.
• Hidden Transfers let developers transfer tokens from users to themselves.

Below, we compare the number of rug pulls executed by exploit type.

Crypto rug pull example: The "Dictionary" DeFi Scammer

The dictionary scammer is a serial fraudster who has deployed over 9,000 scam tokens across three different blockchains – Ethereum, BNB Chain, and Polygon. We refer to them as the dictionary scammer because they use dictionary words for the variable names in their tokens’ constructor and transfer functions.

In the source code of SafeUkraineInu, for example, the dictionary scammer uses variable names like shirt, uncle, herd, and ice, which rarely appear in ERC-20 token contracts.

The source code of each token deployed by this scammer has been edited to enable two exploits at once: a honeypot and a hidden mint. This means that 1) the buyers of these tokens are blocked from reselling them, and 2) at any time, the dictionary scammer can mint any number of new tokens — even a number exceeding that token's declared maximum supply. 

The name of each token is also clearly designed to trick investors. SafeUkraineInu, for example, impersonates the legitimate donation token Ukraine Inu, and its ticker, $SUI, is identical to that of the more popular Sui token, which has the same symbol.

The dictionary scammer’s entire rug pull process is visible on the blockchain. The typical steps in this process are:

1. The scammer deploys the scam token
2. The scammer pairs either Ether (ETH) or Binance Coin (BNB) with this token in a Uniswap or PancakeSwap liquidity pool
3. The scammer waits for users to swap ETH/BNB for this token 
4. The scammer mints an absurdly large number of new tokens — often more than 100x this token’s original supply
5. The scammer swaps those tokens for ETH/BNB, draining the liquidity pool and making a 0.1 - 5 ETH profit per rug pull

Exit scams

In a crypto exit scam, a scammer creates a regular token – no programmatic exploit included – but then promotes that token fraudulently, only to abscond with investors’ funds. This can be either a fungible token (e.g. an ERC-20 token), or a non-fungible token (e.g. an ERC-721 NFT).

Prior to pulling the rug, exit scammers may hype up investor interest in a number of ways. They may:

• Create misleading marketing websites
• Announce partnerships that do not exist
• Assert untrue claims about their development team or backers
• Give themselves token allocations well beyond what they claim to own in public
• Engage in wash trading to artificially inflate their token’s price and/or volume
• Use bots to spam positive sentiment about the token on platforms like Twitter, Discord, Reddit, Signal, and Telegram

These actions represent calculated attempts to defraud investors. Criminal prosecutors have taken note.

Crypto rug pull example: The FLiK token exit scammer

When fraudsters have been caught pulling exit scams, they have been convicted of crimes like money laundering, securities and wire fraud. The Atlanta film producer Ryan Felton, for example, plead guilty to twelve counts of wire fraud, ten counts of money laundering, and two counts of securities fraud after executing two 2018 exit scams — FLiK and CoinSpark.

The U.S. Attorney’s Office of the Northern District of Georgia’s press release announcing the convictions read:

Felton falsely represented to investors that a prominent Atlanta rapper and actor was a co-owner of FLiK, the United States military had agreed to distribute the streaming platform to service members, and FLiK was finalizing licensing deals with major film and television studios. In reality, the rapper had no role in the company beyond authorizing a promotional social media post, FLiK had no military contract, and Felton never had discussions with any studio about licensing content. Felton further claimed that he was actively developing the platform and would use all funds raised in the ICO to launch FLiK. After the ICO closed, Felton dumped more than 40 million FLiK coins on trading markets, causing the value of FLiK coins to plummet.

This case shows that U.S. prosecutors are both willing and able to convict exit scammers. This may soon become true of smart contract scammers, too.

Rug pull trends for 2023

Fraudsters created over 212,000 scam tokens between September 2020 and January 1st, 2022. This includes over 83,000 scams in 2021 and 125,000 scams in 2022.

This dwarfs previous industry research that identified only 24 rug pulls in 2021 and just 262 in 2022. It also reveals that a staggeringly high percentage of Ethereum and Binance Smart Chain tokens are programmed to steal from investors. Eight percent of all Ethereum-based ERC-20 tokens are designed to pull the rug, and 12% of all Binance Smart Chain-based BEP-20 tokens are  rug pulls.

In our inaugural Rug Pull Report, we analyze crypto's rug pull problem in even more detail, using original research and case studies to explain how Solidus Labs detects and deters rug pulls at scale. Download your copy today.