Rugpulls are notorious for being the bane of any new crypto investor trying to make it big. CertiK's data shows that the attack remains the most popular hack for scammers, with $6.3 million in crypto assets exfiltrated in April alone.
Honest and worthwhile projects will go to great lengths to reassure their users that they are not rugpulls by soliciting smart contract audits, implementing practices such as timelocks, and having transparency about their team. However, both novices and seasoned pros continue to get caught out by the bad faith projects.
Alongside security tools that promote accountability and transparency such as smart contract audits and CertiK KYC, strong De-Fi security is built on a well-educated user base. To that end, this article will take you through the two main kinds of rugpulls: the soft and the hard, with the aim for better equipping our readers for navigating the exciting yet fraught world of crypto security.
What is a Rugpull?
A rugpull describes when a (malicious) team drains a project of its funds after luring users to invest through marketing and hype building. Information abounds on how to spot rugpulls : including looking out for anonymous creators, no liquidity lock-ups, astronomical yields, and a suspicious lack of any smart contract audit. The vast majority of rugpulls occur on decentralized exchanges, as these platforms allow projects to issue tokens for free, and without any code auditing such as a smart contract audit.
What you may not know is that there are different kinds of rugpulls. Read on to find out more.
Hard Rugpull
A hard rugpull is likely what you are most familiar with. It occurs when a project's team suddenly withdraws the funds from a project after garnering a significant amount of investment from their community.
Often, a hard rugpull will be executed through the use of a malicious backdoor coded into the project from its inception. Once the price of a project's token has reached a level that the team is happy with, they will execute the rugpull and exit through the backdoor. The clearest sign of a hard rugpull is a price charts that suddenly drops off a cliff. However, by that point, there is nothing investors can do but count their losses. Other clear indicators of a rugpull are the deletion of official channels of communication such as a website, or Twitter and Telegram channels.
Perhaps what hurts most about falling prey to these rugpulls is that such malicious backdoors could easily have been spotted in a smart contract audit. That's why we strongly urge anyone looking to buy tokens in any blockchain based project to do their due diligence and investigate the project thoroughly. If it hasn't had a smart contract audit and Certik KYC verification, proceed with extreme caution!
Since the emergence of De-Fi, the most common hard rugpull by far is liquidity stealing. Liquidity stealing takes advantage of the ability to stake a cryptocurrency in a liquidity pool on a decentralized exchange. First, founders will list their new token in a pair with an established token such as ETH. Then, they will hype the token and attract investment into the liquidity pool to drive the price up. After enough positive price action, founders will then dump their token supply onto the market and claim all the real assets it was traded with, leaving behind a worthless token. With the price of the token in freefall, it becomes apparent that the project has been rugpulled, and investors are left with nothing but their head in their hands.
A third, malicious way that projects conduct rugpulls is by coding in limitation of a user's ability to sell their tokens. By locking users into the project in this way, they are essentially held captive by the project's founders until they see fit to dump the tokens and depart. The notorious SQUID token rugpull is a classic example of this kind of scam. In the SQUID rugpull, founders were able to drive the price of their token up to over 75,000%, before dumping the token at a high of just over $2,860. Again, a smart contract audit would have helped here. By thoroughly investigating the code line by line, smart contract audits reveal any underhand tricks designed to defraud investors.
Soft Rugpull
In contrast to a hard rugpull, a soft rugpull is a less noisy, more subtle way for founders to scam their community. In a soft rugpull, rather than dumping all of the tokens in the project, founders will simply dump only their tokens whilst maintaining a front to their community that they are still invested in and are supporting the project.
Soft rugpulls are at once easy to do, and difficult to detect. They require no complicated coding to execute and, without transparency around the project's founders, it is extremely difficult for users and investors to know what is going on. It's simple really, founders just up and (quietly) leave a project, leaving their communities waiting around anticipating big promises and developments that will never come. Frustratingly, whilst deeply malevolent, a soft rugpull is technically not illegal in the open shut way that a hard rugpull is as the project is technically still ongoing.
For an example, take the once leading yield farm Polywhale Finance. Polywhale's price plummeted after its team abandoned the project, however not before they withdrew over $1million in tokens.
Frustratingly, no smart contract audit can help detect a soft rugpull as it is a bad faith decision on the part of the founders that is not revealed in the code. Whilst a more comprehensive audit that provides KYC checks on the project's team would go some way to helping users choose the right projects to invest in and hold bad founders more accountable, even with such checks there can be no guarantee that founders would stay loyal to their projects. Because of this, it is important that users check for signs that a project is the real deal by looking for genuine development in the project over time.
Lastly, as is often the case with blockchain projects, points of increased centralization in a project's structure, both organizationally and technologically, are often used as opportunities for attack, and this is true whether the attacker comes from the inside of a project or the outside. This is key for investors to keep in mind when researching a project; centralization does not mean that a project is a rugpull, but if and when a rugpull happens, you can bet it will be done so through a centralized means. This is true for hard forks, where privileged access to malicious smart contracts provides a back door, and it is true for soft forks where the concentration of power and tokens in founders' hands allows them to profit by abandoning their investment.
At CertiK, we track a lot of different hacks, but one thing that stays constant is rugpulls. It will always be the downside of any technology as revolutionary as blockchain, that with all the genuine development you get scams and fraudulent behavior. With so many projects haranguing you to back them, it can be hard to cut through the noise and tell the good from the bad. This is why smart contract audits, as well as KYC services, are so vital for blockchain security.
