are a thorn in the side of risk-taking investors eager to get in early on the hottest projects before they go big. This type of scam is proliferating these days due to the deafening hype around decentralized finance (DeFi), non-fungible tokens (NFTs), various metaverses and the promise of riches.
This is exacerbated by the crypto industry’s lack of regulation, sometimes misplaced faith in anonymous teams and the general demographic of crypto users, which consists mostly of millennials and Gen Zs with excess funds, little fundamental understanding of crypto and often lacking real drive or incentive to learn the technical intricacies of blockchain technology. This is not a description of every crypto investor, but it does describe many of them!
CipherTrace has reported that DeFi hacks reached a whopping $361 million from January to July 2021, nearly a three-fold increase from 2020 data (and accounting for nearly 77% of all crypto-related hacks).
However, a rug pull doesn’t require a bad actor to hack a protocol or anything. In fact, they simply need to pull the proverbial rug from under investors that they’ve lured in with promises of lucrative returns and disappear with their funds quickly.
If you want to dabble in crypto, especially DeFi, it is extremely important that you learn how to spot a rug pull, because once your funds are stolen, it’s almost impossible to recover them. And unlike some centralized exchanges, most DeFi platforms do not offer insurance for losses.
A rug pull is primarily a specific type of DeFi exit scam where malicious project teams “pull out” the liquidity of their tokens and disappear with investors’ money.
A rug pull may also refer to exit scams in other blockchain sectors, like NFTs. In these cases, project founders disappear sometime after investors mint their NFTs.
In a rug pull, the scammers first generate a token and create some hype around it through marketing tactics, mostly via Twitter and Telegram. They then list it on a decentralized exchange (DEX), usually paired with another popular token like ETH. At this stage, they are likely to inject substantial liquidity into their pool and ramp up marketing efforts in order to attract significant exit liquidity from buyers.
This is the time when unsuspecting investors buy their tokens in hopes of making crazy gains. Once the scammers are satisfied with the number of tokens bought, they will drain the pool’s liquidity (usually ETH, BNB or SOL) and leave only their worthless scam tokens. In many cases, investors will also be incentivized to deposit liquidity into the token’s pool, which requires buying the token pair.
This is generally how a rug pull is executed in DeFi, albeit with a few variations and extra steps.
For example, let’s say you bought the hypothetical RUG token from UniSwap. Instead of just holding on to your RUG, you want to take advantage of their 1,000% APY by becoming a liquidity provider for the RUG-ETH pool. You then buy an equal amount of ETH, pair it with your RUG, and deposit them both in the pool to earn yield. When the rug is pulled, you lose not only your ETH, but also the ETH you used to buy RUG, which will be rendered worthless.
NFT Rug Pulls
In the non-fungible token (NFT) space, it’s even harder to determine a potential rug since several projects like Bored Ape Yacht Club have launched with pseudonymous founders, yet turned out to be successful. However, careful due diligence can still go a long way to prevent being hoodwinked.
Liquidity Has No Time Lock
A time lock on a token pool’s liquidity is the most surefire way for teams to build public trust in their project, as it eliminates the possibility of them making away with investor funds. Note that most of the liquidity needs to be locked (preferably 95-100%) with a long time horizon. Unfortunately, determining whether liquidity is locked may be too technical for the average crypto joe.
Your best bet is to ask the developer team in the Discord or Telegram group to provide proof of locked liquidity.
If they can do so, then that’s a good sign — but don’t take anything at face value. If you know someone who has relevant DeFi development experience, ask them to help you verify if a project’s liquidity is locked.
Anonymous or Fake Founders
Anonymity gives malicious developers a shield that protects them from accountability, which provides a lot of opportunities to pull off a rug. While Bitcoin’s founder may have been anonymous, Satoshi never asked anyone to buy Bitcoin, only to mine it. In DeFi, projects ask you to put your hard-earned money in their hands, which makes it extremely important that their real identities are attached to the project.
You need to check the founders’ social media accounts to determine whether their identities are verified and that their records are not fabricated. Some teams are clever in hiding their anonymity by creating fake LinkedIn or Twitter profiles, which requires you to determine how solid and reliable their information is. If they have little to no interactions relative to their followers/connections, that’s already a bad sign. Moreover, if their follower count is extremely low, then that could also be a red flag.
Anonymous founders are even more prevalent in the NFT space, where they can raise several million dollars worth of crypto with nothing but a picture of an ape (or other animals) and a haphazard Discord group setup. In this case, you’re either going to have to take a bigger gamble or use other metrics to spot a potential rug pull.
Unrealistic Projected Returns on Investment
If something is too good to be true, chances are it is. Scam DeFi projects more often than not claim to offer high rewards, ranging from 500% to 5,000% APY, since they need high liquidity to run their operation. Your common sense will come in handy in determining ROI figures that are unsustainable.
A genuine crypto project must have its smart contracts audited by an independent security firm, preferably before they list their token or allow investors to gain exposure. Other projects may deviously postpone the auditing process, but put it somewhere in the roadmap to give investors unwarranted confidence. An unaudited smart contract could hide bugs that allow the founders, or someone else, to steal user funds through a backdoor.
Furthermore, investors should check the audit report themselves. Some projects just indicate that they’ve been audited, which can delude investors. For all you know, an audit report might reveal the con artist’s planned exit route if you look closely.
Unfortunately, smart contract auditing is expensive enough that many projects, including legitimate ones, can’t afford it. In such a case, you can alternatively check independent auditing websites like Token Sniffer that may have made their own free audit of the project available.
Lack of Effort or Innovation
Scam projects are not built to last; hence, founders don’t put a lot of effort into them. The most obvious sign is a low-quality website. In fact, some of them may only put up a “launching soon” page. This also applies to scam whitepapers, which are usually ambiguous, highlight several buzzwords like DeFi, blockchain, metaverse or GameFi, as well as copy-paste descriptions from other projects. If a protocol’s whitepaper or docs page doesn’t make sense, you should rethink its legitimacy.
Moreover, if a project is merely a clone of another or doesn’t bring anything new or innovative to the space, that’s a red flag. At best, you’re putting your hard-earned money into a low-quality project. At worst, you’re going to get exit scammed.
Funds Concentrated Among Handful of Holders
If large amounts of tokens are in the hands of a few holders, chances are that they are team wallets disguised as regular holders. This allows them to easily manipulate the price at the expense of innocent investors. Note that developers don’t need to completely drain a pool’s funds to perform a successful rug pull.
For example, if a couple of hands control 60% of the supply, they could easily sell them in one sitting and crash the token price.
To avoid this, you need to check the coin’s blockchain explorer on Etherscan to find its token distribution. As a rule of thumb, a non-team wallet should not hold more than 5% of the token supply unless locked.
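The holder check above and the liquidity-lock check described earlier can be run together over figures copied from a block explorer. The following is an added example, not part of the original article: the sample data is constructed, the function names are hypothetical, and the 365-day minimum lock is an assumption, since the article only asks for a "long" time horizon.

```python
from datetime import date

# Constructed sample figures (not a real token), as they might be copied from a
# block explorer's holders page and from the pool's list of LP-token holders.
TOTAL_SUPPLY = 1_000_000
HOLDERS = [  # (label, token balance, lock expiry or None)
    ("team-vesting", 150_000, date(2026, 1, 1)),
    ("wallet-A", 520_000, None),
    ("wallet-B", 60_000, None),
    ("wallet-C", 40_000, None),
]
LP_HOLDERS = [  # (label, fraction of the pool's LP tokens, lock expiry or None)
    ("locker-contract", 0.70, date(2026, 6, 1)),
    ("deployer", 0.30, None),
]

def is_locked(expiry, today, min_lock_days):
    """Count a position as locked only if the lock has min_lock_days left to run."""
    return expiry is not None and (expiry - today).days >= min_lock_days

def review(holders, lp_holders, total_supply, today,
           max_unlocked_share=0.05,  # the article's 5% rule of thumb
           min_lp_locked=0.95,       # the article's "preferably 95-100%"
           min_lock_days=365):       # assumption: the article only says "long"
    # Wallets above the threshold whose tokens are not under a long enough lock.
    big = {label: bal / total_supply for label, bal, expiry in holders
           if bal / total_supply > max_unlocked_share
           and not is_locked(expiry, today, min_lock_days)}
    # Fraction of pool liquidity that is locked for long enough.
    lp_locked = sum(frac for _, frac, expiry in lp_holders
                    if is_locked(expiry, today, min_lock_days))
    flags = [f"{label} holds {share:.0%} of supply and is not locked"
             for label, share in big.items()]
    if sum(big.values()) > 0.5:
        flags.append("unlocked large holders control more than half of the supply")
    if lp_locked < min_lp_locked:
        flags.append(f"only {lp_locked:.0%} of pool liquidity is locked")
    return {"large_unlocked": big, "lp_locked": lp_locked, "flags": flags}

if __name__ == "__main__":
    for flag in review(HOLDERS, LP_HOLDERS, TOTAL_SUPPLY, date(2024, 6, 1))["flags"]:
        print("RED FLAG:", flag)
```

In the sample, the team wallet passes because its lock runs long enough, yet the token still raises four flags: two large unlocked wallets, their combined majority of the supply, and a pool with only 70% of its liquidity locked.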
A stealth mint is when an NFT project flies under the radar until the mint is launched, which makes it so much easier to create FOMO in a short period. While it has some advantages, too many malicious developers have used it as an avenue for rugging. To be safe, avoid projects that use this approach.
Now that we have shed light on the steps needed to avoid falling prey to crypto scams, it is important to note these don't totally guarantee the safety of your funds. As the technology evolves, there will always be surprises, with hackers uncovering newer and more sophisticated ways to steal crypto funds.
Moreover, these measures aren’t as effective in isolation. For instance, if you are able to verify that the team wallets are locked, but fail to identify that more than half of the token supply is in the hands of an unlocked external wallet, they can still rug you. The same is true with haphazard background checks. You need to do your due diligence religiously or not invest at all.
The views and opinions expressed in this article are the author’s [company’s] own and do not necessarily reflect those of CoinMarketCap.
CoinMarketCap is not responsible for the success or authenticity of any project, we aim to act as a neutral informational resource for end-users.