If you are a DeFi investor, one of the most painful experiences is the so-called “rug pull”: the developers of a project abandon it and run away with users’ funds.
It can happen in many ways. For example, the developer seeds the initial liquidity, pushes up the price, and then withdraws the liquidity, leaving holders unable to exit their positions. Another common method is to launch a website and shut it down after attracting hundreds of thousands in deposits.
According to CipherTrace data, in the second half of 2020 nearly 99% of major fraud and misappropriation of funds were the result of rug pulls and exit scams by fraudulent DeFi protocols.
Famous examples of DeFi rug pulls in 2020 include:
- Emerald Mine
We have been scammed twice in our own investing history, so we know exactly how it feels to have hard-earned money taken by scammers.
In this article, we try to help you find your way in DeFi and spot the potential signs of a rug pull.
Unverified smart contract code
Smart contract source code is usually published so that anyone can verify it: the public can inspect what the code does and audit any suspicious functions.
Deploying unverified code on the blockchain means that no one can see what the code does. A malicious actor can execute malicious code at any time and transfer the funds locked in the smart contract to other addresses without your permission.
Examples of unverified contracts
Hasty development and launch
Most legitimate projects take months to plan, promote and launch. If you find evidence that a project was developed and launched in a hurry, that should get your immediate attention.
For example, many Uniswap clones simply fork the Uniswap code base and make quick changes to the front-end interface while leaving a lot of work unfinished. These are all signs of a potential rug pull.
In the case of Wineswap, which defrauded users of $344,000, the developer did not even bother to change the token name in the contract, which still used the Sushiswap name.
Similarly, many forked projects offer no unique advantages or features. Instead, they make simple UI tweaks to popular projects and repackage themselves as a legitimate project, which makes them extremely likely candidates for a rug pull.
WaveSwap, a front end similar to Pancakeswap
Fake social media activities
Social media activity can be faked with bots and automation software. These bots can like, repost, comment on and share posts at scale while taking part in airdrop campaigns.
Fake social media accounts are often easy to spot: they have almost no activity apart from liking or reposting promotional posts and content.
Possible robot accounts
Before approaching a DeFi protocol, check its social media accounts (Twitter, Telegram, Discord) for bot activity. Are the users and participants genuine, or are they bots pretending to be users?
Unaudited or audited by an unknown auditing company
Because a DeFi protocol is interconnected with other parts of DeFi and may hold millions or billions of dollars in user funds, audits play a key role in providing a second opinion on the quality of its smart contracts.
However, an audit is not foolproof: many protocols have been hacked even though they were audited by reputable companies.
The first layer of security is an audit of the smart contracts by a reputable audit company. In our opinion, reputable audit companies include PeckShield, Trail of Bits, Quantstamp and SlowMist.
The audit company reviews the project’s code base and reports the issues it finds, ranked by severity, so that they can be fixed. After the audit, the audit report can be published.
Audit example to check code
Relying on audit companies with a poor reputation can put users’ funds at great risk, because they may deliver lower-quality audits or may lack significant experience in auditing complex smart contracts. Some projects hire multiple auditors to review the smart contract code in order to establish the trustworthiness of the protocol.
Using a third-party review platform such as DeFi Safety can also help address concerns about factors such as code quality, team, testing procedures, security procedures and access control.
No time lock or multi-signature
Smart contracts can usually be upgraded, or have privileged functions called, by an administrator, usually the address that deployed the contract.
These functions can include creating a new liquidity pool or changing protocol parameters such as, in the case of an AMM, withdrawal fees.
A timelock is a piece of code that queues smart contract changes behind a time-based delay. It essentially locks the relevant function of the smart contract until a predefined period of time has passed.
For example, if the contract has a 48-hour timelock, any change made through the smart contract must be queued and can only be executed after 48 hours.
The timelock gives users enough time to react to smart contract changes; if they object to a particular change, they can withdraw their funds from the protocol before the change takes effect.
Pancakeswap uses a 6-hour timelock to give users some time to react to protocol changes.
Without a timelock, the smart contract administrators or governors can immediately submit malicious transactions and destroy the entire protocol.
Some projects use a multi-signature (multisig) wallet instead of a timelock to implement changes to the protocol. With a multisig, several signatures are required for a transaction to be executed, and the transaction can be set to require authorization by a majority of signers before it is sent to the chain.
Many protocols use multisigs to control parameters. For example, Curve is a co-signer of yEarn Finance’s multisig governance, which manages the minting of new YFI tokens.
If a project has neither of these safeguards, be highly cautious, because the developer has full control over your deposits and can withdraw or transfer them at will.
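To make the two safeguards concrete, here is an added example (not from the article or any project) that models a protocol whose parameter changes need m-of-n signer approval and then a timelock delay before they take effect; the class and method names and the withdrawal-fee parameter are assumptions. With the delay set to 0 and a single signer it reproduces the situation this section warns about: the developer can change a parameter instantly.

```python
from dataclasses import dataclass, field

# Constructed model (not the article's or any project's code) of an m-of-n multisig
# approval plus a timelock delay; class, method and parameter names are assumptions.
TIMELOCK_DELAY = 48 * 3600  # seconds; the article's 48-hour example

@dataclass
class Proposal:
    param: str
    new_value: int
    queued_at: int              # time the change became publicly visible
    approvals: set = field(default_factory=set)
    executed: bool = False

class GovernedProtocol:
    def __init__(self, signers, threshold, delay=TIMELOCK_DELAY):
        if not 0 < threshold <= len(signers):
            raise ValueError("threshold must be between 1 and the number of signers")
        self.signers = set(signers)
        self.threshold = threshold  # signatures needed (the m in m-of-n)
        self.delay = delay          # seconds a queued change must wait; 0 = no timelock
        self.params = {"withdrawal_fee_bps": 10}
        self.proposals = []

    def propose(self, signer, param, new_value, now):
        """Queue a parameter change; queued changes are visible before they take effect."""
        self._require_signer(signer)
        proposal = Proposal(param, new_value, queued_at=now, approvals={signer})
        self.proposals.append(proposal)
        return len(self.proposals) - 1

    def approve(self, signer, proposal_id):
        self._require_signer(signer)
        self.proposals[proposal_id].approvals.add(signer)

    def execute(self, proposal_id, now):
        """Apply the change only once enough signers approved AND the delay has elapsed."""
        proposal = self.proposals[proposal_id]
        if proposal.executed:
            raise PermissionError("already executed")
        if len(proposal.approvals) < self.threshold:
            raise PermissionError(f"{len(proposal.approvals)}/{self.threshold} approvals")
        if now < proposal.queued_at + self.delay:
            raise PermissionError(f"timelock: {proposal.queued_at + self.delay - now}s remaining")
        self.params[proposal.param] = proposal.new_value
        proposal.executed = True
        return self.params[proposal.param]

    def _require_signer(self, signer):
        if signer not in self.signers:
            raise PermissionError(f"{signer} is not a signer")
```

Queued proposals are the signal users should watch: a fee change sitting in the queue is the moment to withdraw if you disagree with it.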
A new project can defraud you in many ways, and the checks above are by no means the only ways to protect your hard-earned money.
In fact, if something seems too good to be true, or intuitively suspicious, avoid it. There is no reason to risk all your money out of greed to earn a few more dollars.
DeFi can be a dangerous field because it is unregulated, and at every step there are malicious actors trying to deceive you, from social engineering to attempts to get you to hand over your mnemonic seed phrase.
Posted by: CoinYuppie. Reprinted with attribution to: https://coinyuppie.com/%e2%80%8bhow-to-discover-the-potential-rug-pull-in-defi/