DeFi sees $760m wiped in crypto’s most common scam — what are ‘rug pulls’?

On the fringes of decentralised finance, hacks and code exploits are common.

Investors deposit funds to unproven protocols hoping for high returns — but a small error or miscalculation in the code could allow a hacker to syphon their funds and leave them out of pocket.

But sometimes the threat doesn’t come from technical oversights but rather a protocol’s own developers, or those linked to them.

Such incidents are known in DeFi circles as “rug pulls” — a phrase that brings up visions of a solicitous host laying out a carpet for his guests, only to pull it out from under their feet once they enter his home.

Last year, rug pulls and related scams totalled up to $760 million, according to data from blockchain security firm Quantstamp.

They were also the most common type of crypto attack, according to a third-quarter report from blockchain security auditor Hacken.

In a year when bad actors stole $1.7 billion in crypto, rug pulls accounted for a significant portion of the losses.

Take a look at some of the major incidents.

BALD $6 million in July

When Coinbase’s Base blockchain was activated but not launched at the end of July, eager users piled more than $58 million onto the chain within the first 24 hours.

With few DeFi protocols and tokens deployed on Base at the time, many of these early entrants placed bets on BALD, a so-called memecoin riffing on Coinbase CEO Brain Armstrong’s coiffure — or lack of one.

Spurred on by the anonymous BALD token creator depositing millions of dollars of liquidity into its trading pool — a sign many took as evidence BALD’s creator was trustworthy — the token rose a dizzying 3,000% hours after its launch.

But the party was short-lived.

The next day, the BALD creator withdrew this liquidity, instantly crashing the token some 97% — a classic rug pull.

Analysis of onchain data shows that by pulling liquidity, the BALD creator gained approximately $6 million.

Magnate Finance $6.4 million in August

Suspected rug pulls are the most common attack vector in crypto due to one major reason — the serial nature of those ostensibly responsible.

Take the Magnate Finance incident. The protocol launched on Base in August and was briefly the blockchain’s big kahuna with $6.4 million in deposits.

Onchain records showed that the protocol was linked to the same wallets as those tied to a previous rug pull at Solfire Finance. The records were first highlighted by security researchers including ZachXBT, the pseudonymous blockchain sleuth.

Magnate Finance’s developers used their control over the protocol to “manipulate” the price oracles it relied on to correctly value the crypto assets deposited to the protocol, according to an analysis from blockchain auditing firm QuillAudits.

This let them withdraw all $6.4 million worth of user deposits, according to blockchain security firm PeckShield.

Kokomo Finance $5.5 million March

Before disappearing with $6.4 million in investor funds from Magnate Finance, the individuals using the same crypto wallet addresses had already played out a similar rug pull with another project five months earlier, according to blockchain security company Beosin.

And who were the victims?

They were investors of Kokomo Finance, a DeFi lending protocol on Ethereum layer 2 network Optimism.

Kokomo’s developers orchestrated an elaborate bait-and-switch by deploying legitimate code, then reverting to a malicious implementation after users had deposited more than $5.5 million of funds, according to QuillAudits.

The project’s website and social media profiles were deleted shortly after, a common occurrence in suspected rug-pulls.

Xirtam $3.4 million and Swaprum $3 million in May

The Xirtam and Swaprum incidents were two other suspected rug pulls in May, with $3.4 million gone in the former and $3 million removed in the latter.

DL News reported that Swaprum’s alleged rug pull was made possible due to a feature that allowed the suspected project insiders to upgrade the smart contract after it had been deployed and drain investor funds.

Only people with special access rights to a project’s smart contract can make such changes — a fact used by onchain sleuths and security researchers to determine if a fund loss incident is a likely rug-pull.

It is possible for an external actor to trick insiders into relinquishing control of the smart contract. But such an occurrence will show up in the onchain data.

When that is absent, evidence of a suspected rug-pull becomes stronger.

Two million victims

Over two million crypto investors have been affected by so-called rug pulls, according to research by crypto trade surveillance outfit Solidus Labs.

The alleged rug pullers, some of whom appear to be serial offenders, launch more of these scam projects each year, Solidus’ data shows.

They use one or a combination of up to seven attack methods to disappear with deposited funds, leaving investors in the lurch.

Sometimes, they launch so-called honeypots — projects with corrupted code that prevents investors from selling their tokens. Other times, they create backdoors in their code that allow them to mint more tokens after the fact to dump on the market.

Self-confessed rug pull

Many of these suspected rug pullers funnel the syphoned funds through crypto mixing services like Tornado Cash.

Sometimes, the law catches up.

That was the case for UAE-based French national Aurelien Michel, the man accused of abandoning the Mutant Ape Planet NFT collection he created in a self-confessed rug pull.

Aurelien, arrested in January for his part in the $2.9 million rug pull, pled guilty in November and could face up to five years in jail, plus a $1.4 million fine.

Magnate Finance, Kokomo Finance, Xirtam, and Swaprum could not be reached for comment, as web and social links have all disappeared. Coinbase did not respond to a DL News request for comment.

Osato Avan-Nomayo is our Nigeria-based DeFi correspondent. He covers DeFi and tech. To share tips or information about stories, please contact him at osato@dlnews.com.