A comprehensive inventory of the top ten on-chain Rug Pull projects in the crypto community, mainly from the previous bull market.
Original author: Bankless
Translation: Zen, PANews
If you have been deeply involved in the DeFi field for many years, you must have experienced more scams and hacks than you can imagine. This is the risk we bear when interacting on the forefront of financial technology.
Among all the traps in DeFi, Rug Pulls are often the most painful. These internal vulnerabilities, also known as exit scams, occur when insiders abuse the trust of users to steal their assets. They usually work through malicious code planted in smart contracts, which allows developers to drain these contracts or user wallets.
This article lists the top 10 Rug Pull projects of recent years, based on the on-chain Rug Pull leaderboard from DefiLlama.
Jay Pegs Auto Mart
Loss amount: $3.1 million
Date: September 17, 2021
Blockchain: Ethereum
Method: Malicious deposit address substitution
The front end of the Sushiswap IDO platform Miso was attacked. An anonymous contractor injected malicious code into the Miso front end, and the attacker replaced the auction wallet with their own wallet address, resulting in the theft of 864.8 ETH (about $3.07 million). The auction activity that suffered this attack was the DONA token auction of the Jay Pegs Auto Mart project. Subsequently, the SushiSwap team immediately fixed the vulnerability, and after tracking the attacker and requesting FBI intervention, all funds were quickly returned.
Dragoma
Loss amount: $3.5 million
Date: August 8, 2022
Chain: Polygon
Method: Fund embezzlement
Similar to the previously popular game STEPN, Dragoma, based on the Polygon network, is also a blockchain game that focuses on the move-to-earn concept. Players can claim dinosaur eggs for free and hatch them into NFTs after 40 days to earn rewards such as DMA tokens. On August 8, 2022, Dragoma was suspected of a Rug Pull, and the price of DMA plummeted from $1.8 to $0.002, a decrease of 99.82%. Subsequently, its official Twitter account showed “This account doesn’t exist”. It is worth mentioning that the DMA token was listed on the cryptocurrency exchange MEXC for less than 24 hours when this crash occurred.
Magnate Finance
Loss amount: $6.4 million
Date: August 25, 2023
Chain: Base
Method: Contract vulnerability
ZachXBT, an on-chain detective, issued a warning on August 25, 2023, stating that the Base ecosystem lending protocol Magnate Finance may soon experience an exit scam, and mentioned that the deployer address of Magnate Finance is directly related to the Solfire exit scam. Shortly after, the website and social media platforms of the Base ecosystem lending protocol Magnate Finance became inaccessible. Their Telegram group was also deleted. ZachXBT also stated that the deployer’s on-chain address is related to the Kokomo Finance exit scam.
According to the investigation report published by PShield, Magnate Finance conducted a Rug Pull by directly manipulating the price oracle, resulting in a loss of about $6.5 million. According to the Beosin Alert monitoring, the deployer address of Magnate Finance is related to the previous Rug Pull incidents involving Solfire and Kokomo Finance. The total amount stolen by this scammer is $16.7 million.
New blockchain networks are like the American Wild West. Acting cautiously and sticking to audited, time-tested protocols can help reduce risk.
Arbix Finance
Loss Amount: $10 million
Date: January 4, 2022
Chain: BNB
Method: Contract Vulnerability
Arbix Finance, a liquidity mining protocol based on Binance Smart Chain, was once touted as a “low-risk way to maximize returns,” and Arbix profited from arbitraging user deposits. In the early morning of January 4, 2022, approximately $10 million of user funds were stolen, and the project’s social media and website were also shut down. Shortly after, the team injected $4.5 million worth of ARBX tokens into PancakeSwap, causing the price to drop from $1.42 to zero.
According to CertiK’s incident analysis, the Arbix Finance project displayed too many dangerous signals. The ARBX contract only had a mint() function for the owner, and 10 million ARBX tokens were minted to 8 addresses. CertiK also confirmed that 4.5 million ARBX tokens were minted to one address and then transferred. Another dangerous signal was the $10 million of user funds, which were directed to an unverified pool after deposit, and the hacker eventually gained full access and stole the $10 million assets.
Compounder Finance
Loss Amount: $12 million
Date: December 2, 2020
Chain: Ethereum
Method: Contract Vulnerability
Just a few months after the boom of DeFi summer, investor sentiment was high and yields were also high. Compounder Finance, developed by a group of anonymous developers, attracted the attention of some users, and it was no different from countless other protocols hoping to enter the liquidity mining craze. What was surprising was that the main culprit behind the theft of over $12 million of user funds was not hackers, but the project team itself. After completing the audit, the project team added 7 malicious strategy contracts to its codebase, constituting a very malicious DeFi exit scam incident.
The difference is that, after the audit, the team added a malicious backdoor to its code. This backdoor allowed the developers to steal all the user funds deposited into the protocol, worth approximately $12 million. Since then, audit practices have had to be adjusted, focusing not only on external threats but also on internal threats. After the incident, Rekt news and @vasa_develop shared the detailed process of the event.
Snowdog
Loss Amount: $18.1 million
Date: November 25, 2021
Chain: Avalanche
Method: Contract Vulnerability
Avalanche Rush brought $180 million in incentives to the ecosystem, attracting a large number of crypto enthusiasts to a new chain, and at that time, it was also the peak of the Dogecoin craze. Snowdog, a meme project on the Avalanche chain, gained a lot of attention and claimed to create a reserve currency supported by liquidity owned by the protocol.
This incident is a typical “Rug Pull”. Internal personnel of the project allegedly used the hidden “challengeKey” to sell a large amount of SDOG Token in two batches through Snowswap at around 6 am today, making a profit of $17 million, causing the SDOG price to drop 90% in half an hour. TechnoArtoria pointed out that the contract code of Snowswap had not been fully reviewed before, and only internal personnel knew about the “challengeKey” and used it to sell a huge amount of tokens.
StableMagnet
Loss amount: $27 million
Date: June 23, 2021
Chain: BNB Chain
Method: Contract vulnerability and user wallet
DeFi project StableMagnet promised high returns on stablecoins and attracted tens of millions of TVL investments before launching the “novel rug method”.
The issue is not in the project’s own smart contract, but in the underlying function library called by the smart contract. The project implanted a backdoor in the underlying function library, SwapUtils Library, so the project can directly transfer assets using the backdoor regardless of whether the smart contract code of the project itself is safe or whether there is a time lock.
After the incident, one of the victims of this event, DeFi KOL Ogle, and a community investigation team conducted a thorough investigation. The British police, who obtained the intelligence, successfully arrested members of the project team, and the assets returned by the arrested members totaled approximately $22.5 million.
PAID Network
Loss amount: $27 million
Date: March 5, 2021
Chain: Ethereum
Method: Unlimited minting and selling
The decentralized application PAID Network aims to provide a new method for conducting business through its proprietary SMART protocol, community-managed arbitration system, reputation scoring, and DeFi tools.
On March 6, 2021, Beijing time, PAID Network officially announced on Twitter that its contract had been hacked. Since the PAID Network project used an upgradable storage proxy contract model, the attacker deployed a malicious logic contract with the owner permission of the PAID Network proxy contract and stole over 59 million PAID tokens.
It is understood that the vulnerability that allows the contract owner to freely mint additional tokens was discovered and pointed out by users early on. Twitter user @WARONRUGS (account deleted) had mentioned this vulnerability in a tweet.
Meerkat Finance
Loss amount: $32 million
Date: March 4, 2021
Chain: BNB Chain
Method: Contract vulnerability
DeFi project Meerkat Finance on the Binance Smart Chain earned a profit of 13 million BUSD and 73,000 BNB, approximately $31 million, after operating for one day, and then the funds were immediately taken away by the project team.
Meerkat Finance initially claimed it was a hack, but later the project team deleted their accounts.
The deployer of Meerkat Finance upgraded the project’s two vaults. The attacker’s address called the initialization function without permission through the Vault proxy, effectively allowing anyone to become the owner of the Vault. The attacker then depleted the vault by calling a function with the signature 0x70fcb0a7, which accepts a token address as input. The decompiled upgrade as a smart contract shows that the only purpose of the called function is to remove funds with the owner as the beneficiary. Since the upgrade was completed by the deployer of Meerkat Finance, considering all aspects of the on-chain data, the most likely scenario of this incident is an intentional rug pull, and the possibility of private key leakage is very small.
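The Meerkat Finance and PAID Network incidents above share one on-chain shape: a proxy's logic is swapped, then assets leave quickly. The following monitoring heuristic is an added example, not code from the original article or from any project named in it; the event records, vault names, and the `window` and `drain_ratio` thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of already-decoded events, oldest first (not real chain data).
# "Upgraded" = the proxy's implementation changed; "Transfer" = tokens moving
# into (+) or out of (-) the vault, in token units.
SAMPLE_EVENTS = [
    {"block": 100, "vault": "vaultA", "kind": "Transfer", "delta": +1000},
    {"block": 101, "vault": "vaultB", "kind": "Transfer", "delta": +500},
    {"block": 102, "vault": "vaultC", "kind": "Transfer", "delta": +800},
    {"block": 110, "vault": "vaultA", "kind": "Upgraded"},
    {"block": 111, "vault": "vaultA", "kind": "Transfer", "delta": -400},
    {"block": 112, "vault": "vaultA", "kind": "Transfer", "delta": -550},
    {"block": 120, "vault": "vaultB", "kind": "Upgraded"},
    {"block": 125, "vault": "vaultB", "kind": "Transfer", "delta": -20},
    {"block": 130, "vault": "vaultC", "kind": "Transfer", "delta": -700},  # no upgrade
]

def find_upgrade_then_drain(events, window=50, drain_ratio=0.5):
    """Return one alert per vault that loses >= drain_ratio of its balance
    within `window` blocks after an implementation upgrade."""
    balance = defaultdict(int)   # running balance per vault
    watch = {}                   # vault -> state recorded at its latest upgrade
    alerts = []
    for ev in events:
        vault = ev["vault"]
        if ev["kind"] == "Upgraded":
            # Empty vaults are skipped: there is nothing to drain.
            if balance[vault] > 0:
                watch[vault] = {"block": ev["block"], "base": balance[vault], "out": 0}
            continue
        balance[vault] += ev["delta"]
        state = watch.get(vault)
        if state is None or ev["delta"] >= 0:
            continue             # no recent upgrade, or this is a deposit
        if ev["block"] - state["block"] > window:
            del watch[vault]     # upgrade is too old to correlate
            continue
        state["out"] -= ev["delta"]          # accumulate outflow since upgrade
        if state["out"] >= drain_ratio * state["base"]:
            pct = round(100 * state["out"] / state["base"], 1)
            alerts.append({"vault": vault, "upgrade_block": state["block"],
                           "drain_block": ev["block"], "drained_pct": pct})
            del watch[vault]     # alert once per upgrade
    return alerts

if __name__ == "__main__":
    for alert in find_upgrade_then_drain(SAMPLE_EVENTS):
        print(alert)
```

On the sample, only vaultA is flagged: vaultB was upgraded but saw a small withdrawal, and vaultC lost most of its balance without any preceding upgrade.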
AnubisDAO
Loss Amount: $60 million
Date: October 29, 2021
Blockchain: Ethereum
Method: Smart Contract Vulnerability
One day after the launch of the OHM fork project AnubisDAO in Copper Launch, liquidity pools were withdrawn, suspected of exit scam, and a total of over 13,556 ETH was transferred to the address @0x9fc, worth approximately $58.3 million. Shortly after, the project’s Twitter account ceased activity.
In March of this year, the address of the AnubisDAO attacker (marked as AnubisDAO exploiter3) transferred 2,500 WETH to addresses starting with “0x0D19” and laundered 2,400 ETH (approximately $3.76 million) through Tornado Cash. In May, an EOA address (0xa570d…) related to the scam event transferred approximately 3,000 ETH (approximately $5.9 million) to Tornado Cash.
Summary
Behind the frustrating stolen-funds data, we can also see a positive side: most of the fund-loss incidents examined here occurred before 2022. In fact, in this top ten list, the funds lost in 2021 accounted for 84% of the total amount.
What does this teach us? Overall, audit firms have learned from painful lessons that they must adapt quickly to maintain a good reputation. In addition, members of the crypto community who have been attacked in the past can delve into the code more quickly and identify suspicious teams with higher accuracy.
After repeated Rug Pulls, the anti-fragility of DeFi has made it stronger, which means that it can thrive and grow in the face of volatility, randomness, chaos and pressure, risk and uncertainty, and eventually move in the right direction over time. Will there come a day when unknown teams no longer profit unjustly? This is certainly not very realistic. As long as it is profitable, bad actors will continue to challenge the bottom line, but the direction we are developing is definitely the right one.