February 22, 2022 - A rug pull is an event in which the project or token owner or developer abruptly exits or abandons the project/token leaving the investors of the project/token holding the bag. Analysis of tokens that have been rugged highlights a common pattern - they all lost 99%+ of their value within eight hours of the event.

Why does project/token owner commit rug pulls? Most are driven by greed as it is easier to get the money since they control the access to the developer funds. Conversely, developing a Web3 product or service requires talent, commitment, and hard work. Rug pulls are orchestrated by individuals that lack some or all of these attributes. In some isolated circumstances, rug pulls may also be committed by developers out of sheer disillusion or frustration with the space, as highlighted by the case of WarOnRugs project.

How do they steal the investors funds? Generally, there are several common patterns to look for:

1. If the project requires newly minted tokens, the developer initially creates a liquidity pool for that tokens against a highly liquid mainstream tokens like Ether (ETH) or Binance Coin (BNB) (especially if the token is ERC-20/BSC-20 type) by staking the developer's own ETH/BNB tokens in the pool. The investors can then acquire the new tokens by exchanging their ETH/BNB. The buy action will gradually increase the value of the new tokens, and the backed ETH/BNB liquidity balance will also grow. When the rug pull is executed, the developer pulls the ETH/BNB balance from the pool, leaving behind just the tokens with little to zero backing, causing an immediate collapse in the price of the tokens.
   

2. The developer may setup the smart contract such that only certain addresses (e.g., whitelisted addresses) are able to sell and everyone else is limited to buy. This action ensures that the tokens will only have one initial trajectory and that is to increase the token value. On rare situations, this action is pre-announced, but most cases, the disabling of sell action is hidden in complex code. Blockchain forensic experts may flag these projects or tokens as honeypots -- where funds flow in but cannot come out.
   

3. Through the developer's own action or those of other perpetrators, the project/token is subjected to a significant hype in the various public forums (Youtube, Twitter, Telegram, etc.) with the goal of introducing FOMO to bring in more investors and rapidly accelerate the price action of the tokens. This is intended so that the developer and his gang (e.g., promoters) can sell their shares of the tokens which may either be self-granted or self-purchased early in the project to take advantage of the increased value. This action may be done all at the same time or gradually to limit detection.
   

4. Other actions that may warrant a deep dive into the project/token includes indicators that the developer can mint unlimited number of tokens and to grant that to any addresses. The indicator becomes even more troublesome when such addresses are whitelisted by the developer. Conversely, another troubling indicator is that the developer can also blacklist addresses, or disable the ability for such addresses to remove the tokens. Changes in ownership from one owner address to another should raise some concerns. In some cases the rotation of owner acts as obfuscation for the rug pull to be claimed as 'a hack'.

How can one confirm that a rug pull has taken place?

1. The collapse of the project token is one key indicator. This can be judged by its 15-minute price action where its value may collapse by over 90%.

2. The confirmation of transactions in the smart contract of the removal of liquidity and subsequent liquidation via CoinJoin or Tornado Cash. This typically requires blockchain forensics of movements of the funds using onchain data.

3. The disappearance of social media links such as Twitter, Telegram, Medium, and Youtube handles

Let's get into the fun part of the analysis. We pulled data from our hackandscam database specific to rug pulls dated between 2021 and 2022. We applied several machine learning algorithms to evaluate the data set. Specifically, we look to identify the key attributes that are most likely identify a pending rug pull. Here are what we found:

1. Anonymity of the development team

2. Distribution of the rug pulls by age of the project/token

3. Platform where the rug pull was based

4. Ownership of tokens

5. Lack of security audits

Let's dive into the details of some of our key findings.

1. In all cases, rugged projects have teams that are fully anonymous. In other words, we were not able to confirm any verifiable attribution to specific named individual. The lack of transparency seems to be an indicator for the potential malicious action. Accordingly, investors should weigh the need for transparency of the project developers against the risk of a rug pull.

2. We measure the age of project/token using several metrics, one of which is deployer date. In case of rug pulls that may not involved smart contract we utilize other information such as social links and website registration information. Our analysis indicated that 13% of the rug pulls takes place within a day, and another 54% takes place within 50 days. Rug pulls after 350 days account for less 8% of the incidents reviewed. Don't FOMO, it is safer to invest into projects that are at least a year old.

3. Binance Smart Chain accounts for the majority of the rug pulls. Do we need to say any more than that!

4. Interestingly, we observed only two cases from our data set where the smart contracts were audited by third-parties. In one scenario, the library of the contract was not audited, and the scammer placed the rug pull code there and, therefore, was able to escape detection. In the second case, the scammer took advantage of the ongoing auditing process and rugged the project before auditors were able to release the outcomes. In other words, the auditors have indicators of the pending rug pull in the code, but provided the opportunities for the scammer to respond and perform code updates, and that costs the investor dearly!

Rug pulls are inevitable negative consequence of decentralized projects. Investors should always do their own due diligence including cross-checking information across multiple data sources before committing initial investments. Smart contracts should be audited by reputable parties. Resist FOMO as that can be the investors' worst enemy! Perhaps it may be best to prevent or limit investments to smaller commitments into projects sponsored on Binance Smart Chain as there is just some not right there.