Highlights from ‘The Rug Pull Report’ by Solidus Labs





Solidus Labs, a blockchain monitoring platform, released its 2022 Rug Pull Report, revealing that almost two million investors have lost funds to rug pull tokens. This is comparable to the number of investors that faced unsecured losses due to the collapse of some of the biggest crypto platforms.

The firm’s Web3 AML solution scanned the source code of every new cryptocurrency deployed on an EVM blockchain since 2020, which amounts to 1.8 million tokens across 12 chains to date.

It found that threat actors within the cryptocurrency industry are initiating as many as 15 cryptocurrency scams an hour. It was further found that 12% of all BNB Chain tokens are scams, the highest of any blockchain, while 8% of all Ethereum tokens are programmed to execute rug pulls.

Rug pulls have been wreaking havoc in the crypto sector, with 117,629 reported scam tokens created in 2022, according to Solidus Labs’ report, as of 1 December 2022. The investigation has revealed nearly twice as many were lost in 2022 to fraudsters and rug pulls.

The number of scam tokens created this year is up 41% compared to 2021, when Solidus detected almost 83,400 fraudulent tokens. And as expected, 2022 is the biggest year ever for fraudulent crypto tokens since the company started tracking them in September 2020.

Meanwhile, according to the Federal Trade Commission, consumers lost more than $1 billion between early January 2021 and March 2022 due to cryptocurrency fraud. In Q1 of the current year, the losses from crypto frauds & scams amounted to $185 million in the United States.

However, a new survey from Privacy Affairs revealed that the top five largest cryptocurrency losses, scams, and hacks in 2022, as measured by the amount of money lost or stolen ($100 million or more), totaled almost a whopping $3.5 billion.

Rug Pull Epidemic

The rug pull epidemic is sweeping through the crypto world, and many investors are losing their hard-earned money. As such, in its special report, Solidus Labs provides a comprehensive look at Rug Pulling, the most common smart contract scam.

Similar to 2021, the majority of cryptocurrency hacks and scams in 2022 were caused by attackers and other threat actors exploiting weaknesses and vulnerabilities in DeFi protocols, exchange platforms, and blockchain bridges.

Cryptocurrency exit scams, generally speaking, are a tactic in which a cryptocurrency fraudster launches an initiative to raise funds for a cryptocurrency token/project that promises substantial returns for investors and unwitting cryptocurrency users.

Rug pulling, on the other hand, is an exit scam in which a person or a group creates a token and increases its value, then pulls out the entire value of the project.

In short, a rug pull is a crypto scam in which teams pump up the value of their tokens in order to lure investors and then pull away before the project is built. After the token is deployed, a rug pull team typically builds out a pool of liquidity in a decentralized exchange (DEX), which is not operated by a centralized entity and does not require KYC checks.

Solidus Labs found that rug pull tokens are deliberately programmed for theft, with their smart contracts being capable of disabling secondary sales, charging 100% sales fees to buyers, or allowing developers to mint new tokens.

According to a study from the cryptocurrency risk monitoring and market monitoring firm, rug pulls are one of the most common scams in crypto, with more than 200,000 scam tokens deployed by fraudsters from September 2020 to December 1st, 2022.

Fraudsters are able to launder their money and seed their scams by using crypto-to-fiat exchanges. It was also found that most of these malicious tokens, more than 99%, have avoided detection under traditional methods of scam identification because they occur exclusively on-chain.

Moreover, the tokens aren’t detected by authorities as the scam is encoded in the token’s smart contract, traded on a decentralized exchange, and its illicit profits are denominated in crypto, not fiat currency.

Additionally, token scammers might use fraudulent marketing to reach more investors, like using bots for spamming social media or wash trading, which can be done without even registering a web domain.

Hard and Soft Rug Pulls

The blockchain monitoring firm Solidus Labs leveraged smart contract screening technology to scan millions of token contracts and flag scam vulnerabilities with unprecedented accuracy.

Diving further into rug pulls, the firm shared that there are two main types of rug pulls: hard and soft. In a hard rug pull, also known as a token scam, the scammer programs their token to steal from investors. There are seven main types of hard rug pulls: honeypots, hidden mints, fake ownership renunciations, hidden balance modifiers, hidden fee modifiers, hidden max transaction amount modifiers, and hidden transfers.

The firm detected 98,442 honeypot scams preventing buyers from re-selling their tokens. In honeypot scams, buyers aren’t allowed to sell tokens, which causes their price to increase for as long as the scammer wants, creating the appearance of a “mooning” token and thereby tricking even more users into buying it — making them by far the most popular rug pull.

The majority of honeypots have been implemented in one of four ways: liquidity pool blocks, using external contracts, blocklists, or allowlists. And according to Solidus Labs’ rug pull detection tool, there were 30,323 liquidity pool block scams, 35,424 external contracts scams, and 10,639 blocklists/allowlists scams.

Solidus says that the most prolific “honeypot” that was successfully executed this year was a $3.3 million Squid Game token scam (SQUID), which rose 45,000% within days when investors bought into the hype, but could not sell, ending with an anonymous founder seemingly running away with investors’ funds.

The firm further detected a total of 60,985 hidden mints, under which developers are free to create unlimited new tokens using a hidden function within the token’s contract. After calling this function, the scammer can dump these extra tokens on the market, devaluing the tokens held by others.

Meanwhile, an estimated 48,974 fake ownership renunciations have been conducted. With this type of scam, the scammer makes it look like they have given up control of the token contract when they really haven't. The scammer is still able to access owner-only functions within the contract, like functions that can pause trading, mint tokens, or set fees. And it goes without saying this is deceptive and can lead to people losing their money.

In hidden balance modifiers scams, one or more externally-owned accounts (EOAs), or the token contract itself, can modify token holders’ balances. There have been 8,340 such cases. As the name suggests, a hidden transfer allows developers to send tokens from other users’ addresses to themselves. Scammers have already undertaken a total of 2,026 hidden transfer scams.

Another type of scam to be aware of is the hidden fee modifier, which allows token developers to change the fees collected when users buy and sell a token. Scammers can make this modification to trick users into unknowingly paying a much higher fee than what was initially agreed upon. And in some cases, users have been scammed out of 100% of the size of their transfer. To avoid being a victim of this type of scam, pay close attention to the fees associated with any token purchase or sale.

There were 823 cases of hidden fee modifiers while the least amount of scams was detected in hidden max transaction amount modifiers, where 40 scammers set maximum transaction values as low as zero.
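The hard rug pull categories above can be screened for by asking whether an ordinary buyer could sell back what they bought, and at what cost. The following is an added example, not Solidus Labs' tooling: `TokenState`, `sell_proceeds`, `screen` and the probe address are hypothetical names, and the model is a constructed simplification of a token's owner-controlled settings rather than real contract code.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

@dataclass
class TokenState:
    """Constructed snapshot of a token's owner-controlled settings (hypothetical model)."""
    declared_fee_bps: int = 0             # sell fee advertised at launch, in basis points
    sell_fee_bps: int = 0                 # sell fee currently enforced (10_000 = 100%)
    max_tx_amount: Optional[int] = None   # per-transfer cap; None means no cap
    blocklist: Set[str] = field(default_factory=set)
    allowlist: Optional[Set[str]] = None  # None means anyone may sell
    owner_can_mint: bool = False          # an owner-only mint path is still reachable

def sell_proceeds(state: TokenState, seller: str, amount: int) -> int:
    """Amount the seller receives for `amount` tokens; 0 when the sale is refused."""
    if seller in state.blocklist:
        return 0
    if state.allowlist is not None and seller not in state.allowlist:
        return 0
    if state.max_tx_amount is not None and amount > state.max_tx_amount:
        return 0
    fee_bps = min(max(state.sell_fee_bps, 0), 10_000)  # clamp to 0..100%
    return amount * (10_000 - fee_bps) // 10_000

def screen(state: TokenState, probe: str = "0xprobe",
           amount: int = 1_000) -> Tuple[int, List[str]]:
    """Round-trip check for an ordinary buyer, labelled with the report's categories."""
    findings: List[str] = []
    if probe in state.blocklist or (
            state.allowlist is not None and probe not in state.allowlist):
        findings.append("honeypot")
    if state.max_tx_amount is not None and amount > state.max_tx_amount:
        findings.append("hidden max transaction amount modifier")
    if state.sell_fee_bps > state.declared_fee_bps:
        findings.append("hidden fee modifier")
    if state.owner_can_mint:
        findings.append("hidden mint")
    return sell_proceeds(state, probe, amount), findings

# Constructed sample tokens, not data from the report.
SAMPLES = {
    "clean":    TokenState(declared_fee_bps=300, sell_fee_bps=300),
    "honeypot": TokenState(allowlist={"0xowner"}),
    "fee":      TokenState(declared_fee_bps=300, sell_fee_bps=10_000),
    "max_tx":   TokenState(max_tx_amount=0, owner_can_mint=True),
}

if __name__ == "__main__":
    for name, state in SAMPLES.items():
        print(name, screen(state))
```

A token that passes this check can still be a soft rug pull, since those rely on promotion rather than contract logic.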

Now, in the second type – the soft rug pull, which is also known as an exit scam, the scammer promotes their token to steal from investors. They may publish misleading marketing websites and roadmaps, announce fake partnerships, or use bots to manufacture trading activity.

Before pulling the rug, exit scammers may create a misleading marketing website, announce partnerships that don’t exist, assert untrue claims about their development team or backers, engage in wash trading to artificially inflate the token’s volume or price, give themselves token allocations well beyond what they claim to own in public, or use social media bots to spam positive sentiment about the token on platforms like Twitter, Discord, Reddit, or Telegram.

CEXs at the Center of Rug Pull Scams

Solidus Labs recently launched Solidus Threat Intelligence, a real-time threat detection tool to help Anti-Money Laundering (AML) teams and others spot smart contract scams, which have emerged as one of the biggest challenges for Decentralized Finance (DeFi) and Web3.

The fact that there are multiple cryptocurrency exchanges, crypto wallets, and even fraudulent cryptocurrencies themselves definitely does not help the case. What you need to know is that, just like in every other online industry, there are certainly some bad apples within the cryptocurrency universe.

However, this is not to say there are not extremely helpful, user-friendly, legit, safe, and secure cryptocurrency platforms and exchanges as well. Unfortunately, many people are turned off from investing in cryptocurrencies due to the risks involved with falling prey to fraud and scams.

The report revealed that almost every major crypto exchange is impacted by rug pulls, with many of those behind these scam tokens using these fraudulent tokens to finance their scam projects and to cash in on illegally earned gains.

Rug pulls have also been detrimental to centralized exchanges (CEXs) as many behind these scam tokens used them to fund their dubious project and cash out the illicitly gotten gains.

The notorious implosion of FTX has been named the biggest single loss suffered by online investors in 2022, with $10 billion lost in customer funds. But Solidus Labs found rug pulls to be harming even more investors than FTX or any single collapse in crypto to date.

It is estimated that about $11 billion in stolen Ethereum (ETH) from fraudulent tokens has passed through 153 centralized exchanges (CEXs) since September 2020, and most exchanges are overseen by U.S. regulators. After the US, the jurisdictions that oversee CeFi exchanges with the most exposure collectively are Seychelles, the Bahamas, the Netherlands, and Hong Kong.

This is despite the fact that these exchanges are legally required to take measures to prevent money laundering, which is a crime in every jurisdiction where they operate. In addition, exchanges face extra regulatory requirements in many jurisdictions related to investor protection and the prevention of market abuse.

“This hidden theft phenomenon reveals significant gaps in consumer protection, anti-money laundering, and crypto market integrity,” stated the report.

Gaurav started trading cryptocurrencies in 2017 and has fallen in love with the crypto space ever since. His interest in everything crypto turned him into a writer specializing in cryptocurrencies and blockchain. Soon he found himself working with crypto companies and media outlets. He is also a big-time Batman fan.