Scammers have reportedly stumbled across a new way to rug-pull Solana users’ crypto — this time, by burning tokens they already own from inside their wallets.
According to Slorg, a member of Solana-based Jupiter’s Core Working Group, scammers have started to use an in-built Solana token extension to stealthily delete their target’s crypto holdings.
“Imagine you swap for a token and the wallet history confirms that you received it. But then you look inside and nothing shows up,” said Slorg in a Sept. 3 post on X.
Source: Slorg
“Time passes and no tokens, so you do some digging and reach out to someone who might know what's going on. This was the reality for a Jupiter Community Member 4 days ago,” he added.
Permanent Delegate abusers
For this user, it turns out they swapped for a token called “RED” which has a “Permanent Delegate” extension. This allowed the scammers to burn all the tokens in the transaction a mere seven seconds after it went through.
“The Permanent Delegate is an extension feature in Solana's Token 2022 standard,” PeckShield explained to Cointelegraph.
Solana’s official website describes the Permanent Delegate extension as a function that gives “unrestricted delegate privileges over all Token Accounts for that mint, enabling them to burn or transfer tokens without limitation.”
It is intended for proper use cases, such as retrieving tokens that have been mistakenly transferred, for use in revocable access tokens or sanction compliance. It can also be used for automatic payments and refunds.
However, even Solana has noted it is a “double-edged sword” and could be abused.
Why burn a victim’s tokens?
Speaking to Cointelegraph, Slorg said there could be several reasons a scammer may want to burn the tokens.
“Reason one is causing generalized mayhem,” said Slorg. “Sometimes scammers just want to see destruction and chaos. Kind of like a mix between a prank and a ‘fuck u.’”
The second reason, said Slorg, is to reduce float.
“If someone can't sell, the price won't decrease. Many of the times scammers snipe most of the initial supply and the thing is they don't need more than $50 dollars in profit to make it worthwhile.”
“I observed a lone scammer last November who was launching token after token before pump.fun, and he was only raking in 50-100 dollars each time but spread across 50 a day, he was making thousands a week,” said Slorg, adding:
“It's probably not a super efficient strategy, but they're definitely experimenting out there.”
Blockchain security service providers Beosin and Peckshield also shared similar theories in comments to Cointelegraph.
Source: Tamara Gligorova
PeckShield speculates that scammers are trying to affect the cryptocurrency’s tokenomics, as it “basically allows for manipulating the circulating supply of the related tokens.”
Meanwhile, Beosin believes the scammer could use the function to trick users into thinking the circulation of their created token has remained the same by destroying users’ tokens.
“For example, burn someone else's tokens to raise the token price and gain profits from some DeFi protocol that is related to the token.”
Slorg noted that Jupiter and RugCheck are among two entities that have created indicators for when this extension is turned on.
“Regardless, practicing due diligence with any token is crucial. Always have a routine that you don't deviate from, and take your time to read all the text when making a swap.”
“If not, it could end up costing you someday — especially as new token capabilities are developed.”
Others have also reported being hit with a similar scam recently, noted Slorg.
Magazine: How crypto bots are ruining crypto — including auto memecoin rug pulls