Author: Ada

TenArmor and GoPlus have powerful Rugpull detection systems. The two recently joined forces to conduct in-depth risk analysis and case studies of the recent severe wave of Rugpulls, revealing the latest tactics and trends of Rugpull attacks and providing effective security recommendations for users.

Rugpull event statistics

TenArmor's detection system detects a large number of Rugpull events every day. Looking back at the data from the past month, Rugpull events have shown an upward trend, peaking on November 14 with as many as 31 Rugpull events in a single day. We believe it is necessary to expose this phenomenon to the community.

The losses from these Rugpull events mostly fall within the range of 0 - 100K, with total losses reaching 15M.

The most typical type of Rugpull in the Web3 field is the Pi Xiu scheme (a honeypot: a token that can be bought but not sold). GoPlus's token security detection tool can identify whether a token is a Pi Xiu scheme. Over the past month, GoPlus has detected a total of 5688 Pi Xiu schemes. More security-related data is available on GoPlus's data dashboard on Dune.

TL;DR

Based on the characteristics of current Rugpull events, we summarize the preventive points as follows.

1. Do not blindly follow trends. When purchasing popular cryptocurrencies, check whether the token address is legitimate to avoid falling into fraudulent traps by buying counterfeit tokens.

2. When participating in new tokens, do your due diligence: check whether the initial trading traffic comes from addresses associated with the contract deployer. If so, this may indicate a fraud trap, and it is advisable to avoid the token.

3. Check the source code of the contract. Be especially wary of the implementation of the transfer/transferFrom functions, and check whether normal buying and selling is possible. It is advisable to avoid tokens with obfuscated source code.

4. When investing, check the distribution of holders. If there is a significant concentration of funds, try to avoid it as much as possible.

5. Check the source of funds of the contract publisher, tracing back as far as possible, looking at whether the source comes from suspicious exchanges.

6. Pay attention to the early warning information released by TenArmor to stop losses in a timely manner. TenArmor has the ability to detect such Scam Tokens in advance; follow TenArmor's X account for timely warnings.

7. The TenTrace system has accumulated information on Scam/Phishing/Exploit addresses from multiple platforms, effectively identifying the inflow and outflow of blacklisted addresses. TenArmor is dedicated to improving the security environment of the community and welcomes partners in need to discuss cooperation.

Characteristics of RugPull events

Through analyzing a large number of Rugpull events, we found that recent Rugpulls have the following characteristics.

Impersonating well-known tokens

Since November 1, TenArmor's detection system has identified 5 Rugpull events impersonating the PNUT token. According to the summary of this tweet, PNUT began operations on November 1 and soared 161 times within 7 days, successfully attracting the attention of investors. The timing of PNUT's operation and surge coincides very closely with the time scammers began impersonating PNUT. Scammers chose to impersonate PNUT to attract more unsuspecting victims.

The total amount defrauded in the Rugpull event impersonating PNUT is 103.1K. TenArmor reminds users not to blindly follow trends. When purchasing popular cryptocurrencies, check whether the token address is legitimate to avoid falling into fraudulent traps by buying counterfeit tokens.

Targeting new token bots

The issuance of new tokens or new projects usually attracts significant market attention. When new tokens are issued for the first time, price fluctuations can be extreme, with prices sometimes varying greatly from one second to the next; thus, the pursuit of trading speed becomes a key objective for profit. Trading bots far surpass manual traders in both speed and responsiveness, making new token bots highly sought after at this time.

However, scammers have also keenly sensed the presence of numerous new token bots, setting traps for them to fall into. For example, the address 0xC757349c0787F087b4a2565Cd49318af2DE0d0d7 has initiated over 200 scam incidents since October 2024, with each incident ending within a few hours from the deployment of the trap contract to the Rugpull.

For example, in a recent scam incident initiated from this address, the scammers first used 0xCd93 to create the FLIGHT token and then created the FLIGHT/ETH trading pair.

Immediately after the trading pair was created, a large number of Banana Gun new token bots rushed in to make small swaps. Analysis shows that these new token bots were all controlled by the scammers, with the aim of creating traffic.

After about 50 small transactions had built up traffic, the token attracted real investors. Most of these investors also used the Banana Gun new token bot for trading.

After a period of trading, the scammers deployed a contract used for Rugpull, and it can be seen that the funds for this contract came from address 0xC757. Just 1 hour and 42 minutes after deploying the contract, it was Rugpulled, draining the liquidity pool and profiting 27 ETH.

Analyzing the scammers' methods reveals that they first create traffic with small swaps to attract new token bots, then deploy the Rug contract, and execute the Rugpull once profits reach their expectations. TenArmor believes that although new token bots make it quick and convenient to buy new tokens and seize opportunities, one must also consider the presence of scammers. When participating in new tokens, do your due diligence: check whether the initial trading traffic comes from addresses associated with the contract deployer; if so, the token should be avoided.

The source code hides secrets

Transaction tax

The following is the implementation code of the transfer function for FLIGHT. It is clear that this transfer implementation differs greatly from the standard implementation. Each transfer must decide whether to impose a tax based on current conditions. This transaction tax restricts both buying and selling, making it highly likely to be a fraudulent token.

In such cases, users only need to check the source code of the token to discover clues and avoid falling into traps.

Code obfuscation

TenArmor's article "The latest and significant Rug Pull event review: How should investors and users respond?" mentions that some scammers intentionally obfuscate the source code to make their intentions less readable. In such cases, it is advisable to avoid the token immediately.

Blatantly rugApproved

Among the many Rugpull events detected by TenArmor, some are quite blatant. For example, this transaction directly indicates intent.

There is usually a time window from the deployment of the contract used for Rugpull to the actual Rugpull. For example, in this case, the time window is nearly 3 hours. To prevent this type of fraud, users can pay attention to TenArmor's X account, where we will promptly send deployment messages of such risky contracts to remind users to withdraw funds in a timely manner.

In addition, rescueEth/recoverStuckETH is also a commonly used Rugpull interface. Of course, having this interface does not necessarily mean it is a Rugpull; other characteristics need to be combined for identification.

Concentration of holders

Rugpull events recently detected by TenArmor also show very distinctive holder distributions. We randomly selected 3 tokens involved in Rugpull events and analyzed their holder distributions. The results are as follows.

0x5b226bdc6b625910961bdaa72befa059be829dbf5d4470adabd7e3108a32cc1a

0x9841cba0af59a9622df4c0e95f68a369f32fbdf6cabc73757e7e1d2762e37115

0x8339e5ff85402f24f35ccf3b7b32221c408680421f34e1be1007c0de31b95f23

In these 3 cases, it is easy to see that the Uniswap V2 pair is the largest holder, holding the overwhelming majority of the tokens. TenArmor reminds users that if a token's holdings are concentrated at a single address, such as the Uniswap V2 pair, it should be traded with caution.
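The holder-distribution check described above can be reproduced from a token's Transfer events. The following is an added example, not code from TenArmor or GoPlus; the events, the placeholder address names and the 0.9 threshold are assumptions made for illustration.

```python
ZERO = "0x" + "0" * 40  # mint/burn counterparty in ERC-20 Transfer events

# Constructed Transfer events (sender, receiver, amount); placeholder names.
EVENTS = [
    (ZERO, "deployer", 1_000_000),   # mint
    ("deployer", "pair", 950_000),   # liquidity added to the pair
    ("pair", "buyer_1", 20_000),     # buys
    ("pair", "buyer_2", 10_000),
    ("buyer_1", "pair", 5_000),      # partial sell
    ("buyer_2", ZERO, 1_000),        # burn
]

def balances(events):
    """Replay Transfer events into current non-zero balances."""
    bal = {}
    for src, dst, amt in events:
        if src != ZERO:
            bal[src] = bal.get(src, 0) - amt
        if dst != ZERO:
            bal[dst] = bal.get(dst, 0) + amt
    return {a: b for a, b in bal.items() if b > 0}

def top_holders(events, n=3):
    """Top n holders as (address, share of circulating supply)."""
    bal = balances(events)
    supply = sum(bal.values())
    ranked = sorted(bal.items(), key=lambda kv: kv[1], reverse=True)
    return [(a, b / supply) for a, b in ranked[:n]] if supply else []

def concentrated(events, threshold=0.9):
    """True when one address holds more than threshold of supply.
    The 0.9 cut-off is an assumption for this example, not a page value."""
    top = top_holders(events, 1)
    return bool(top) and top[0][1] > threshold
```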

Source of funds

We randomly selected 3 Rugpull events detected by TenArmor to analyze the source of funds.

Case 1

tx: 0x0f4b9eea1dd24f1230f9d388422cfccf65f45cf79807805504417c11cf12a291

Tracing back 6 hops reveals an inflow of funds from FixedFloat.

FixedFloat is an automated cryptocurrency exchange that does not require user registration or KYC verification. Scammers choose to source funds from FixedFloat to hide their identities.

Case 2

tx: 0x52b6ddf2f57f2c4f0bd4cc7d3d3b4196d316d5e0a4fb749ed29e53e874e36725

Tracing back 5 hops reveals an inflow of funds from MEXC 1.

On March 15, 2024, the Hong Kong Securities and Futures Commission issued a warning regarding the platform MEXC, mentioning that MEXC actively promoted its services to Hong Kong investors without obtaining a license from the commission or applying for a license. The commission has listed MEXC and its website on the warning list of suspicious virtual asset trading platforms as of March 15, 2024.

Case 3

tx: 0x8339e5ff85402f24f35ccf3b7b32221c408680421f34e1be1007c0de31b95f23

Tracing back 5 hops reveals fund inflow to Disperse.app.

Disperse.app is used to distribute ETH to different contract addresses (distribute ether or tokens to multiple addresses).

Analysis of the transaction reveals that the caller of Disperse.app is 0x511E04C8f3F88541d0D7DFB662d71790A419a039; tracing back 2 hops also shows the fund inflow to Disperse.app.

Analysis of the transaction reveals that the caller of Disperse.app is 0x97e8B942e91275E0f9a841962865cE0B889F83ac; tracing back 2 hops reveals the fund inflow to MEXC 1.

Analyzing the above 3 cases, it is evident that scammers chose exchanges without KYC or licenses for funding. TenArmor reminds users to check if the source of funds of the contract deployer comes from suspicious exchanges when investing in new tokens.
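Both the hop-by-hop source-of-funds tracing in the cases above and the earlier advice to check whether early traffic comes from addresses associated with the deployer reduce to walking the funding graph backwards. The following is an added example, not TenArmor's or TenTrace's implementation; the transfer list, address names and label set are constructed placeholders.

```python
from collections import deque

# Constructed sample: (sender, receiver) ETH transfers. Every address and
# label is a placeholder for illustration, not real on-chain data.
TRANSFERS = [
    ("exchange_hot", "hop_a"), ("hop_a", "hop_b"), ("hop_b", "funder"),
    ("funder", "deployer"), ("funder", "bot_1"), ("funder", "bot_2"),
    ("exchange_hot", "investor_1"),
]
LABELS = {"exchange_hot": "no-KYC exchange"}  # hypothetical label set

def trace_back(addr, transfers, max_hops):
    """Breadth-first walk up the funding graph: {ancestor: hop count}."""
    incoming = {}
    for src, dst in transfers:
        incoming.setdefault(dst, set()).add(src)
    seen, queue = {addr: 0}, deque([addr])
    while queue:
        cur = queue.popleft()
        if seen[cur] == max_hops:
            continue  # hop budget spent on this branch
        for src in incoming.get(cur, ()):
            if src not in seen:  # also stops cycles
                seen[src] = seen[cur] + 1
                queue.append(src)
    del seen[addr]
    return seen

def labelled_sources(addr, transfers, labels, max_hops=6):
    """Labelled entities that funded addr within max_hops, with distance."""
    hops = trace_back(addr, transfers, max_hops)
    return {a: (h, labels[a]) for a, h in hops.items() if a in labels}

def linked_buyers(deployer, buyers, transfers, labels, max_hops=6):
    """Buyers sharing an unlabelled funding ancestor with the deployer.
    Labelled wallets are ignored: many unrelated users withdraw from the
    same exchange, so a shared exchange wallet proves nothing."""
    def cluster(a):
        return (set(trace_back(a, transfers, max_hops)) | {a}) - set(labels)
    dep = cluster(deployer)
    return [b for b in buyers if dep & cluster(b)]
```

In the sample, the deployer traces back 4 hops to the labelled exchange wallet, and the two bot addresses are linked to the deployer through the shared funder while the investor is not.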

Preventive measures

Based on the data set from TenArmor and GoPlus, this article thoroughly analyzes the technical characteristics of Rugpulls and presents representative cases. In light of the above Rugpull characteristics, we summarize the corresponding preventive measures as follows.

1. Do not blindly follow trends. When purchasing popular cryptocurrencies, check whether the token address is legitimate to avoid falling into fraudulent traps by buying counterfeit tokens.

2. When participating in new tokens, do your due diligence: check whether the initial trading traffic comes from addresses associated with the contract deployer. If so, this may indicate a fraud trap, and it is advisable to avoid the token.

3. Check the source code of the contract. Be especially wary of the implementation of the transfer/transferFrom functions, and check whether normal buying and selling is possible. It is advisable to avoid tokens with obfuscated source code.

4. When investing, check the distribution of holders. If there is a significant concentration of funds, try to avoid that cryptocurrency as much as possible.

5. Check the source of funds of the contract publisher, tracing back as far as possible, looking at whether the source comes from suspicious exchanges.

6. Pay attention to the early warning information released by TenArmor to stop losses in a timely manner. TenArmor has the ability to detect such Scam Tokens in advance, so follow TenArmor's X account for timely warnings.

The malicious addresses involved in these Rugpull events will be added to the TenTrace system in real time. The TenTrace system is an anti-money laundering system (AML) independently developed by TenArmor, suitable for multiple scenarios such as anti-money laundering, anti-fraud, and attacker identity tracking. The TenTrace system has accumulated information on Scam/Phishing/Exploit addresses from multiple platforms, effectively identifying the inflow of funds from blacklisted addresses and accurately monitoring the outflow of funds from these addresses. TenArmor is committed to improving the security environment of the community and welcomes partners in need to discuss cooperation.

About TenArmor

TenArmor is your first line of defense in the Web3 world. We provide advanced security solutions focused on addressing the unique challenges posed by blockchain technology. Through our innovative products ArgusAlert and VulcanShield, we ensure real-time protection and rapid response to potential threats. Our expert team is proficient in everything from smart contract audits to cryptocurrency tracking, making us the preferred partner for any organization seeking to protect its digital assets in the decentralized space.

Follow us @TenArmorAlert for timely updates on our latest Web3 security warnings.

About GoPlus

GoPlus, as the first on-chain security protection network, aims to provide every user with the easiest-to-operate, comprehensive on-chain security guarantee to ensure the safety of every transaction and asset.

The security service architecture is mainly divided into the GoPlus APP (web and browser plugin products) aimed directly at end users and GoPlus Intelligence, which indirectly serves end users through B-end integration or access. It covers the widest range of Web3 user groups and various trading scenarios, aiming to build an open, user-driven on-chain security protection network:

On one hand, any project can independently provide on-chain security protection for users by integrating with GoPlus; on the other hand, GoPlus also allows developers to fully utilize their advantages to deploy innovative security products to the GoPlus security market. Users can choose and configure convenient, personalized security services, thereby building an open decentralized security ecosystem for collaboration between developers and users.

Currently, GoPlus has become the preferred security partner for Web3 builders, with its on-chain security services widely adopted and integrated by Trust Wallet, CoinMarketCap, OKX, Bybit, DexScreener, SushiSwap, and others. On average, it is called over 34 million times daily, totaling over 4 billion calls, covering more than 90% of user on-chain transactions, and its open security application platform has served over 12 million on-chain users.
