Don't step on landmines again.
Author: Ada
TenArmor and GoPlus possess powerful Rugpull detection systems. Recently, the two have joined forces to conduct in-depth risk analysis and case studies on the serious situation of recent Rugpulls, revealing the latest methods and trends of Rugpull attacks, and providing users with effective security protection advice.
Rugpull Incident Statistics
TenArmor's detection system detects a large number of Rugpull events daily. Looking back at the data from the past month, Rugpull incidents are on the rise, especially on November 14, when the number of Rugpull events reached as high as 31. We believe it is necessary to expose this phenomenon to the community.
Most of the losses from these Rugpull events fall within the range of 0 - 100K, with cumulative losses reaching 15M.
The most typical type of Rugpull in the Web3 field is the Pixiu scheme. GoPlus's Token security detection tool can detect whether a token is a Pixiu scheme. In the past month, GoPlus detected a total of 5688 Pixiu schemes. More security-related data can be accessed through GoPlus's data dashboard on DUNE.
TL;DR
Based on the characteristics of current Rugpull events, we summarize the prevention points as follows.
1. Do not blindly follow trends; when purchasing popular tokens, check whether the token's address is the genuine one to prevent buying counterfeit tokens and falling into scam traps.
2. When participating in new token offerings, conduct due diligence to check whether the initial traffic comes from addresses associated with the contract deployer. If so, it may indicate a scam trap, and you should avoid it as much as possible.
3. Review the contract's source code, paying particular attention to the implementation of transfer/transferFrom functions to see if normal buying and selling can occur. For obfuscated source code, it should be avoided.
4. When investing, check the distribution of holders. If there is a significant concentration of funds, try to avoid.
5. Check the source of funds from the contract deployer, try to trace back 10 steps, and see if the source of funds comes from suspicious exchanges.
6. Pay attention to the early warning information released by TenArmor and stop losses in time. TenArmor has the ability to detect such Scam Tokens in advance, follow TenArmor's X account for timely warnings.
7. The TenTrace system has accumulated information on Scam/Phishing/Exploit addresses from multiple platforms, effectively identifying the inflow and outflow of funds from black addresses. TenArmor is committed to improving the community's security environment, and partners in need are welcome to discuss cooperation.
RugPull Event Characteristics
By analyzing a large number of Rugpull events, we found that recent Rugpulls have the following characteristics.
Impersonating currently popular tokens
Since November 1, TenArmor's detection system has identified 5 Rugpull events impersonating the PNUT token. According to this article’s summary, PNUT began operations on November 1 and surged 161 times within 7 days, successfully attracting investors' attention. The timing of PNUT's operation and surge aligns closely with the timing of scammers beginning to impersonate PNUT. Scammers choose to impersonate PNUT to attract more unsuspecting individuals.
The Rugpull incident impersonating PNUT amounted to a total scam value of 103.1K. TenArmor reminds users not to blindly follow trends; when purchasing popular tokens, check whether the token's address is the genuine one.
Regarding new token bots
The issuance of new tokens or projects usually attracts significant market attention. When a new token is first issued, the price fluctuates greatly, with even a second's difference potentially leading to vastly different prices, making transaction speed the key target for profit. Trading bots outperform human traders in both speed and response ability, making new token bots very popular at present.
However, scammers have also keenly noticed the existence of numerous new token bots, setting traps for them to fall into. For example, the address 0xC757349c0787F087b4a2565Cd49318af2DE0d0d7 has initiated over 200 scam incidents since October 2024, with each incident from deploying trap contracts to Rugpull completed within hours.
Taking the latest scam incident initiated from this address as an example, the scammer first created the FLIGHT token using 0xCd93, then created the FLIGHT/ETH trading pair.
After the trading pair was created, a large number of Banana Gun bot users rushed in to exchange small amounts of tokens. Upon analysis, it is not difficult to find that these bot users are controlled by scammers, aiming to create traffic.
About 50 small transactions, after creating traffic, attracted real investors. Most of these investors also used Banana Gun new token bots for trading.
After the transaction continued for some time, the scammers deployed the contract used for Rugpull. It can be seen that the funds for this contract came from address 0xC757. Just 1 hour and 42 minutes after deploying the contract, they executed the Rugpull, draining the liquidity pool and profiting 27 ETH.
Analyzing the methods of this scammer reveals that the scammer first creates traffic by small exchanges to attract bot users, then deploys the Rug contract, and once the profits reach expectations, they execute the Rug. TenArmor believes that although bot users can conveniently and quickly purchase new tokens to seize the opportunity, the existence of scammers must also be considered. When participating in new token offerings, conduct due diligence to check whether the initial traffic comes from addresses associated with the contract deployer. If so, avoid it.
The source code hides secrets
Transaction Tax
The following code is the implementation of the transfer function for FLIGHT. It is evident that this implementation differs significantly from the standard implementation. Each transfer must decide whether to impose a tax based on current conditions. This transaction tax restricts both buying and selling, likely indicating a scam token.
In such cases, users only need to check the token's source code to uncover clues and avoid falling into traps.
Code Obfuscation
In TenArmor's latest and significant Rug Pull event review: how should investors and users respond? The article mentions that some scammers deliberately obfuscate the source code to make their intentions opaque. When encountering such situations, avoid immediately.
Blatantly rugApproved
Among the numerous Rugpull events detected by TenArmor, there are many blatant ones. For example, this transaction directly indicates intent.
There is usually a time window between the deployment of contracts used for Rugpull by scammers and the actual Rugpull. For example, in this case, the time window is nearly 3 hours. To prevent this type of scam, pay attention to TenArmor's X account; we will timely send deployment messages for such risky contracts, reminding users to withdraw funds promptly.
In addition, rescueEth/recoverStuckETH is also a commonly used Rugpull interface. Of course, having this interface does not mean it is a Rugpull; other characteristics must also be combined for identification.
Holder Concentration
In the recent Rugpull events detected by TenArmor, the distribution of holders is also very characteristic. We randomly selected the holder distribution of 3 tokens involved in Rugpull events. The situation is as follows.
0x5b226bdc6b625910961bdaa72befa059be829dbf5d4470adabd7e3108a32cc1a
0x9841cba0af59a9622df4c0e95f68a369f32fbdf6cabc73757e7e1d2762e37115
0x8339e5ff85402f24f35ccf3b7b32221c408680421f34e1be1007c0de31b95f23
In these 3 cases, it is not difficult to find that Uniswap V2 pair is the largest holder, holding an absolute advantage in the amount of tokens. TenArmor reminds users that if they find a token's holders concentrated in one address, such as in the Uniswap V2 pair, then trading that token needs to be approached with caution.
Source of Funds
We randomly selected 3 Rugpull events detected by TenArmor to analyze the sources of funds.
Case 1
tx: 0x0f4b9eea1dd24f1230f9d388422cfccf65f45cf79807805504417c11cf12a291
Tracing back 6 steps reveals the capital inflow of FixedFloat.
FixedFloat is an automated cryptocurrency exchange that does not require user registration or KYC verification. Scammers choose to introduce funds from FixedFloat to hide their identities.
Case 2
tx: 0x52b6ddf2f57f2c4f0bd4cc7d3d3b4196d316d5e0a4fb749ed29e53e874e36725
Tracing back 5 steps reveals the capital inflow of MEXC 1.
On March 15, 2024, the Hong Kong Securities and Futures Commission issued a warning regarding the platform MEXC, stating that MEXC actively promotes its services to Hong Kong investors but has not obtained a license from the Securities and Futures Commission or applied for a license. The Commission has listed MEXC and its website on the warning list of suspicious virtual asset trading platforms as of March 15, 2024.
Case 3
tx: 0x8339e5ff85402f24f35ccf3b7b32221c408680421f34e1be1007c0de31b95f23
Tracing back 5 steps reveals the capital inflow of Disperse.app.
Disperse.app is used to distribute ETH to different contract addresses (distribute ether or tokens to multiple addresses).
Analyzing the transaction reveals that the caller of Disperse.app is 0x511E04C8f3F88541d0D7DFB662d71790A419a039, tracing back 2 steps also finds the capital inflow of Disperse.app.
Analyzing the transaction reveals that the caller of Disperse.app is 0x97e8B942e91275E0f9a841962865cE0B889F83ac, tracing back 2 steps finds the capital inflow of MEXC 1.
Analyzing the above 3 cases, the scammers chose to deposit funds into exchanges without KYC and licenses. TenArmor reminds users to check whether the source of funds from the contract deployer comes from suspicious exchanges when investing in new tokens.
Preventive Measures
Based on the data collected from TenArmor and GoPlus, this article comprehensively organizes the technical characteristics of Rugpull and showcases representative cases. Regarding the above Rugpull characteristics, we summarize the corresponding preventive measures as follows.
1. Do not blindly follow trends; when purchasing popular tokens, check whether the token's address is the genuine one to prevent buying counterfeit tokens and falling into scam traps.
2. When participating in new token offerings, conduct due diligence to check whether the initial traffic comes from addresses associated with the contract deployer. If so, it may indicate a scam trap, and you should avoid it as much as possible.
3. Review the contract's source code, paying particular attention to the implementation of transfer/transferFrom functions to see if normal buying and selling can occur. For obfuscated source code, it should be avoided.
4. When investing, check the distribution of holders. If there is a significant concentration of funds, try to avoid selecting that token.
5. Check the source of funds from the contract deployer, try to trace back 10 steps, and see if the source of funds comes from suspicious exchanges.
6. Pay attention to the early warning information released by TenArmor and stop losses in time. TenArmor has the ability to detect such Scam Tokens in advance, follow TenArmor's X account for timely warnings.
The malicious addresses involved in these Rugpull events will be entered in real-time into the TenTrace system. The TenTrace system is independently developed by TenArmor for anti-money laundering (AML) and is applicable to anti-money laundering, anti-fraud, attacker identity tracking, and other scenarios. The system has accumulated information on Scam/Phishing/Exploit addresses from multiple platforms, effectively identifying the inflow of funds from black addresses and accurately monitoring the outflow of funds from black addresses. TenArmor is committed to improving the community's security environment, and partners in need are welcome to discuss cooperation.
About TenArmor
TenArmor is your first line of defense in the Web3 world. We provide advanced security solutions focused on addressing the unique challenges posed by blockchain technology. Through our innovative products ArgusAlert and VulcanShield, we ensure real-time protection and rapid response to potential threats. Our expert team is proficient in everything from smart contract auditing to cryptocurrency tracking, becoming the preferred partner for any organization looking to protect its digital assets in the decentralized space.
Follow us @TenArmorAlert for timely updates on our latest Web3 security warnings.
Welcome to contact us:
X: @TenArmor
Mail: team@tenarmor.com
Telegram: TenArmorTeam
Medium: TenArmor
About GoPlus
GoPlus, as the first on-chain security protection network, aims to provide every user with the easiest-to-use and comprehensive on-chain security guarantee to ensure the safety of every transaction and asset.
The security service architecture is mainly divided into the GoPlus APP (web and browser plugin products) directly targeting end-users and GoPlus Intelligence, which indirectly serves end-users (through B-end integration or access). It has covered the broadest Web3 user base and various trading scenarios, aiming to build an open, user-driven on-chain security protection network:
On one hand, any project can independently provide on-chain security protection for users by integrating with GoPlus. On the other hand, GoPlus also allows developers to fully utilize their advantages to deploy innovative security products in the GoPlus security market, enabling users to independently select and configure convenient, personalized security services, thus building an open decentralized security ecosystem of collaboration between developers and users.
Currently, GoPlus has become the preferred security partner for Web3 builders, with its on-chain security services widely adopted and integrated by Trust Wallet, CoinMarketCap, OKX, Bybit, DexScreener, SushiSwap, etc. It averages over 34 million daily calls and has been called over 4 billion times, covering over 90% of user transactions on the chain, with its open security application platform serving more than 12 million on-chain users.
Our Community:
X: @GoPlusSecurity
Discord: GoPlusSecurity
Medium: GoPlusSecurity