Original author: Ada

TenArmor and GoPlus both operate powerful Rugpull detection systems. The two recently joined forces to carry out in-depth risk analysis and case studies of the recent wave of serious Rugpulls, revealing the latest methods and trends in Rugpull attacks and giving users effective security protection suggestions.

Rugpull event statistics

TenArmor's detection system detects a large number of Rugpull events every day. Looking back at the data from the past month, Rugpull events have been on an upward trend, especially on November 14, when there were as many as 31 Rugpull events. We believe it is necessary to disclose this phenomenon to the community.

The loss amounts of these Rugpull incidents mostly fall in the range of 0-100K, with a cumulative loss of 15M.

The most typical Rugpull type in the Web3 field is the "Pixiu" (honeypot) token. GoPlus's Token Security Detection Tool can detect whether a token is a Pixiu token. In the past month, GoPlus has detected a total of 5,688 Pixiu tokens. For more security-related data, visit GoPlus's data dashboard on Dune.

TL;DR

Based on the characteristics of the current Rugpull incidents, we summarize the key points of prevention as follows.

1. Don't blindly follow the trend. When buying a popular token, check that its contract address is the genuine one, so that you do not buy a fake token and fall into a fraud trap.

2. When buying a newly launched token, do due diligence to see whether the early trading traffic comes from addresses associated with the contract deployer. If so, it may be a scam trap and should be avoided as much as possible.

3. Check the source code of the contract, especially the implementation of the transfer/transferFrom functions, to see whether the token can be bought and sold normally. If the source code is obfuscated, avoid the token.

4. When investing, check the distribution of holders. If funds are obviously concentrated, avoid the token as much as possible.

5. Check the source of funds of the contract issuer. Trace back as far as 10 hops where possible and check whether the issuer's funds come from a suspicious exchange.

6. Pay attention to the warnings released by TenArmor and stop losses in time. TenArmor is able to detect such scam tokens in advance. Follow TenArmor's X account to receive timely warnings.

7. The TenTrace system has accumulated a database of Scam/Phishing/Exploit addresses across multiple platforms, which can effectively identify the inflow and outflow of funds from blacklisted addresses. TenArmor is committed to improving the security environment of the community, and welcomes partners with such needs to discuss cooperation.

Rugpull Event Features

By analyzing a large number of Rugpull events, we found that recent Rugpull events have the following characteristics.

Impersonating a well-known coin

Since November 1, the TenArmor detection system has detected 5 Rugpull events impersonating the PNUT token. According to this tweet, PNUT started operating on November 1 and soared 161 times in 7 days, successfully attracting investors' attention. The time when PNUT launched and soared closely matches the time when scammers started impersonating it. Scammers chose to impersonate PNUT in order to lure more people who are unaware of the truth.

The Rugpull incidents impersonating PNUT defrauded users of a total of 103.1K. TenArmor reminds users not to blindly follow the trend. When buying a popular token, check that its contract address is the genuine one.

Targeting new-coin trading bots

The issuance of new coins or new projects usually attracts great attention from the market. When a new coin is first issued, its price fluctuates greatly, and the price can differ widely from one second to the next. Transaction speed therefore becomes the key to profit. Trading bots are far superior to manual traders in speed and responsiveness, so new-coin bots are very popular at present.

However, scammers are keenly aware that large numbers of new-coin bots exist, so they set traps and wait for the bots to take the bait. For example, the address 0xC757349c0787F087b4a2565Cd49318af2DE0d0d7 has launched more than 200 fraud incidents since October 2024, and each incident ended within a few hours, from the deployment of the trap contract to the Rugpull.

Taking a recent scam initiated by this address as an example, the scammer first used 0xCd93 to create the FLIGHT token, and then created the FLIGHT/ETH trading pair.

After the trading pair was created, a large number of Banana Gun new-coin bots immediately rushed in to swap tokens in small amounts. On analysis, it is not difficult to see that these bots were controlled by the scammer in order to create traffic.

After about 50 small transactions, the traffic had built up and real investors were attracted. Most of these investors also used Banana Gun new-coin bots to trade.

After trading had gone on for a while, the scammer deployed a contract for the Rugpull, and it can be seen that the funds of this contract came from the address 0xC757. Only 1 hour and 42 minutes after the contract was deployed, the Rugpull emptied the liquidity pool in one go and made a profit of 27 ETH.

Analyzing the scammer's tactics, it is not difficult to see that the scammer first creates traffic through small-amount swaps to attract new-coin bots, then deploys the Rugpull contract, and pulls the rug once the proceeds reach the expected level. TenArmor believes that although new-coin bots can buy new coins conveniently and quickly and seize the opportunity, the existence of scammers should also be considered. When buying new coins, due diligence should be done to see whether the early traffic comes from addresses associated with the contract deployer. If so, stay away.

The source code hides secrets

Transaction tax

The following figure is the code for the transfer function of FLIGHT. It can be clearly seen that this transfer implementation differs greatly from the standard implementation. On every transfer, it evaluates the current conditions to decide whether to collect a tax. This transaction tax restricts both buying and selling, so the token is likely to be a scam token.

In a case like this, users only need to check the source code of the token to find clues and avoid falling into the trap.

Code Obfuscation

The article "TenArmor's Latest and Major Rug Pull Incident Review: How Investors and Users Should Respond" mentions that some scammers deliberately obfuscate the source code to make it less readable, so that users cannot understand their intentions. If you encounter such a situation, avoid the token immediately.

Blatant rugApproved

Among the many Rugpull incidents detected by TenArmor, there are some that are quite blatant. For example, this transaction is a direct statement of intent.

There is usually a time window between the scammer deploying the contract for the Rugpull and the Rugpull actually being carried out. For example, the time window in this case is close to 3 hours. To guard against this type of scam, you can follow TenArmor's X account. We publish deployment messages for such risky contracts promptly to remind users to withdraw their funds in time.

In addition, rescueEth/recoverStuckETH is also a commonly used Rugpull interface. Of course, the presence of this interface does not by itself mean that a token is a Rugpull; it must be combined with other features to make that identification.
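A first-pass source check for the two signals described above (fee logic inside the transfer path, and rescueEth/recoverStuckETH-style interfaces) can be scripted. This is an added example, not code from the article, TenArmor or GoPlus; the Solidity fragment is constructed, and the keyword heuristic and flag wording are assumptions.

```python
import re

# Constructed Solidity fragment for illustration; not code from any real token.
SAMPLE_SOURCE = """
contract Token {
    uint256 public taxRate = 5;
    function _transfer(address from, address to, uint256 amount) internal {
        uint256 fee = 0;
        // fee applies only on some paths, so buys and sells behave differently
        if (to == pair && !exempt[from]) { fee = amount * taxRate / 100; }
        balances[from] -= amount;
        balances[to] += amount - fee;
    }
    function recoverStuckETH() external onlyOwner {
        payable(owner).transfer(address(this).balance);
    }
    function name() public pure returns (string memory) { return "T"; }
}
"""

# Interface names the article lists as commonly used in Rugpulls.
WITHDRAW_NAMES = {"rescueeth", "recoverstucketh"}
TRANSFER_NAMES = {"transfer", "transferfrom", "_transfer"}
FEE_WORDS = re.compile(r"tax|fee", re.IGNORECASE)  # assumed keyword heuristic
COMMENTS = re.compile(r"//[^\n]*|/\*.*?\*/", re.DOTALL)
FUNC = re.compile(r"\bfunction\s+(\w+)\s*\([^)]*\)[^{;]*\{")


def function_bodies(source):
    """Yield (name, body) for each function definition, matching braces."""
    source = COMMENTS.sub("", source)
    for m in FUNC.finditer(source):
        depth, i = 1, m.end()
        while i < len(source) and depth:
            depth += {"{": 1, "}": -1}.get(source[i], 0)
            i += 1
        yield m.group(1), source[m.end():i - 1]


def review_flags(source):
    """Return items for manual review; a flag alone does not prove a Rugpull."""
    flags = []
    for name, body in function_bodies(source):
        if name.lower() in WITHDRAW_NAMES:
            flags.append(f"{name}: owner withdrawal interface")
        if name.lower() in TRANSFER_NAMES and FEE_WORDS.search(body):
            flags.append(f"{name}: conditional fee logic in transfer path")
    return flags
```

Each flag marks a function to read by hand, and source that cannot be parsed this way because it is obfuscated falls under the avoidance advice above.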

Holder Concentration

In the recent Rugpull events detected by TenArmor, the holder distribution is also very distinctive. We randomly selected the holder distribution of tokens involved in three Rugpull events. The situation is as follows.

0x5b226bdc6b625910961bdaa72befa059be829dbf5d4470adabd7e3108a32cc1a

0x9841cba0af59a9622df4c0e95f68a369f32fbdf6cabc73757e7e1d2762e37115

0x8339e5ff85402f24f35ccf3b7b32221c408680421f34e1be1007c0de31b95f23

In these three cases, it is not difficult to see that the Uniswap V2 pair is the largest holder, with an overwhelming share of the tokens held. TenArmor reminds users that if the holders of a token are found to be concentrated in a single address, such as the Uniswap V2 pair, the token needs to be traded with caution.
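The holder check above can be reproduced from a token's Transfer events when no explorer view is at hand. This is an added example, not code from the article; the event list and address names are constructed, and the 50% threshold is an assumption.

```python
from collections import defaultdict

ZERO = "0x0000000000000000000000000000000000000000"

# Constructed Transfer events (from, to, amount); address names are placeholders.
EVENTS = [
    (ZERO, "deployer", 1_000_000),             # mint
    ("deployer", "uniswap_v2_pair", 950_000),  # liquidity added
    ("uniswap_v2_pair", "buyer_a", 20_000),
    ("uniswap_v2_pair", "buyer_b", 10_000),
    ("buyer_a", "uniswap_v2_pair", 5_000),     # partial sell
]


def balances_from_events(events):
    """Replay Transfer events into current balances (mints/burns use ZERO)."""
    bal = defaultdict(int)
    for src, dst, amount in events:
        if src != ZERO:
            bal[src] -= amount
        if dst != ZERO:
            bal[dst] += amount
    return {addr: b for addr, b in bal.items() if b > 0}


def top_holders(events, n=3):
    """Return the n largest holders as (address, share of circulating supply)."""
    bal = balances_from_events(events)
    supply = sum(bal.values())
    ranked = sorted(bal.items(), key=lambda kv: kv[1], reverse=True)
    return [(addr, amount / supply) for addr, amount in ranked[:n]]


def is_concentrated(events, threshold=0.5):
    """True when a single address holds more than `threshold` of supply."""
    top = top_holders(events, 1)
    return bool(top) and top[0][1] > threshold
```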

Funding

We randomly selected 3 Rugpull events detected by TenArmor to analyze the source of funds.

Case 1

tx: 0x0f4b9eea1dd24f1230f9d388422cfccf65f45cf79807805504417c11cf12a291

Tracing back 6 hops, we find an inflow of funds from FixedFloat.

FixedFloat is an automated cryptocurrency exchange that does not require user registration or KYC verification. The scammers chose to bring in funds from FixedFloat to hide their identities.

Case 2

tx: 0x52b6ddf2f57f2c4f0bd4cc7d3d3b4196d316d5e0a4fb749ed29e53e874e36725

Tracing back 5 hops, we find an inflow of funds from MEXC 1.

On March 15, 2024, the Hong Kong Securities and Futures Commission issued a warning about the platform MEXC. The warning stated that MEXC actively promoted its services to Hong Kong investors, but had neither obtained a license from the Securities and Futures Commission nor applied for one. The Securities and Futures Commission included MEXC and its website in its warning list of suspicious virtual asset trading platforms on March 15, 2024.

Case 3

tx: 0x8339e5ff85402f24f35ccf3b7b32221c408680421f34e1be1007c0de31b95f23

Tracing back 5 hops, we find an inflow of funds via Disperse.app.

Disperse.app is used to distribute ETH to different contract addresses (distribute ether or tokens to multiple addresses).

After analyzing the transaction, we found that the caller of Disperse.app was 0x511E04C8f3F88541d0D7DFB662d71790A419a039. Going back 2 hops, we found that funds flowed into Disperse.app.

After analyzing the transaction, we found that the caller of Disperse.app was 0x97e8B942e91275E0f9a841962865cE0B889F83ac. Going back 2 hops, we found the inflow of funds from MEXC 1.

In the three cases analyzed above, the scammers chose to bring in funds from exchanges without KYC and licenses. TenArmor reminds users that when investing in new coins, they should check whether the contract deployer's funds come from suspicious exchanges.
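The hop-by-hop tracing used in the three cases above, and the earlier check of whether early buyers are funded by the contract deployer, are the same backward walk over transfers with a different stopping condition. The sketch below is an added example, not TenTrace or any code from the article; the transfer list, address names and label set are constructed.

```python
from collections import deque

# Constructed transfers (sender, receiver); address names are placeholders.
TRANSFERS = [
    ("exchange_hot_wallet", "hop1"),
    ("hop1", "hop2"),
    ("hop2", "deployer"),
    ("deployer", "buyer_a"),
    ("deployer", "relay"),
    ("relay", "buyer_b"),
    ("unrelated_funder", "buyer_c"),
]
# Assumed label set; in practice this comes from an address-label database.
LABELS = {"exchange_hot_wallet": "no-KYC exchange (constructed label)"}


def build_funders(transfers):
    """Map each receiver to the set of addresses that sent it funds."""
    funders = {}
    for sender, receiver in transfers:
        funders.setdefault(receiver, set()).add(sender)
    return funders


def trace_back(start, is_target, funders, max_hops=10):
    """Breadth-first walk over inbound transfers. Returns the shortest path
    from `start` back to the first address matching `is_target`, or None."""
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if len(path) - 1 >= max_hops:      # hop budget used up on this path
            continue
        for funder in sorted(funders.get(path[-1], ())):
            if funder in seen:
                continue
            if is_target(funder):
                return path + [funder]
            seen.add(funder)
            queue.append(path + [funder])
    return None


def deployer_funding_source(deployer, funders, labels, max_hops=10):
    """Path from the deployer back to the nearest labelled address."""
    return trace_back(deployer, lambda a: a in labels, funders, max_hops)


def deployer_linked_buyers(buyers, deployer, funders, max_hops=3):
    """Early buyers whose funding traces back to the deployer."""
    return [b for b in buyers
            if trace_back(b, lambda a: a == deployer, funders, max_hops)]
```

On real chain data the walk also needs amount and time filters, since widely used addresses fan out to many unrelated wallets.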

Precautions

Based on the TenArmor and GoPlus data sets, this article comprehensively reviews the technical features of Rugpull and presents representative cases. In view of the above Rugpull features, we summarize the corresponding preventive measures as follows.

1. Don't blindly follow the trend. When buying a popular token, check that its contract address is the genuine one, so that you do not buy a fake token and fall into a fraud trap.

2. When buying a newly launched token, do due diligence to see whether the early trading traffic comes from addresses associated with the contract deployer. If so, it may be a scam trap and should be avoided as much as possible.

3. Check the source code of the contract, especially the implementation of the transfer/transferFrom functions, to see whether the token can be bought and sold normally. Avoid tokens with obfuscated source code.

4. When investing, check the distribution of holders. If funds are obviously concentrated, try to avoid choosing this token.

5. Check the source of funds of the contract issuer. Trace back as far as 10 hops where possible and check whether the issuer's funds come from a suspicious exchange.

6. Pay attention to the warnings released by TenArmor and stop losses in time. TenArmor is able to detect such scam tokens in advance. Follow TenArmor's X account to receive timely warnings.

The malicious addresses involved in these Rugpull events are entered into the TenTrace system in real time. TenTrace is an anti-money laundering (AML) system independently developed by TenArmor, suitable for multiple scenarios such as anti-money laundering, anti-fraud, and attacker identity tracking. The TenTrace system has accumulated an address library of Scam/Phishing/Exploit information across multiple platforms, which can effectively identify the inflow of funds from blacklisted addresses and accurately monitor the outflow of funds from blacklisted addresses. TenArmor is committed to improving the security environment of the community and welcomes partners with such needs to discuss cooperation.

About TenArmor

TenArmor is your first line of defense in the Web3 world. We provide advanced security solutions focused on solving the unique challenges presented by blockchain technology. Through our innovative products ArgusAlert and VulcanShield, we ensure real-time protection and rapid response to potential threats. Our team of experts is well-versed in everything from smart contract auditing to cryptocurrency tracing, making us the partner of choice for any organization looking to protect their digital assets in the decentralized space.

Follow us @TenArmorAlert to get our latest Web3 security alerts.

Contact us:

X: @TenArmor

Mail: team@tenarmor.com

Telegram: TenArmorTeam

Medium: TenArmor

About GoPlus

As the first on-chain security protection network, GoPlus aims to provide every user with the most easy-to-use and comprehensive on-chain security protection to ensure the security of every transaction and asset of the user.

The security service architecture is divided mainly into the GoPlus APP (web and browser plug-in products), which serves consumer (C-end) users directly, and GoPlus Intelligence, which serves consumer users indirectly through business (B-end) integration or access. It covers the widest range of Web3 user groups and various transaction scenarios, and is committed to building an open, user-driven on-chain security protection network:

On the one hand, any project can provide on-chain security protection for users by connecting to GoPlus. On the other hand, GoPlus also allows developers to make full use of their own advantages and deploy innovative security products to the GoPlus security market. Users can independently choose and configure convenient and personalized security services, thereby building an open, decentralized security ecosystem for collaboration between developers and users.

Currently, GoPlus has become the preferred security partner of Web3 Builders. Its on-chain security services are widely adopted and integrated by Trust Wallet, CoinMarketCap, OKX, Bybit, DexScreener, SushiSwap, etc., with an average daily call of more than 34 million times and a cumulative call of more than 4 billion times, covering more than 90% of users' on-chain transactions. Its open security application platform has also served more than 12 million on-chain users.

Our Community:

X: @GoPlusSecurity

Discord: GoPlusSecurity

Medium: GoPlusSecurity

This article is from a contribution and does not represent the views of BlockBeats