Understanding the Rugpull Scheme Behind the $15 Million Loss

CN
深潮TechFlow
Follow
6 hours ago

Don't Step on Landmines Again.

Author: Ada

TenArmor and GoPlus have powerful Rugpull detection systems. Recently, the two have joined forces to conduct in-depth risk analysis and case studies in response to the serious situation of recent Rugpulls, revealing the latest tactics and trends of Rugpull attacks, and providing users with effective safety protection advice.

Rugpull Incident Statistics

TenArmor's detection system detects a large number of Rugpull incidents every day. Looking back at the data from the past month, Rugpull incidents have shown an upward trend, especially on November 14, when there were as many as 31 Rugpull incidents in one day. We believe it is necessary to expose this phenomenon to the community.

The losses from these Rugpull incidents mostly fall within the range of 0 - 100K, with a total loss of 15M.

The most typical type of Rugpull in the Web3 field is the PiXiu scheme. GoPlus's Token security detection tool can detect whether a token is a PiXiu scheme. In the past month, GoPlus has detected a total of 5688 PiXiu schemes. More security-related data can be accessed on GoPlus's data dashboard in DUNE.

TL;DR

Based on the characteristics of current Rugpull incidents, we summarize the prevention points as follows.

  1. Do not blindly follow trends. When purchasing popular tokens, check whether the token's address is legitimate to avoid buying counterfeit tokens and falling into scam traps.

  2. When participating in new token launches, conduct due diligence to see if the initial traffic comes from addresses associated with the contract deployer. If so, it may indicate a scam trap, and you should avoid it as much as possible.

  3. Review the contract's source code, especially be wary of the implementation of the transfer/transferFrom functions to see if normal buying and selling can occur. Avoid obfuscated source code.

  4. When investing, check the distribution of holders. If there is a significant concentration of funds, avoid it as much as possible.

  5. Investigate the source of funds for the contract publisher, tracing back as far as possible (10 hops) to see if the funds come from suspicious exchanges.

  6. Pay attention to the early warning information released by TenArmor to stop losses in a timely manner. TenArmor has the ability to detect such Scam Tokens in advance; follow TenArmor's X account for timely alerts.

  7. The TenTrace system has accumulated address database information for scams/phishing/exploits across multiple platforms, effectively identifying the inflow and outflow of funds from blacklisted addresses. TenArmor is committed to improving the community's security environment and welcomes partners in need to discuss cooperation.

Characteristics of Rugpull Incidents

Through the analysis of numerous Rugpull incidents, we have identified the following characteristics of recent Rugpulls.

Impersonating Well-Known Tokens

Since November 1, TenArmor's detection system has identified 5 Rugpull incidents impersonating the PNUT token. According to this tweet, PNUT began operations on November 1 and skyrocketed by 161 times within 7 days, successfully attracting investors' attention. The timing of PNUT's operation and surge coincides closely with when scammers began impersonating PNUT. Scammers chose to impersonate PNUT to lure more unsuspecting individuals.

The total amount defrauded in the Rugpull incidents impersonating PNUT is 103.1K. TenArmor reminds users not to blindly follow trends and to check whether the token's address is legitimate when purchasing popular tokens.

Targeting New Token Bots

The issuance of new tokens or projects usually attracts significant market attention. When new tokens are first issued, price fluctuations can be extreme, with prices varying greatly from one second to the next, making speed a key target for profit. Trading bots, with their superior speed and responsiveness compared to human traders, are currently in high demand for new token launches.

However, scammers have also keenly noticed the presence of numerous new token bots and have set traps for them. For example, the address 0xC757349c0787F087b4a2565Cd49318af2DE0d0d7 has initiated over 200 scam incidents since October 2024, with each incident from deploying trap contracts to Rugpulls concluding within a few hours.

Taking the most recent scam incident initiated by this address as an example, the scammer first created the FLIGHT token using 0xCd93, then created a FLIGHT/ETH trading pair.

Once the trading pair was created, a large number of Banana Gun new token bots rushed in to exchange small amounts of tokens. Analysis reveals that these new token bots are all controlled by the scammers, aimed at creating traffic.

After about 50 small transactions, the created traffic attracted real investors, most of whom also used Banana Gun new token bots for trading.

After trading for a while, the scammers deployed a contract for the Rugpull. It can be seen that the funds for this contract came from address 0xC757. Just 1 hour and 42 minutes after deploying the contract, the Rugpull occurred, draining the liquidity pool and netting a profit of 27 ETH.

Analyzing the scammer's tactics reveals that they first created traffic through small exchanges to attract new token bots, then deployed the Rugpull contract, and once the profits reached expectations, they executed the Rugpull. TenArmor believes that while new token bots can facilitate and expedite the purchase of new tokens, one must also consider the presence of scammers. When participating in new token launches, conduct due diligence to see if the initial traffic comes from addresses associated with the contract deployer; if so, avoid it.

Hidden Secrets in Source Code

Transaction Taxation

The following is the implementation code of the transfer function for FLIGHT. It is evident that this transfer implementation differs significantly from the standard implementation. Each transfer must determine whether to impose a tax based on current conditions. This transaction tax restricts both buying and selling, which is likely indicative of a scam token.

In such cases, users only need to check the token's source code to uncover the clues and avoid falling into traps.

Code Obfuscation

In TenArmor's latest and significant Rug Pull incident review: How should investors and users respond article, it is mentioned that some scammers intentionally obfuscate the source code to make their intentions less understandable. When encountering such situations, avoid them immediately.

Brazen rugApproved

Among the numerous Rugpull incidents detected by TenArmor, there are many brazen cases. For example, this transaction directly indicates the intention.

There is usually a time window from when the scammer deploys the contract for the Rugpull to when the actual Rugpull occurs. For example, in this case, the time window is nearly 3 hours. To prevent this type of scam, you can follow TenArmor's X account, where we will promptly send deployment notifications for such risky contracts, reminding users to withdraw their investments in a timely manner.

In addition, rescueEth/recoverStuckETH are also commonly used Rugpull interfaces. However, having this interface does not necessarily mean it is a Rugpull; other characteristics must be combined to identify it.

Holder Concentration

Recently, TenArmor has detected that the distribution of holders in Rugpull incidents is also very characteristic. We randomly selected the holder distribution of 3 tokens involved in Rugpull incidents. The situations are as follows.

0x5b226bdc6b625910961bdaa72befa059be829dbf5d4470adabd7e3108a32cc1a

0x9841cba0af59a9622df4c0e95f68a369f32fbdf6cabc73757e7e1d2762e37115

0x8339e5ff85402f24f35ccf3b7b32221c408680421f34e1be1007c0de31b95f23

In these 3 cases, it is not difficult to find that the Uniswap V2 pair is the largest holder, holding an absolute advantage in the number of tokens. TenArmor reminds users that if they find that a token's holders are concentrated in a specific address, such as the Uniswap V2 pair, then trading that token should be approached with caution.

Source of Funds

We randomly selected 3 Rugpull incidents detected by TenArmor to analyze the source of funds.

Case 1

tx: 0x0f4b9eea1dd24f1230f9d388422cfccf65f45cf79807805504417c11cf12a291

Tracing back 6 hops reveals the inflow of funds from FixedFloat.

FixedFloat is an automated cryptocurrency exchange that does not require user registration or KYC verification. Scammers choose to introduce funds from FixedFloat to hide their identity.

Case 2

tx: 0x52b6ddf2f57f2c4f0bd4cc7d3d3b4196d316d5e0a4fb749ed29e53e874e36725

Tracing back 5 hops reveals the inflow of funds from MEXC 1.

On March 15, 2024, the Hong Kong Securities and Futures Commission issued a warning about the platform MEXC, stating that MEXC actively promoted its services to Hong Kong investors without obtaining a license from the SFC or applying for one. The SFC has included MEXC and its website in the list of suspicious virtual asset trading platforms as of March 15, 2024.

Case 3

tx: 0x8339e5ff85402f24f35ccf3b7b32221c408680421f34e1be1007c0de31b95f23

Tracing back 5 hops reveals the inflow of funds from Disperse.app.

Disperse.app is used to distribute ETH to different contract addresses (distribute ether or tokens to multiple addresses).

Analysis of the transaction reveals that the caller of this Disperse.app transaction is 0x511E04C8f3F88541d0D7DFB662d71790A419a039. Tracing back 2 hops reveals the inflow of funds to Disperse.app.

Analysis of the transaction shows that the caller of this Disperse.app transaction is 0x97e8B942e91275E0f9a841962865cE0B889F83ac. Tracing back 2 hops reveals the inflow of funds from MEXC 1.

Analyzing these 3 cases, it is evident that the scammers chose to deposit funds through exchanges that do not require KYC and are unlicensed. TenArmor reminds users to check whether the source of funds for the contract deployer comes from suspicious exchanges when investing in new tokens.

Preventive Measures

Based on the data sets from TenArmor and GoPlus, this article comprehensively outlines the technical characteristics of Rugpulls and presents representative cases. In response to the above Rugpull characteristics, we summarize the corresponding preventive measures as follows.

  1. Do not blindly follow trends. When purchasing popular tokens, check whether the token's address is legitimate to avoid buying counterfeit tokens and falling into scam traps.

  2. When participating in new token launches, conduct due diligence to see if the initial traffic comes from addresses associated with the contract deployer. If so, it may indicate a scam trap, and you should avoid it as much as possible.

  3. Review the contract's source code, especially be wary of the implementation of the transfer/transferFrom functions to see if normal buying and selling can occur. Avoid obfuscated source code.

  4. When investing, check the distribution of holders. If there is a significant concentration of funds, avoid selecting that token as much as possible.

  5. Investigate the source of funds for the contract publisher, tracing back as far as possible (10 hops) to see if the funds come from suspicious exchanges.

  6. Pay attention to the early warning information released by TenArmor to stop losses in a timely manner. TenArmor has the ability to detect such Scam Tokens in advance; follow TenArmor's X account for timely alerts.

The malicious addresses involved in these Rugpull incidents will be entered into the TenTrace system in real-time. The TenTrace system is an anti-money laundering (AML) system independently developed by TenArmor, applicable to multiple scenarios such as anti-money laundering, anti-fraud, and attacker identity tracking. The TenTrace system has accumulated address database information for scams/phishing/exploits across multiple platforms, effectively identifying the inflow of funds from blacklisted addresses and accurately monitoring the outflow of funds from those addresses. TenArmor is committed to improving the community's security environment and welcomes partners in need to discuss cooperation.

About TenArmor

TenArmor is your first line of defense in the Web3 world. We provide advanced security solutions focused on addressing the unique challenges posed by blockchain technology. Through our innovative products ArgusAlert and VulcanShield, we ensure real-time protection and rapid response to potential threats. Our expert team is proficient in everything from smart contract auditing to cryptocurrency tracking, making us the preferred partner for any organization looking to protect its digital assets in the decentralized space.

Follow us @TenArmorAlert for timely updates on our latest Web3 security alerts.

Feel free to contact us:

X: @TenArmor

Mail: team@tenarmor.com

Telegram: TenArmorTeam

Medium: TenArmor

About GoPlus

GoPlus, as the first on-chain security protection network, aims to provide every user with the most user-friendly and comprehensive on-chain security assurance to ensure the safety of every transaction and asset.

The security service architecture is mainly divided into the GoPlus APP (web and browser extension products) directly facing end users and GoPlus Intelligence, which indirectly serves end users (through B-end integration or access). It has covered the widest range of Web3 user groups and various trading scenarios, dedicated to building an open, user-driven on-chain security protection network:

On one hand, any project can independently provide on-chain security protection for users by integrating with GoPlus. On the other hand, GoPlus also allows developers to fully leverage their advantages to deploy innovative security products to the GoPlus security market, enabling users to choose and configure convenient, personalized security services, thus building an open decentralized security ecosystem for collaboration between developers and users.

Currently, GoPlus has become the preferred security partner for Web3 builders, with its on-chain security services widely adopted and integrated by Trust Wallet, CoinMarketCap, OKX, Bybit, DexScreener, SushiSwap, and others, averaging over 34 million calls per day, with a total of over 4 billion calls, covering more than 90% of users' on-chain transactions. Its open security application platform has also served over 12 million on-chain users.

Our community:

X: @GoPlusSecurity

Discord: GoPlusSecurity

Medium: GoPlusSecurity

免责声明:本文章仅代表作者个人观点,不代表本平台的立场和观点。本文章仅供信息分享,不构成对任何人的任何投资建议。用户与作者之间的任何争议,与本平台无关。如网页中刊载的文章或图片涉及侵权,请提供相关的权利证明和身份证明发送邮件到support@aicoin.com,本平台相关工作人员将会进行核查。

Share To

Related Articles

avatar
avatarOdaily星球日报
17 minutes ago
Weekly Financing Update | 21 projects received investment, with a disclosed total financing amount of approximately $173 million (11.25-12.1)
avatar
avatar深潮TechFlow
25 minutes ago
Monad Wiki, this is where you start to understand Monad.
avatar
avatar深潮TechFlow
28 minutes ago
Decrypting AICoin: Behind the 83% win rate, which coins are the most profitable?
avatar
avatarPANews
37 minutes ago
Is the narrative of altcoin ETFs starting? XRP surges strongly, and the demand for crypto ETPs in the European and American markets skyrockets.
avatar
avatarPANews
41 minutes ago
Why is it said that Ethereum might return to the PoW era?
APP

X

Telegram

Facebook

Reddit

CopyLink