Bankless: A Review of the Top Ten On-Chain Rug Pull Projects in the Crypto Space, Mainly from the Last Bull Market

PANews
2023-09-19 18:03:46
Among all the pitfalls in DeFi, the most painful are often Rug Pulls.

Source: Bankless

Original Title: Top 10 Rug Pulls

Original Author: 563

Translated by: Zen, PANews

If you have been deeply involved in the DeFi space for many years, you must have experienced more scams and hacks than you can imagine. This is the risk we take when interacting at the forefront of financial technology.

Among all the traps in DeFi, the most painful are often Rug Pulls. These internal vulnerabilities, also known as exit scams, occur when insiders exploit user trust to steal their assets. They typically happen through malicious code embedded in smart contracts, allowing developers to drain these contracts or user wallets.

This article will review the top 10 largest Rug Pull projects in recent years based on the on-chain Rug Pulls leaderboard from DefiLlama.

Jay Pegs Auto Mart

Loss Amount: $3.1 million

Date: September 17, 2021

Chain: Ethereum

Method: Malicious replacement of deposit address

The frontend of the Sushiswap IDO platform Miso was attacked. An anonymous contractor injected malicious code into the Miso frontend, replacing the auction wallet with their own wallet address, resulting in the theft of 864.8 ETH (approximately $3.07 million). The auction affected by this attack was for the DONA token of the Jay Pegs Auto Mart project. Subsequently, the SushiSwap team quickly fixed the vulnerability, and after tracking the attacker and requesting FBI intervention, all funds were soon returned.

Dragoma

Loss Amount: $3.5 million

Date: August 8, 2022

Chain: Polygon

Method: Withdrawal of funds

Similar to the once-popular STEPN, Dragoma, based on the Polygon network, is also a blockchain game focusing on the move-to-earn concept, where players can receive dinosaur eggs for free and hatch them into NFTs to earn rewards, including DMA tokens. On August 8, 2022, Dragoma allegedly experienced a Rug Pull, with DMA plummeting from $1.8 to $0.002, a drop of 99.82%. Subsequently, its official Twitter account displayed "This account does not exist." Notably, the DMA token had been listed on the cryptocurrency exchange MEXC for less than 24 hours before this crash occurred.

Magnate Finance

Loss Amount: $6.4 million

Date: August 25, 2023

Chain: Base

Method: Contract vulnerability

On August 25, 2023, on-chain detective ZachXBT issued a warning that the Base ecosystem lending protocol Magnate Finance might soon experience an exit scam, stating that the deployer address of Magnate Finance had direct links to the Solfire exit scam. Shortly after, Magnate Finance's website and social media platforms became inaccessible, and its Telegram group was deleted. ZachXBT further noted that the deployer's on-chain address was also linked to the Kokomo Finance exit scam.

According to an incident investigation released by PieShield, Magnate Finance conducted a Rug Pull by directly manipulating price oracles, resulting in a loss of approximately $6.5 million. Beosin Alert monitoring also indicated that the deployer address of Magnate Finance was related to previous Rug Pulls involving Solfire and Kokomo Finance. The scammer stole a total of $16.7 million.

New blockchain networks are like the Wild West of America; exercising caution and adhering to audits and time-tested protocols can help mitigate risks.

Arbix Finance

Loss Amount: $10 million

Date: January 4, 2022

Chain: BNB

Method: Contract vulnerability

The liquidity mining protocol Arbix Finance, based on Binance Smart Chain, was promoted as a way to "achieve the best returns with low risk," while Arbix profited from user deposits. In the early hours of January 4, 2022, approximately $10 million of user funds were drained, and the project's social media and website were shut down. Shortly after, the team injected $4.5 million worth of ARBX tokens into PancakeSwap, causing its price to plummet from $1.42 to zero.

According to an incident analysis by CertiK, the Arbix Finance project exhibited many warning signs. The ARBX contract had a mint() function that only the owner could call, and 10 million ARBX tokens were minted to 8 addresses. CertiK also confirmed that 4.5 million ARBX were minted to one address and later transferred. Another warning sign was that the $10 million of user funds was directed to unverified pools after being deposited, allowing hackers to gain full access and steal the $10 million in assets.

Compounder Finance

Loss Amount: $12 million

Date: December 2, 2020

Chain: Ethereum

Just a few months after the DeFi summer boom, investor sentiment was high, and yields were impressive. Compounder Finance, developed by a group of anonymous developers, attracted some user attention, and it was no different from countless other protocols hoping to enter the liquidity mining craze. Surprisingly, the culprit behind the theft of over $12 million from its users was not a hacker but the project team itself. After completing an audit, the team added seven malicious strategy contracts to its codebase, marking a particularly egregious DeFi exit scam.

The difference was that after the audit, they added a malicious backdoor to the contracts. This backdoor allowed the developers to steal all user funds deposited into the protocol, worth approximately $12 million. Since then, auditing practices have had to adjust, focusing not only on external threats but also on internal threats. Following the incident, Rekt news and @vasa_develop shared detailed accounts of the event.

Snowdog

Loss Amount: $18.1 million

Date: November 25, 2021

Chain: Avalanche

Method: Contract vulnerability

Avalanche Rush brought $180 million in incentives to the ecosystem, attracting a flock of crypto enthusiasts to a new chain, coinciding with the popularity of Dogecoin. The meme project Snowdog on the Avalanche chain garnered much attention, claiming to create a reserve currency supported by protocol-owned liquidity.

This incident was a typical "Rug Pull." Insiders allegedly exploited a hidden "challengeKey" to sell off large amounts of SDOG Token through Snowswap around 6 AM, profiting $17 million and causing the SDOG price to drop 90% within half an hour. TechnoArtoria pointed out that the contract code of Snowswap had not been thoroughly reviewed, and only insiders knew about the "challengeKey," which they used for massive token sales.

StableMagnet

Loss Amount: $27 million

Date: June 23, 2021

Chain: BNB Chain

Method: Contract vulnerability and user wallets

The DeFi project StableMagnet promised high returns on stablecoins and attracted tens of millions in TVL investment before launching its "novel carpet method."

The issue did not lie within the project's own smart contract but in the underlying function library called SwapUtils Library. The project team implanted a backdoor in the underlying function library, allowing them to transfer assets directly through the backdoor of the underlying functions, regardless of whether the project's smart contract code was secure or had a time lock.

After the incident, one of the victims, DeFi KOL Ogle, along with a community investigation team, conducted a thorough search, ultimately leading to the arrest of project members by the British police, who recovered approximately $22.5 million in assets.

Paid Network

Loss Amount: $27 million

Date: March 5, 2021

Chain: Ethereum

Method: Infinite minting and selling

The decentralized application Paid Network aimed to provide a new way to conduct business through its proprietary SMART protocol, community-managed arbitration system, reputation scoring, and DeFi tools.

On March 6, 2021, Beijing time, the PAID Network official tweeted that the contract had been hacked. Since the PAID Network project used an upgradable storage proxy contract model, the attacker exploited the owner permissions of the PAID Network proxy contract to deploy a malicious logic contract, stealing over 59 million PAID tokens.

It was reported that the vulnerability allowing the contract owner to freely mint additional tokens had been discovered and pointed out by users long ago, with Twitter user @WARONRUGS (now deleted) having tweeted about this vulnerability.

Meerkat Finance

Loss Amount: $32 million

Date: March 4, 2021

Chain: BNB Chain

Method: Contract vulnerability

The DeFi project Meerkat Finance on the Binance BSC chain gained $13 million in BUSD and 73,000 BNB in revenue just one day after its launch, valued at approximately $31 million, and then these funds were immediately taken away by the project team.

Meerkat Finance initially claimed it was a hacker attack, but the project team later deleted their accounts.

The deployer of Meerkat Finance upgraded the project's two vaults. The attacker's address then called an unpermissioned initialization function through the Vault proxy, which effectively allowed anyone to become the owner of the Vault. The attacker then drained the vault by calling a function with the selector 0x70fcb0a7, which accepted a token address as input. Decompilation of the upgraded smart contract showed that the sole purpose of this function was to remove funds with the owner as the beneficiary. Given that the upgrade was completed by the Meerkat Finance deployer, and considering all aspects of the on-chain data, the most likely scenario for this incident is a deliberate exit scam, with the possibility of a private key leak being very low.
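
A reviewer can surface a function like 0x70fcb0a7 without a full decompiler by listing the selectors that the implementation's dispatcher compares against and checking them against the interface the project publishes. The sketch below is an added example, not code from the article or from any project it names; the declared interface and the sample bytecode are constructed for illustration, and only the selector 0x70fcb0a7 comes from the text.

```python
# Declared interface of a hypothetical vault (constructed for this example).
DECLARED = {"b6b55f25": "deposit(uint256)", "2e1a7d4d": "withdraw(uint256)"}

PUSH1, PUSH4, PUSH32, EQ = 0x60, 0x63, 0x7F, 0x14

def dispatcher_selectors(runtime_hex):
    """Walk EVM runtime bytecode and return every 4-byte value used as
    `PUSH4 <sel> EQ`, the comparison compilers emit in the dispatcher."""
    if runtime_hex.startswith("0x"):
        runtime_hex = runtime_hex[2:]
    code = bytes.fromhex(runtime_hex)
    found, pc = [], 0
    while pc < len(code):
        op = code[pc]
        if PUSH1 <= op <= PUSH32:
            width = op - PUSH1 + 1            # PUSHn carries n immediate bytes
            imm = code[pc + 1 : pc + 1 + width]
            nxt = pc + 1 + width              # skip immediates: they are data
            if op == PUSH4 and len(imm) == 4 and nxt < len(code) and code[nxt] == EQ:
                found.append(imm.hex())
            pc = nxt
        else:
            pc += 1
    return found

def undeclared(runtime_hex, declared):
    """Selectors reachable through the dispatcher but absent from the interface."""
    return [s for s in dispatcher_selectors(runtime_hex) if s not in declared]

def _case(selector, dest):
    # DUP1 PUSH4 <selector> EQ PUSH2 <dest> JUMPI
    return "8063" + selector + "1461" + dest + "57"

# Constructed sample runtime code (not real contract bytecode).
SAMPLE = (
    "7f" + "63deadbeef14" + "00" * 26 + "50"   # PUSH32 constant that only looks like a case, POP
    + "600035" + "60e01c"                      # load calldata word, shift down to the selector
    + _case("b6b55f25", "0040")
    + _case("2e1a7d4d", "0050")
    + _case("70fcb0a7", "0060")                # selector named in the article
    + "00"
)

if __name__ == "__main__":
    for sel in undeclared(SAMPLE, DECLARED):
        print("undeclared selector in dispatcher: 0x" + sel)
```

For a proxy, the check has to be run on the implementation's runtime code and repeated after every upgrade, since the upgrade is what introduced the function in the case described above.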

AnubisDAO

Loss Amount: $60 million

Date: October 29, 2021

Chain: Ethereum

Method: Contract vulnerability

One day after the launch of the OHM fork project AnubisDAO on Copper Launch, the liquidity pool was withdrawn, allegedly leading to an exit scam, with over 13,556 ETH transferred to address @0x9fc, valued at approximately $58.3 million. Soon after, the project's Twitter account ceased activity.

In March of this year, the address of the AnubisDAO attacker (marked as AnubisDAO exploiter 3) transferred 2,500 W ETH to an address starting with "0x0D19" and laundered 2,400 ETH (approximately $376,000) through Tornado Cash; in May, the EOA address related to the scam incident (0xa570d…) transferred approximately 3,000 ETH (about $5.9 million) into Tornado Cash.

Conclusion

Behind these frustrating data on stolen funds, we can also see a positive side—most of the funds lost in the investigated incidents occurred before 2022. In fact, in this top ten list, the funds lost in 2021 accounted for 84% of the total.

What does this teach us? Overall, auditing firms have learned from painful lessons that they must adapt quickly to maintain a good reputation. Additionally, members of the crypto community who have been attacked in the past can delve into the code more quickly and identify suspicious teams with a higher hit rate.

After repeated occurrences of Rug Pulls, the antifragility of DeFi has made it stronger, meaning that when exposed to volatility, randomness, chaos, stress, risk, and uncertainty, it can thrive and grow, ultimately moving in the right direction over time. Will there come a day when unknown teams no longer profit from ill-gotten gains? This is certainly unrealistic. As long as there is profit to be made, bad actors will continue to challenge the bottom line, but the direction we are developing is undoubtedly correct.
