18 March 2021
The “Summer of DeFi” began in June of 2020 with the rise of yield farming - a colloquial term used by crypto enthusiasts which refers to the passive income opportunities afforded by DeFi protocols such as Compound, Curve, Balancer, Sushi, and so on. These protocols began incentivizing their users with their own governance tokens, which led to a boom that is still underway. While there are some perfectly legitimate yield farming opportunities out there, a disturbing new trend is emerging that investors must be aware of: rug pulls.
To understand what a rug pull is - we first need to grasp the concept of DeFi “Vaults”. The first “Vault” contract was deployed this past summer by Yearn. Essentially, a “Vault” is a smart contract that allows a protocol to move funds between strategies without any action required of the user. The user simply deposits their funds into the Vault, and the Vault will optimize yield farming earnings automatically - along with the reinvestment of all proceeds, taking a small percentage of yield earnings along the way. In order for a smart contract to move funds around, it must tie in with another smart contract known as a deployer contract. The deployer is the portion of the contract which causes the active strategy to change, whereas the Vault itself simply holds and/or reinvests the principal.
A rug pull is when a project siphons off some or all of the funds held in a Vault smart contract. These rug pulls are nearly always deployed by anonymous Dev teams. Once a rug pull occurs, developers typically abandon the project - leaving investors empty-handed.
Scammers are quite creative, and have figured out a number of different ways to conduct these rug pulls, which are most likely to occur in one of the following ways:
- Near infinite token minting
- Token migration scams
- Manipulated deployer contracts
Near-infinite token minting is both the most common and most straightforward method of rug pulling. This type of rug pull occurs when a scam token’s developer mints an inordinately large amount of tokens and then proceeds to dump them onto the market - driving the value of the token to near-zero. Investors providing liquidity to these pools are left holding a massive number of worthless tokens. These scams often lure investors with three-to-four digit APRs, and then mercilessly dump - capturing millions of dollars in the process.
Next we have token migration scams - a more sophisticated method of scam. These are modeled after Sushiswap - a perfectly legitimate fork of Uniswap - which incentivized Uniswap LP tokens and then conducted an automatic “migration” of liquidity to its own exchange. This brand of scam will market itself as a new Decentralized Exchange, will typically incentivize Uniswap (or Sushiswap) LP tokens, and advertise a token migration similar to the one Sushiswap conducted. However, instead of actually migrating to a new exchange, the funds are migrated right to the scammer’s wallet. Permissionless movement of funds like this is extremely risky, and Sushi’s own migration was rough - to say the least.
The last and most sophisticated form of rug pull comes through faulty Vault and Deployer smart contracts. These scammers will put migration code in the deployer contract that allows them to illegitimately withdraw funds to an external wallet - similar to an “exit” button, if you will. Such a scam is what Meerkat Finance attempted to pull off (before being shut down by BSC’s overseers).
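The two contract-level red flags described above (a privileged mint with no supply cap, and a deployer “migrate” that pays out to whatever address its owner names) are the kind of thing a reader of verified source can check for before depositing. The following scanner is an added example, not code from this post or from any project it mentions; it runs a few regex heuristics over Solidity source. Both source samples are constructed for illustration (the contract names FarmToken, Deployer, CappedToken and TimelockedDeployer are hypothetical), and the second shows the hardened counterpart: a hard supply cap, a strategy whitelist, and a timelock that gives users time to exit.

```python
"""Heuristic red-flag scanner for verified token / vault source (added example)."""
import re
from dataclasses import dataclass

# Constructed sample (not a real project): the two patterns the post describes.
RUGGABLE_SOURCE = """
contract FarmToken {
    address public owner;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;
    modifier onlyOwner() { require(msg.sender == owner); _; }

    function mint(address to, uint256 amount) external onlyOwner {
        totalSupply += amount;        // no cap: owner can print unlimited supply
        balanceOf[to] += amount;
    }
}

contract Deployer {
    address public owner;
    IERC20 public token;
    modifier onlyOwner() { require(msg.sender == owner); _; }

    function migrate(address newVault) external onlyOwner {
        token.transfer(newVault, token.balanceOf(address(this)));  // the "exit button"
    }
}
"""

# Constructed hardened counterpart: capped supply, whitelisted strategies, timelock.
HARDENED_SOURCE = """
contract CappedToken {
    uint256 public constant MAX_SUPPLY = 1_000_000e18;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    function mint(address to, uint256 amount) external onlyOwner {
        require(totalSupply + amount <= MAX_SUPPLY, "cap exceeded");
        totalSupply += amount;
        balanceOf[to] += amount;
    }
}

contract TimelockedDeployer {
    IERC20 public token;
    mapping(address => bool) public approvedStrategy;
    uint256 public proposedAt;

    function proposeStrategy(address strategy) external onlyOwner {
        approvedStrategy[strategy] = true;   // visible on-chain; users can exit first
        proposedAt = block.timestamp;
    }

    function migrate(address newStrategy) external onlyOwner {
        require(approvedStrategy[newStrategy], "not an approved strategy");
        require(block.timestamp >= proposedAt + 48 hours, "timelock active");
        token.transfer(newStrategy, token.balanceOf(address(this)));
    }
}
"""

FUNC_RE = re.compile(r"function\s+(\w+)\s*\(([^)]*)\)([^{;]*)\{")
CONTRACT_RE = re.compile(r"\bcontract\s+(\w+)[^{]*\{")
PRIVILEGED = ("onlyOwner", "onlyAdmin", "onlyGovernance", "onlyDev")


@dataclass
class Finding:
    contract: str
    function: str
    issue: str


def _body_at(src: str, open_idx: int) -> str:
    """Return the text between the brace at open_idx and its matching close brace."""
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i]
    return src[open_idx + 1:]


def _contract_of(src: str, pos: int) -> str:
    """Name of the last contract declared before position pos."""
    name = "<global>"
    for m in CONTRACT_RE.finditer(src):
        if m.start() < pos:
            name = m.group(1)
    return name


def scan(src: str) -> list:
    """Flag privileged functions that can mint without a cap or pay out to an arbitrary address."""
    findings = []
    for m in FUNC_RE.finditer(src):
        name, params, header = m.group(1), m.group(2), m.group(3)
        if not any(mod in header for mod in PRIVILEGED):
            continue  # only privileged functions can be pulled unilaterally by the team
        body = _body_at(src, m.end() - 1)
        contract = _contract_of(src, m.start())
        # Red flag 1: a mint whose body never checks a supply cap.
        if "mint" in name.lower() and not re.search(
                r"require\s*\([^;]*(?:MAX_SUPPLY|cap|totalSupply)", body, re.I):
            findings.append(Finding(contract, name, "privileged mint with no supply cap"))
        # Red flag 2: value sent to a caller-supplied address with no require() on it.
        for p in re.findall(r"address\s+(?:payable\s+)?(\w+)", params):
            sends = re.search(rf"\.transfer\s*\(\s*{p}\b|\.transferFrom\s*\([^,]+,\s*{p}\b"
                              rf"|payable\s*\(\s*{p}\s*\)\.call", body)
            guarded = re.search(rf"require\s*\([^;]*\b{p}\b", body)
            if sends and not guarded:
                findings.append(Finding(contract, name, f"privileged transfer to arbitrary address '{p}'"))
    return findings


if __name__ == "__main__":
    for label, src in (("ruggable", RUGGABLE_SOURCE), ("hardened", HARDENED_SOURCE)):
        print(label, [f"{f.contract}.{f.function}: {f.issue}" for f in scan(src)])
```

The heuristics are deliberately coarse: they only look at functions gated by an owner-style modifier, and a `require()` that merely mentions the destination counts as a guard. A clean result says the obvious exit buttons are absent, not that the code is safe; that is what the audits discussed below are for.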
Unfortunately, rug pulls have become a regular occurrence in the DeFi space. Crypto is still mostly unregulated - making it the “Wild West” of finance. Investors in unregulated markets are at increased risk and must take extreme caution when evaluating opportunities. Here are a few things you, as an investor, should be looking for to know that a token or platform is taking security seriously:
Audited Smart Contracts
While this isn’t completely foolproof, code audits provide you with a first line of defense against attacks. Knowing that code has been thoroughly reviewed by at least one reputable auditing company means that the development team is serious about security, and that code errors have been caught. This helps to protect against rug pulls and smart contract code errors alike.
Fully Verified Developers
While there are some legitimate projects that have anonymous Devs, that anonymity creates a trust gap. A good rule of thumb is to use platforms with publicly known team members, whose real names and images are available. Such transparency creates inherent accountability, and provides users with the opportunity for legal recourse if a rug pull (or other loss of funds) occurs.
Some platforms and projects have taken to insuring their AUM on behalf of their investors, underwriting the risks for smart contract exploits. This is a rare feature, only offered by the best projects due to its expense. If a platform does not automatically insure funds, you could take out a policy of your own on a site like Nexus Mutual.
Invest smartly, do thorough research, and be vigilant. Follow channels such as War on Rugs - which keeps up-to-date information on the latest rug pulls and other scams. Tens of millions of dollars have been stolen or otherwise lost this year due to exploits and rug pulls. Don’t be one of the investors who lose out!