Rug Pull

The most direct method where developers withdraw the liquidity pool (LP) tokens from a decentralized exchange (DEX), making the token impossible to sell. This is often preceded by a pump created by hype, after which the developers dump their holdings and remove all liquidity, crashing the price to zero.

• Mechanism: The deployer calls removeLiquidity() or transfers LP tokens to a wallet they control.
• Prevention: Look for locked liquidity via a trusted third-party locker (e.g., Unicrypt) and check if LP tokens are burned or sent to a dead address.

A malicious contract includes a mint() function or other privilege that allows the owner to create an unlimited supply of new tokens at will. After attracting investment, the owner mints and dumps massive quantities, instantly devaluing all other holders' tokens.

• Key Indicator: The contract code is not verified on the block explorer, hiding the function from view.
• Due Diligence: Always review the verified contract source code on Etherscan or similar explorers. Search for owner-only functions like mint, setMinter, or whitelist.

A smart contract is programmed to prevent sells while allowing buys. Investors can purchase the token but cannot sell it, trapping their funds. Variations include blacklisting specific functions for all but the owner or imposing extreme sell taxes (e.g., 99%).

• How it Works: The transfer or transferFrom function contains logic that reverts transactions from non-whitelisted addresses.
• Testing: Attempt a test sell with a very small amount on a testnet or after launch to verify sell functionality before committing significant capital.

Contracts with excessive centralized owner privileges pose a critical risk. Owners may have the ability to:

• Change transaction fees to 100%
• Pause trading
• Upgrade the contract to a malicious version
• Withdraw any ERC-20 tokens sent to the contract

While proxy/upgradeable contracts are legitimate for iterative development, they can be abused if the proxy admin key is not relinquished or placed in a timelock.

A less abrupt scam where developers slowly extract value over time instead of a single catastrophic event. Techniques include:

• Siphoning fees: Taking a disproportionate share of transaction or reflection fees.
• Dumping vesting tokens: Selling allocated "team" or "marketing" tokens on a regular schedule.
• Rugging the treasury: Gradually draining funds from the project's multi-signature wallet under the guise of "development costs."

This method is designed to avoid sudden panic and can prolong the scam for weeks or months.

The technical scam is enabled by fraudulent marketing and identity fabrication. Common tactics include:

• Fake KYC/Doxxing: Using stolen identities or deepfakes for "public" team members.
• Spoofed Audits: Forging audit reports or paying for a superficial review from a disreputable firm.
• Pump Groups & Shilling: Coordinating with influencers and Telegram groups to create artificial hype and FOMO (Fear Of Missing Out) before the pull.

The absence of a verifiable, credible team with public LinkedIn/GitHub histories is a major red flag.

The most direct form of rug pull, where a developer uses administrative privileges or a hidden backdoor to withdraw all liquidity pool tokens (e.g., LP tokens) from a decentralized exchange. This instantly crashes the token's price to zero, as users can no longer sell. It often involves renouncing ownership of a contract as a false signal of security, only after setting up a malicious function.

A developer retains the ability to mint unlimited new tokens via a privileged function in the smart contract. They can then dump these newly created tokens on the market, hyper-inflating the supply and destroying the value of all other holders' assets. This is a soft rug pull that can be executed gradually to avoid immediate detection.

A deceptive smart contract is deployed that appears to function normally but contains code that prevents users from selling their tokens. Common mechanisms include blacklisting the seller's address upon a sell attempt or implementing a fee that makes selling economically impossible (e.g., a 100% transfer tax). This traps investor funds while the developer can still sell.

Warning signs include:

• Unaudited Code: No reputable third-party smart contract audit.
• Centralized Control: Lack of a multisig wallet or timelock for treasury/owner functions.
• Anonymous Teams: No public, doxxed founders with verifiable reputations.
• Unrealistic Returns: Promises of guaranteed, outsized yields (APY).
• Low Liquidity Lock: Liquidity is locked for a very short period or not at all on a service like Unicrypt or Team Finance.

A more insidious, long-term exit strategy where developers gradually extract value from the project's treasury or revenue streams over time, rather than executing a single dramatic exit. This can involve excessive developer fees, selling vested team tokens ahead of schedule, or failing to deliver on roadmap promises while continuing to collect fees.

Understanding related mechanisms is key to defense:

• Smart Contract Audit: A line-by-line review of code by security experts.
• Timelock: A delay on privileged functions, giving users time to react.
• Multisig Wallet: Requires multiple signatures for treasury transactions.
• Liquidity Lock: Committing LP tokens to a time-locked contract.
• Renounced Ownership: The developer gives up all control of a contract, a common but not foolproof signal.

A pump-and-dump scheme disguised as a play-to-earn game token inspired by the Netflix series. The project implemented a sell restriction in its smart contract, preventing most investors from selling their tokens. After a massive price surge, the developers executed a hard rug pull, draining the liquidity pool and abandoning the project, causing the token's value to crash to near zero. This case highlighted the dangers of tokens with artificial trading restrictions.

A vampire attack project that raised 8,706 ETH (approx. $60M at the time) in a Liquidity Bootstrapping Pool (LBP) on OlympusDAO's platform. Within 20 hours of the fundraise concluding, the deployer wallet transferred all raised ETH to a new address and vanished. This was a pure exit scam with no product ever developed. The incident exposed risks in the LBP fundraising model and the need for enhanced multisig or timelock controls on treasury funds.

A bank run-induced collapse often categorized as a soft rug pull or economic failure. The IRON stablecoin, partially backed by the TITAN governance token, experienced a death spiral when large holders (whales) massively redeemed IRON for its underlying assets. This crashed TITAN's price, breaking the stablecoin's peg, and caused a panic sell-off that drained liquidity. While not a malicious exit scam, it demonstrated how poorly designed tokenomics can lead to a de facto rug pull.

One of the first major NFT rug pulls. The developers of the Frosties NFT collection minted out their 8,888 NFTs, promoted the project's roadmap, and then abruptly shut down the website and social channels after the sale, making off with approximately $1.3 million in ETH. The perpetrators were later arrested and charged with wire fraud and money laundering, marking a significant early case of law enforcement action against NFT-based rug pulls.

A DeFi protocol rug pull where the developers behind the Merlin DEX on Polygon and Fantom allegedly exploited their own platform. After attracting liquidity, they used the protocol owner's administrative privileges to mint unlimited MAGE tokens, dumped them on the market, and drained liquidity pools. This case underscored the critical risk of centralized control and unrenounced owner functions in supposedly decentralized applications.

A voting manipulation rug pull targeting the BSC Token Hub governance system. The attacker created a malicious token and proposal, then used a flash loan to borrow a massive amount of BNB, temporarily granting them enough voting power to pass their own proposal. The proposal granted them all the tokens from the hub's treasury, which they stole after the vote passed. This exploited a specific vulnerability in on-chain governance mechanics.

A malicious smart contract that appears normal but contains hidden logic preventing users from selling their tokens. Unlike a classic rug pull, funds are not immediately drained from the liquidity pool. Instead, investors can buy but cannot sell, trapping their capital. This is often combined with a rug pull after the contract accumulates sufficient buy volume.

• Example: A contract with a modified transfer function that blocks transactions from non-whitelisted addresses.

An organization governed by smart contracts and member votes, often proposed as a structural defense against rug pulls. By placing treasury control and key protocol functions under multi-signature wallets or on-chain governance, no single entity can unilaterally execute a scam. However, DAOs can still be vulnerable to governance attacks or exploits if the underlying code is flawed.

An exploit where an attacker borrows a large amount of capital without collateral (using flash loans) to manipulate a protocol's pricing or governance, often leading to massive, instantaneous fund drainage. While distinct from a developer-executed rug pull, the result for users—sudden, total loss of funds—is similar. These attacks exploit logical flaws in DeFi composability and oracle dependencies.