This article will take stock of the 10 largest Rug Pulls projects in recent years based on DefiLlama’s on-chain Rug Pulls list.
Written by: Bankless
Compiled by: Zen, PANews
If you have been involved in the DeFi field for many years, you must have experienced more scams and hackers than you imagine. This is the risk we take when interacting at the forefront of financial technology.
Of all the pitfalls of DeFi, the most stinging are often rug pulls. Also known as exit scams, these insider vulnerabilities occur when project insiders take advantage of users’ trust to steal their assets. They often occur through malicious code sneaking into smart contracts, allowing developers to drain those contracts or user wallets.
This article will take stock of the 10 largest Rug Pulls projects in recent years based on DefiLlama’s on-chain Rug Pulls list.
Jay Pegs Auto Mart
Amount of loss: $3.1 million
Date: September 17, 2021
Blockchain:Ethereum
Method: The deposit address was maliciously replaced
The front-end of Sushiswap IDO platform Miso was attacked. An anonymous contractor injected malicious code into the Miso front-end, and the attacker replaced the auction wallet with his own wallet address, resulting in the theft of 864.8 ETH (approximately $3.07 million). The auction that suffered this attack was the DONA token auction of the Jay Pegs Auto Mart project. The SushiSwap team immediately fixed the vulnerability, and after tracking the attackers and requesting FBI intervention, all funds were quickly returned.
Dragoma
Amount of loss: $3.5 million
Date: August 8, 2022
Chain: Polygon
Method: withdraw capital
Similar to the once popular STEPN, Dragoma based on the Polygon network is also a chain game that focuses on the move-to-earn concept. Players can receive dinosaur eggs for free and hatch them into NFTs after 40 days to earn income and obtain DMA tokens. Coins and other rewards. On August 8, 2022, Dragoma was suspected of having a Rug Pull. DMA plummeted from $1.8 to $0.002, a drop of 99.82%. Subsequently, its official Twitter account also displayed "This account does not exist." It is worth mentioning that this plunge occurred less than 24 hours after the DMA token was listed on the crypto exchage MEXC.
Magnate Finance
Amount of loss: $6.4 million
Date: August 25, 2023
Chain:Base
Method: Contract vulnerability
On-chain detective ZachXBT issued a warning on August 25, 2023, saying that the Base ecological lending protocol Magnate Finance may have an exit scam soon, and said that the Magnate Finance deployer address is directly related to the Solfire exit scam. Soon after, the website and social platform of Magnate Finance, the Base ecological lending protocol, became inaccessible. Its Telegram group was also deleted. ZachXBT also stated that the deployer on-chain address was also linked to the Kokomo Finance exit scam.
According to the incident investigation released by Paidun, Magnate Finance conducted a rug pull by directly manipulating the price oracle, resulting in a loss of approximately US$6.5 million. According to Beosin Alert monitoring, the Magnate Finance deployer address is related to Solfire and Kokomo Finance where Rug Pulls occurred previously. The scammer stole a total of $16.7 million.
New blockchain networks are like America’s Wild West, and exercising caution and adhering to audits and time-tested protocols can help reduce risk.
Arbix Finance
Amount of loss: USD 10 million
Date: January 4, 2022
Chain:BNB
Method: Contract vulnerability
Arbix Finance, a liquidity mining protocol based on Binance Smart Chain, has been promoted as a way to "obtain the best returns with low risk", while Arbix uses user deposit arbitrage to earn income. In the early morning of January 4, 2022, approximately $10 million in user funds were siphoned off, and the project social networking sites and website were also shut down. Shortly after, the team injected $4.5 million in ARBX tokens into PancakeSwap, causing its price to drop from $1.42 to zero.
According to CertiK's event analysis, the Arbix Finance project showed too many red flags. The ARBX contract only has the owner function mint(), and 10 million ARBX tokens were minted to 8 addresses. CertiK also confirmed that 4.5 million ARBX were minted to an address and later transferred. Another red flag was $10 million in user funds, which were directed to an unverified pool after being deposited, and hackers eventually gained full access and stole $10 million in assets.
Compounder Finance
Amount of loss: $12 million
Date: December 2, 2020
Chain:Ethereum
Method: Contract vulnerability
Just a few months after the DeFi summer boom, investor sentiment was high and yields were high. Compounder Finance, developed by a group of anonymous developers, has attracted some user attention, and it is no different from countless other protocols hoping to enter the liquidity mining boom. Surprisingly, the culprit who had more than $12 million stolen from its users was not hackers, but the project itself. After completing the audit, the project team added 7 malicious strategy contracts to its code base, which was a very bad DeFi escape incident.
The difference is that after being audited, it added a malicious backdoor to the contacts. This backdoor allowed the developers to steal all user funds deposited into the protocol—approximately $12 million worth. Since then, auditing practices have had to adapt and refocus not only on external threats, but also on internal threats. After the incident, Rekt news and @vasa_develop shared the details of the incident.
Snowdog
Amount of loss: $18.1 million
Date: November 25, 2021
Chain:Avalanche
Method: Contract vulnerability
Avalanche Rush brought $180 million in incentives to the ecosystem and introduced hordes of crypto enthusiasts to a new chain. At a time when Dogecoin was hot, the meme project Snowdog on the Avalanche chain gained a lot of attention. , which even claims to have the vision of creating a reserve currency backed by the liquidity owned by the protocol.
This incident is a typical "Rug Pull". Project insiders are suspected of using the "challengeKey" hidden from the outside world to sell SDOG Token in large quantities in two batches around 6 a.m. this morning through Snowswap, making a profit of US$17 million, causing the price of SDOG to drop 90% in half an hour. TechnoArtoria pointed out that Snowswap's contract code had not been fully reviewed before, and only insiders knew about the "challengeKey" and used it to sell huge amounts of Tokens.
StableMagnet
Amount of loss: $27 million
Date: June 23, 2021
Chain: BNB Chain
Method: Contract vulnerabilities and user wallets
DeFi project StableMagnet promised high returns on stablecoins and attracted tens of millions of TVL investments before launching a "novel carpet approach."
This time the problem does not lie in the smart contract of the project itself, but in the underlying function library called by the smart contract. The project party implanted a backdoor in the underlying function library SwapUtils Library. Therefore, regardless of whether the smart contract code of the project itself is safe or has a time lock, the project party can directly use the backdoor of the underlying function to transfer assets.
After the incident, one of the victims of the incident, KOL Ogle in the DeFi field, and the community investigation team conducted a blanket search. Finally, the British police, who obtained the intelligence, successfully arrested the project members. The assets returned by the arrested members totaled approximately 22.5 million. Dollar.
Paid Network
Amount of loss: $27 million
Date: March 5, 2021
Chain:Ethereum
Method: Infinite Casting and Dumping
The decentralized application Paid Network aims to provide a new way to do business through the proprietary SMART protocol, community-managed arbitration system, reputation scoring, and DeFi tools.
On March 6, 2021, Beijing time, PAID Network officially tweeted that the contract was attacked by hackers. Since the PAID Network project uses an upgradeable storage agent contract model, the attacker used the PAID Network agent contract owner permissions to deploy a malicious logic contract. , and stole more than 59 million PAID tokens.
It is understood that the loophole in which contract owners can freely mint additional tokens has been discovered and pointed out by users very early. Twitter user @WARONRUGS (deleted account) once tweeted about this loophole.
Meerkat Finance
Amount of loss: $32 million
Date: March 4, 2021
Chain:BNB Chain
Method: Contract vulnerability
Meerkat Finance, a DeFi project on the Binance BSC chain, received 13 million BUSD and 73,000 BNB after one day of operation, with a current price of approximately US$31 million. These funds were immediately taken away by the project team.
Meerkat Finance initially claimed it was a hack, but the project later deleted their account
The Meerkat Finance deployer upgraded 2 vaults of the project. The attacker address calls the permissionless initialization function through the Vault proxy, effectively allowing anyone to become the Vault owner [2]. The attacker then drained the vault by calling a function signed 0x70fcb0a7, which accepted a token address as input. Upgrading to a decompilation of the smart contract shows that the only purpose of the function being called is to remove funds in favor of the owner. Since the upgrade was completed by the Meerkat Finance deployer, taking into account all aspects of the data on the chain, the most likely scenario for this incident is a deliberate escape incident, and the possibility of private key leakage is very small.
AnubisDAO
Amount of loss: $60 million
Date: October 29, 2021
Chain:Ethereum
Method: Contract vulnerability
AnubisDAO, the OHM imitation disk project launched by Copper Launch, withdrew its liquidity pool one day after it went online. It was suspected that the funds were used to escape. A total of more than 13,556 ETH was transferred to the address @0x9fc, worth approximately US$58.3 million. Shortly after, the project's Twitter account ceased activity.
In March this year, the address of the AnubisDAO attacker (labeled AnubisDAO exploiter3) transferred 2,500 WETH to the address starting with "0x0D19" and laundered 2,400 ETH (approximately US$3.76 million) through Tornado Cash; in May, the scam incident related The EOA address (0xa570d...) transferred approximately 3,000 ETH (approximately $5.9 million) to Tornado Cash. 0
Summarize
Behind these depressing data on stolen funds, we can also see a positive side - among the incidents investigated, the vast majority of fund losses occurred before 2022. In fact, in this top ten list, funds lost in 2021 accounted for 84% of the total.
What does this teach us? Overall, audit firms have learned the hard way that they must adapt quickly to maintain a good reputation. Additionally, members of the crypto community who have been compromised in the past can dive deeper into the code faster and identify suspicious teams with a higher hit rate.
After repeated rug pulls, DeFi is made stronger by its antifragility, meaning it thrives and grows when exposed to volatility, randomness, chaos and stress, risk and uncertainty , and eventually move towards the right path as time goes by. Will there come a day when unknown teams no longer make ill-gotten gains? This is of course unrealistic. As long as there is profit, bad guys will continue to challenge the bottom line, but our development direction is definitely in the right direction.
