The Rugpull Schemes Behind $15M in Losses: Don’t Get Caught Again!

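Advanced | 12/9/2024, 12:00:41 PM
This article provides an in-depth analysis of the characteristics of Rugpull incidents and offers comprehensive preventive measures. It summarizes the features of recent Rugpull incidents, including impersonation of well-known tokens, traps targeting new-token sniping bots, hidden risks in source code, and anomalies in holder distribution, and explains how to avoid scams by checking token addresses, contract code, holder distribution, and sources of funds.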

TenArmor and GoPlus boast powerful rug pull detection systems. Recently, the two joined forces to conduct in-depth risk analysis and case studies in response to the increasing severity of rug pull incidents. Their research unveiled the latest techniques and trends in rug pull attacks and provided users with effective security recommendations.

Rugpull Incident Statistics​

TenArmor’s detection system identifies numerous Rugpull incidents every day. Looking back at the data from the past month, Rugpull incidents have been on the rise, particularly on November 14th, when the number reached a staggering 31 in a single day. We believe it’s necessary to bring this phenomenon to the community’s attention.

Most of the losses from these Rugpull incidents fall within the $0 — $100K range, with cumulative losses reaching $15 million.

The most typical type of Rugpull in the Web3 space is the honeypot token (known as “貔貅盘” in Chinese). GoPlus’ Token Security Detection Tool can identify whether a token falls into this category. Over the past month, GoPlus has detected 5,688 such tokens. For more security-related data, visit GoPlus’ public data dashboard on Dune.

TL;DR​

Based on the characteristics of recent Rugpull incidents, we have summarized the following preventive measures:

  1. Do not follow blindly: When buying popular tokens, verify if the token address is legitimate to avoid purchasing counterfeit tokens and falling into scam traps.
  2. Conduct due diligence during new token launches: Check if initial traffic comes from addresses related to the contract deployer. If it does, this could indicate a potential scam, so it’s best to avoid it.
  3. Review the contract source code: Pay special attention to the implementation of the transfer/transferFrom functions to ensure that buying and selling can occur normally. If the code is obfuscated, avoid the project.
  4. Analyze the distribution of holders: If there is an obvious concentration of funds among holders, it’s best to stay away from the project.
  5. Trace the funding source of the contract deployer: Try to trace back up to 10 hops to check if the contract deployer’s funds originate from any suspicious exchanges.
  6. Follow TenArmor’s alert updates: React promptly to minimize losses. TenArmor has the ability to detect Scam Tokens in advance, so following TenArmor’s X (formerly Twitter) account can provide timely alerts.
  7. Utilize the TenTrace system: TenTrace has accumulated address data for Scam/Phishing/Exploit incidents from multiple platforms, enabling effective identification of blacklisted address fund movements. TenArmor is committed to improving the security of the community, and we welcome any partners in need of assistance to reach out for collaboration.

Characteristics of Recent Rugpull Incidents​

Through analyzing numerous Rugpull incidents, we have identified the following characteristics of recent Rugpull events.

Since November 1st, the TenArmor detection system has identified five cases of Rugpull incidents involving fake PNUT tokens. According to this tweet, PNUT began operating on November 1st and saw a remarkable 161-fold surge within just seven days, successfully attracting investors’ attention. The timeline of PNUT’s launch and surge coincides closely with when scammers began impersonating PNUT. By impersonating PNUT, scammers aimed to lure in uninformed investors.

The total fraudulent amount from the fake PNUT Rugpull incidents reached $103.1K. TenArmor urges users not to follow trends blindly; when purchasing popular tokens, always verify whether the token address is legitimate.

Targeting Front-Running Bots​

The issuance of new tokens or projects often generates considerable market attention. During the initial release, token prices can fluctuate wildly — even prices within seconds can vary significantly. Speed becomes crucial for maximizing profit, making trading bots a popular tool for front-running new tokens.

However, scammers are also quick to notice the abundance of front-running bots and set traps accordingly. For instance, the address 0xC757349c0787F087b4a2565Cd49318af2DE0d0d7 has carried out over 200 fraudulent incidents since October 2024. Each scam was completed within hours, from deploying the trap contract to executing the Rugpull.

Take the most recent scam incident initiated by this address as an example. The scammer first used 0xCd93 to create the FLIGHT token and then established the FLIGHT/ETH trading pair.

After the trading pair was created, numerous Banana Gun front-running bots rushed in to make small-value token swaps. Upon analysis, it was clear that these bots were actually controlled by the scammer to generate artificial trading volume.

Approximately 50 small-value trades were executed to create the illusion of traffic, which then attracted real investors — many of whom used the Banana Gun front-running bots for their trades.

After a period of trading activity, the scammer deployed a contract for executing the Rugpull. The funds for this contract came from the 0xC757 address. Just 1 hour and 42 minutes after deploying the contract, the scammer drained the liquidity pool in a single stroke, making a profit of 27 ETH.

By analyzing the scammer’s tactics, it’s evident that they first used small-value trades to fabricate traffic, attracted front-running bots, and then deployed a Rug contract, pulling the plug once their profits reached a desired level.

TenArmor believes that although front-running bots make buying new tokens convenient and fast, one must also be cautious of scammers. Conduct thorough due diligence, and if the initial volume seems to come from addresses related to the contract deployer, it is best to avoid the project.

Hidden Tricks in Source Code​

Transaction Tax​

The following code shows the implementation of the FLIGHT token transfer function. It is evident that this implementation differs significantly from the standard one. Each transfer decision involves determining whether or not to apply a tax based on current conditions. This transaction tax limits both buying and selling, making it highly likely that this token is a scam.

In cases like this, users can simply check the token’s source code to identify potential issues and avoid falling into traps.

Code Obfuscation​

In TenArmor’s article, Review of New and Major Rug Pull Events: How Investors and Users Should Respond, it is mentioned that some scammers deliberately obfuscate the source code to make it less readable and conceal their true intentions. When encountering such obfuscated code, it is best to avoid it immediately.

Openly Malicious rugApproved​

Among the numerous Rugpull incidents detected by TenArmor, there are cases where scammers are blatantly obvious about their intentions. For example, this transaction explicitly states its intention.

Typically, there is a time window between when the scammer deploys the contract used for the Rugpull and when the Rugpull is executed. In this particular case, the time window is almost three hours. To prevent such types of scams, you can follow TenArmor’s X account. We will promptly send alerts about the deployment of such risky contracts, reminding users to withdraw their investments in time.

In addition, functions like rescueEth/recoverStuckETH are commonly used in Rugpull contracts. Of course, the existence of such functions does not necessarily mean it is a Rugpull; it still requires considering other indicators for confirmation.
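A first-pass source review of the kind described in this section can be scripted. The sketch below is an added example, not code from TenArmor or GoPlus: it extracts function bodies from Solidity source and reports a conditional tax in the transfer path and the function names cited above. The Solidity fragment is constructed for illustration (the FLIGHT source is not reproduced on this page), and the rule names `conditional-tax` and `named-on-page` are assumptions of this example.

```python
import re

# Constructed Solidity fragment for illustration; this is NOT the FLIGHT token's code.
SAMPLE = r'''
contract Token {
    mapping(address => uint256) private _balances;
    address public owner; address public pair; uint256 public sellTax = 99;

    function _transfer(address from, address to, uint256 amount) internal {
        uint256 taxAmount = 0;
        if (from != owner && to == pair) {   // tax applied only under some conditions
            taxAmount = amount * sellTax / 100;
        }
        _balances[from] -= amount;
        _balances[to] += amount - taxAmount;
        _balances[address(this)] += taxAmount;
    }

    function recoverStuckETH() external {
        require(msg.sender == owner);
        payable(owner).transfer(address(this).balance);
    }
}
'''

COMMENT_RE = re.compile(r'//[^\n]*|/\*.*?\*/', re.S)
FUNC_RE = re.compile(r'\bfunction\s+(\w+)\s*\(')
TAX_RE = re.compile(r'\b\w*(?:tax|fee)\w*\b', re.I)
TRANSFER_NAMES = {"transfer", "_transfer", "transferfrom"}
# Function names cited in the article; a hit is an indicator, not proof.
WITHDRAW_NAMES = {"rescueeth", "recoverstucketh", "rugapproved"}

def function_bodies(source):
    """Yield (name, body) per function, matching braces so nested blocks stay inside."""
    for m in FUNC_RE.finditer(source):
        open_idx = source.find("{", m.end())
        semi = source.find(";", m.end())
        if open_idx == -1 or (semi != -1 and semi < open_idx):
            continue  # declaration without a body (interface or abstract)
        depth, i = 0, open_idx
        while i < len(source):
            if source[i] == "{":
                depth += 1
            elif source[i] == "}":
                depth -= 1
                if depth == 0:
                    break
            i += 1
        yield m.group(1), source[open_idx + 1:i]

def scan(source):
    """Return (function, rule, identifiers) findings for manual follow-up."""
    source = COMMENT_RE.sub("", source)  # comments must not trigger rules
    findings = []
    for name, body in function_bodies(source):
        lname = name.lower()
        if lname in TRANSFER_NAMES:
            idents = sorted({m.group(0) for m in TAX_RE.finditer(body)})
            if idents and re.search(r'\bif\s*\(', body):
                findings.append((name, "conditional-tax", idents))
        if lname in WITHDRAW_NAMES:
            findings.append((name, "named-on-page", []))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

String literals containing braces are not handled, and an empty result does not clear a contract; each finding marks a function to read by hand alongside the other indicators in this article.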

Concentration of Holders​

In recent Rugpull incidents detected by TenArmor, the distribution of holders has shown distinct characteristics. We randomly selected three Rugpull incidents to analyze the holder distribution of the involved tokens. The results are as follows.

0x5b226bdc6b625910961bdaa72befa059be829dbf5d4470adabd7e3108a32cc1a

0x9841cba0af59a9622df4c0e95f68a369f32fbdf6cabc73757e7e1d2762e37115

0x8339e5ff85402f24f35ccf3b7b32221c408680421f34e1be1007c0de31b95f23

In these 3 cases, it is easy to observe that the Uniswap V2 pair is the largest holder, holding an overwhelming majority of the tokens. TenArmor advises users that if a token’s holders are largely concentrated in a single address, such as a Uniswap V2 pair, it is highly likely that the token is a scam.

Source of Funds​

We randomly selected 3 Rugpull incidents detected by TenArmor to analyze their sources of funds.

Case 1​

tx: 0x0f4b9eea1dd24f1230f9d388422cfccf65f45cf79807805504417c11cf12a291

After tracing 6 hops back, we found an inflow of funds from FixedFloat.

FixedFloat is an automated cryptocurrency exchange that does not require user registration or “Know Your Customer” (KYC) verification. Scammers choose to source funds from FixedFloat to conceal their identities.

Case 2​

tx: 0x52b6ddf2f57f2c4f0bd4cc7d3d3b4196d316d5e0a4fb749ed29e53e874e36725

After tracing 5 hops back, we identified an inflow of funds from MEXC 1.

On March 15, 2024, the Hong Kong Securities and Futures Commission (SFC) issued a warning regarding the MEXC platform. The article mentioned that MEXC had been actively promoting its services to Hong Kong investors without acquiring a license from the SFC or applying for one. On March 15, 2024, the SFC included MEXC and its website on the list of suspicious virtual asset trading platforms.

Case 3​

tx: 0x8339e5ff85402f24f35ccf3b7b32221c408680421f34e1be1007c0de31b95f23

After tracing 5 hops back, we found an inflow of funds from Disperse.app.

Disperse.app is used to distribute ether or tokens to multiple addresses.

Analysis of the transaction revealed that the caller of Disperse.app in this case was 0x511E04C8f3F88541d0D7DFB662d71790A419a039. Tracing back 2 hops, we also found an inflow of funds from Disperse.app.

Further analysis showed that the caller of Disperse.app in this case was 0x97e8B942e91275E0f9a841962865cE0B889F83ac. Tracing back 2 hops, we identified an inflow of funds from MEXC 1.

From the analysis of these 3 cases, it is evident that the scammers used exchanges without KYC requirements and unlicensed exchanges to fund their activities. TenArmor reminds users that when investing in new tokens, it is crucial to verify whether the contract deployer’s source of funds comes from suspicious exchanges.
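The hop-by-hop tracing used in these cases, and the earlier check of whether initial trading volume comes from addresses related to the contract deployer, both reduce to walking a funding graph backwards. The following is an added example, not TenArmor's or TenTrace's implementation; every address and label in it is constructed, and the 3-hop relatedness window is an assumption of this sketch.

```python
from collections import defaultdict, deque

# Constructed sample data: all addresses and labels are made up for illustration.
TRANSFERS = [  # (sender, receiver) ETH transfers
    ("exchange_hot", "w1"), ("w1", "w2"), ("w2", "w3"),
    ("w3", "funder"), ("funder", "deployer"),
    ("funder", "bot_a"), ("funder", "bot_b"), ("w2", "bot_c"),
    ("cex_other", "buyer_x"), ("cex_other", "buyer_y"),
]
LABELS = {"exchange_hot": "no-KYC exchange (constructed label)"}
EARLY_SWAPS = ["bot_a", "bot_b", "bot_c", "bot_a", "buyer_x", "bot_b", "buyer_y"]

def build_inflows(transfers):
    """Map each receiver to the set of addresses that sent it funds."""
    inflows = defaultdict(set)
    for sender, receiver in transfers:
        inflows[receiver].add(sender)
    return inflows

def ancestors(inflows, start, max_hops=10):
    """Breadth-first walk backwards; returns {funder: hops} within max_hops."""
    hops = {start: 0}
    queue = deque([start])
    while queue:
        addr = queue.popleft()
        if hops[addr] == max_hops:
            continue  # hop budget exhausted on this branch
        for src in inflows.get(addr, ()):
            if src not in hops:  # also protects against cycles
                hops[src] = hops[addr] + 1
                queue.append(src)
    del hops[start]
    return hops

def labelled_sources(inflows, labels, deployer, max_hops=10):
    """Labelled funding sources of the deployer as (hops, address, label)."""
    found = ancestors(inflows, deployer, max_hops)
    return sorted((h, a, labels[a]) for a, h in found.items() if a in labels)

def related_share(inflows, labels, deployer, early_swaps, max_hops=3):
    """Share of early swaps sent by addresses that share a funder with the deployer."""
    if not early_swaps:
        return 0.0, set()
    cluster = {deployer} | set(ancestors(inflows, deployer, max_hops))
    cluster -= set(labels)  # a shared exchange wallet does not link two users
    flagged = set()
    for buyer in set(early_swaps):
        lineage = {buyer} | set(ancestors(inflows, buyer, max_hops))
        if lineage & cluster:
            flagged.add(buyer)
    share = sum(b in flagged for b in early_swaps) / len(early_swaps)
    return share, flagged

if __name__ == "__main__":
    graph = build_inflows(TRANSFERS)
    print(labelled_sources(graph, LABELS, "deployer"))
    print(related_share(graph, LABELS, "deployer", EARLY_SWAPS))
```

On real data the transfer list would come from an indexer or block explorer export, and the label set needs to cover known exchange and service wallets so that shared deposit infrastructure is not mistaken for a link between buyers and the deployer.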

Prevention Methods​

Based on the combined datasets from TenArmor and GoPlus, this article provides a comprehensive overview of the technical characteristics of Rugpulls and presents representative cases. In response to these Rugpull characteristics, we have summarized the following preventive measures.

  1. Do not follow trends blindly: When buying popular tokens, verify whether the token address is legitimate. This helps prevent purchasing counterfeit tokens and falling into scam traps.
  2. Conduct thorough due diligence during new token launches: Check if initial traffic comes from addresses related to the contract deployer. If it does, it might indicate a scam trap, so it’s best to avoid it.
  3. Review the contract source code: Pay special attention to the implementation of the transfer/transferFrom functions to ensure that buying and selling can occur normally. Avoid projects with obfuscated source code.
  4. Analyze the holder distribution before investing: If the holders are concentrated heavily in a specific address, it’s advisable to avoid that token.
  5. Verify the contract deployer’s source of funds: Trace back up to 10 hops to determine whether the contract deployer’s funds originate from suspicious exchanges.
  6. Follow TenArmor’s alert updates to minimize losses: TenArmor has the capability to detect Scam Tokens in advance. Follow TenArmor’s X (formerly Twitter) account for timely alerts.

The malicious addresses involved in these Rugpull incidents are integrated into the TenTrace system in real time. TenTrace is an Anti-Money Laundering (AML) system developed independently by TenArmor, designed for multiple use cases, including anti-money laundering, anti-fraud, and attacker identification tracking. TenTrace has accumulated address data from multiple platforms related to Scam/Phishing/Exploit, effectively identifying fund inflows to blacklisted addresses and accurately monitoring outflows from these addresses. TenArmor is committed to improving the security of the community and welcomes partners interested in collaboration.

About TenArmor

TenArmor is your first line of defense in the Web3 world. We provide advanced security solutions that address the unique challenges of blockchain technology. With our innovative products, ArgusAlert and VulcanShield, we ensure real-time protection and rapid response to potential threats. Our team of experts specializes in everything from smart contract auditing to cryptocurrency tracing, making TenArmor the go-to partner for any organization looking to secure its digital presence in the decentralized space.

Disclaimer:

  1. This article is reprinted from [medium]. All copyrights belong to the original author [GoPlus Security]. If there are objections to this reprint, please contact the Gate Learn team, and they will handle it promptly.
  2. Liability Disclaimer: The views and opinions expressed in this article are solely those of the author and do not constitute any investment advice.
  3. Translations of the article into other languages are done by the Gate Learn team. Unless mentioned, copying, distributing, or plagiarizing the translated articles is prohibited.
