If you’re a DeFi investor, one of the most painful feelings in the world is going through what’s known as a “rug pull,” which usually involves a project’s developers abandoning the project and running away with their funds. It can happen in a number of ways, for example, when a developer initiates initial liquidity, drives up the price, and then withdraws liquidity, preventing holders from exiting their positions. Another common method is to launch a website but shut it down after attracting hundreds of thousands of deposits.
According to Ciphertrace data, in the second half of 2020, nearly 99% of major fraud and misappropriation of funds were caused by DeFi protocols that executed rug pulls and exit scams.
Notable examples of DeFi rug pulls in 2020 include: Lv.Finance, Emerald Mine, Yfdexf.Finance, SharkTron, Unicats and Compounder.Finance.
We have been scammed twice in our investing history and we totally understand how it feels to have your hard-earned money stolen by scammers.
In this post, we try to help you navigate DeFi and potentially spot signs of a rug pull.
Unverified smart contract code
Smart contracts are usually open to anyone to verify, so that the public can see how the code functions, and audit any suspicious functions.
Deploying unverified code to the blockchain means that no one can see what is written in the code. Malicious actors can execute malicious code at any time and transfer funds locked in smart contracts to other addresses without your permission.
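As an added illustration (not code from the original article), the following Python function shows how a due-diligence script can classify the reply of a block-explorer source-code lookup before you deposit. The three replies are constructed samples in the shape of Etherscan's `getsourcecode` endpoint (for an unverified address that endpoint returns an empty `SourceCode` and the ABI string `Contract source code not verified`); the contract names and the implementation address are placeholders. The proxy case goes slightly beyond the text: a verified proxy is only half the picture, because the logic it delegates to can be swapped and must be verified separately.

```python
import json

# Constructed samples in the shape of an Etherscan "contract / getsourcecode" reply.
# Names and addresses are placeholders, not real contracts.
VERIFIED_RESPONSE = json.dumps({
    "status": "1", "message": "OK",
    "result": [{
        "SourceCode": "pragma solidity ^0.8.0; contract Token { /* ... */ }",
        "ABI": "[{\"type\":\"function\",\"name\":\"transfer\"}]",
        "ContractName": "Token",
        "CompilerVersion": "v0.8.17+commit.8df45f5f",
        "Proxy": "0",
        "Implementation": "",
    }],
})

UNVERIFIED_RESPONSE = json.dumps({
    "status": "1", "message": "OK",
    "result": [{
        "SourceCode": "",
        "ABI": "Contract source code not verified",
        "ContractName": "",
        "CompilerVersion": "",
        "Proxy": "0",
        "Implementation": "",
    }],
})

# A verified proxy whose logic lives in another contract: the proxy being
# verified says nothing about what the implementation behind it does.
PROXY_RESPONSE = json.dumps({
    "status": "1", "message": "OK",
    "result": [{
        "SourceCode": "pragma solidity ^0.8.0; contract Proxy { /* delegates */ }",
        "ABI": "[]",
        "ContractName": "Proxy",
        "CompilerVersion": "v0.8.17+commit.8df45f5f",
        "Proxy": "1",
        "Implementation": "0x000000000000000000000000000000000000beef",  # placeholder
    }],
})

NOT_VERIFIED_MARKER = "Contract source code not verified"


def assess_verification(response_text: str) -> dict:
    """Classify a getsourcecode-style reply into verified / proxy / red flags.

    Returns a dict with keys:
      verified        - True when readable source is published for this address
      proxy           - True when the address is an upgradeable proxy
      implementation  - address whose source must be checked next (proxy only)
      warnings        - list of human-readable red flags
    """
    data = json.loads(response_text)
    result = data.get("result")
    if data.get("status") != "1" or not isinstance(result, list) or not result:
        # Explorer error (bad address, rate limit, ...): treat as unknown, never as safe.
        return {"verified": False, "proxy": False, "implementation": None,
                "warnings": [f"lookup failed: {data.get('message')} / {result}"]}

    entry = result[0]
    source = entry.get("SourceCode", "")
    verified = bool(source.strip()) and entry.get("ABI") != NOT_VERIFIED_MARKER
    proxy = entry.get("Proxy") == "1"
    implementation = entry.get("Implementation") or None

    warnings = []
    if not verified:
        warnings.append("source not verified: nobody can read what this contract does")
    if proxy:
        warnings.append("upgradeable proxy: logic can be swapped; verify the implementation too")
        if implementation is None:
            warnings.append("proxy with no resolvable implementation address")
    return {"verified": verified, "proxy": proxy,
            "implementation": implementation, "warnings": warnings}


if __name__ == "__main__":
    for label, reply in [("verified", VERIFIED_RESPONSE),
                         ("unverified", UNVERIFIED_RESPONSE),
                         ("proxy", PROXY_RESPONSE)]:
        print(label, assess_verification(reply))
```

For a live check you would fetch `https://api.etherscan.io/api?module=contract&action=getsourcecode&address=<contract>&apikey=<key>` and pass the body to `assess_verification`; treat any reply that is not clearly "verified, non-proxy" (or "verified proxy with a verified implementation") as a reason to stay out.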
Example of an unverified contract
Rushed development and rollout
Most legitimate projects take months to plan, promote and launch. If you find evidence that a project is being developed and launched hastily, it should be brought to immediate attention.
For example, many Uniswap clone projects simply fork the Uniswap code base and make rapid changes to the front-end interface while leaving a lot of unfinished work. These are all signs of a potential rug.
In the case of Wineswap defrauding a user of $344,000, the developer didn’t bother changing the name of the token in the contract and just used Sushiswap’s.
For example, many forked projects don't offer any unique benefits or features; instead they make simple UI tweaks to popular projects and repackage themselves as a legitimate project, which makes them highly likely to perform rug pulls.
WaveSwap, a front-end similar to Pancakeswap
Fake social media campaigns
Social media activity can be faked through bots and automated software. These automated bots can like, retweet, comment, and share posts at scale while participating in airdrop campaigns.
Examples of fake social media accounts may seem obvious, with little to no activity other than liking or retweeting promoted posts and content.
Possible bot account
When approaching a DeFi protocol, check its social media accounts - Twitter, Telegram, Discord for bot activity. Are users and participants legitimate, or are they bots masquerading as users?
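The check described above can be made systematic. The Python below is an added example, not part of the original article: it scores the accounts engaging with a project's promotional posts using the three signals a profile page exposes (account age, the share of original posts versus likes and retweets, and the follower-to-following ratio) and reports what fraction of the audience looks automated. The participant records are constructed sample data and the thresholds are assumptions chosen for illustration, not figures from the article.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    handle: str
    age_days: int          # days since the account was created
    followers: int
    following: int
    original_posts: int    # posts the account wrote itself
    amplifications: int    # likes, retweets and shares of other accounts' posts


def bot_signals(a: Account) -> list:
    """Return the heuristic red flags this account triggers (thresholds are assumptions)."""
    signals = []
    if a.age_days < 30:
        signals.append("created in the last 30 days")
    activity = a.original_posts + a.amplifications
    if activity >= 20 and a.original_posts / activity < 0.1:
        signals.append("almost no original content, only likes/retweets")
    if a.following >= 100 and a.followers / a.following < 0.05:
        signals.append("follows many accounts, followed by almost none")
    return signals


def campaign_risk(participants: list, min_signals: int = 2) -> dict:
    """Share of participants that look automated, plus the per-account reasons."""
    flagged = {}
    for a in participants:
        signals = bot_signals(a)
        if len(signals) >= min_signals:
            flagged[a.handle] = signals
    share = len(flagged) / len(participants) if participants else 0.0
    return {"flagged": flagged, "suspicious_share": round(share, 2)}


# Constructed sample: two organic accounts and three freshly created amplifiers.
SAMPLE_PARTICIPANTS = [
    Account("alice_defi", age_days=900, followers=1200, following=400, original_posts=340, amplifications=800),
    Account("bob_builds", age_days=400, followers=150,  following=300, original_posts=90,  amplifications=200),
    Account("user83712",  age_days=5,   followers=2,    following=350, original_posts=0,   amplifications=60),
    Account("user83713",  age_days=4,   followers=1,    following=340, original_posts=1,   amplifications=75),
    Account("user83714",  age_days=6,   followers=0,    following=310, original_posts=0,   amplifications=52),
]


if __name__ == "__main__":
    report = campaign_risk(SAMPLE_PARTICIPANTS)
    print(f"suspicious share: {report['suspicious_share']:.0%}")
    for handle, reasons in report["flagged"].items():
        print(handle, "->", "; ".join(reasons))
```

The point of the campaign-level number is that a single bot proves little, while a promotional thread where most of the engagement comes from week-old accounts with no original content is the pattern the article warns about.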
Unaudited or audited by an unknown audit firm
As DeFi protocols are interconnected with the rest of DeFi and may hold millions or billions of dollars in customer funds, audits play a key role in giving a second opinion on the quality of smart contracts. However, auditing is not foolproof and many protocols have been hacked despite being audited by reputable companies.
The first layer of security is to have the smart contract audited by a reputable auditing company. In our opinion, reputable audit firms include PeckShield, Trail of Bits, Quantstamp and Slowmist.
Auditing firms review the project's codebase, uncover issues and classify them by severity so that the team knows what needs to be fixed. After the audit, the audit report can be published.
Example of an audit checking code
Relying on less reputable auditing firms can pose significant risk to user funds, as they may lower the quality of their audits, or may not have significant experience auditing complex smart contracts. Some projects may employ multiple auditors to audit the smart contract code to determine the trustworthiness of the protocol.
Using a third-party review platform like DeFi Safety can also help alleviate concerns about multiple factors such as code quality, teams, testing procedures, security procedures, and access controls.
DeFi Safety
No timelocks or multi-signatures
Smart contracts can often be upgraded, or have functions that only an administrator can call, usually the address that deployed the contract.
These functions can include creating new liquidity pools or changing protocol parameters such as withdrawal fees in the case of AMMs.
A timelock is typically a piece of code that queues smart contract changes behind time-based escrow, essentially locking the functionality of the smart contract until a pre-defined period of time has passed. For example, if the contract has a timelock of 48 hours, then any changes made through the smart contract must be queued and can only be executed after 48 hours.
Timelocks give users enough time to react to smart contract changes, and if they object to a particular change, they can withdraw funds from the protocol before the change is executed.
Pancakeswap uses a 6-hour timelock to give users some time to react to protocol changes.
Without a timelock, a smart contract administrator or governance could submit and execute a malicious transaction immediately and break the entire protocol. Some projects use multisig instead of timelocks to enforce changes to the protocol. With a multisig, multiple signatures are required for a transaction to execute; the transaction may be set to require authorization by a majority of signers before being sent on-chain.
Many protocols use multisig to control parameters. For example, Curve is a co-signer of yEarn Finance’s governance multisig, which manages the minting of new YFI tokens. If a project does not have these conditions then please be extremely cautious as the developer has full control over your deposits and can withdraw or transfer them at will.
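To make the timelock mechanism concrete, here is an added Python model (an illustration for this post, not code from any real protocol or from the original article) in the style of a Compound-style timelock: every administrative change is queued with an execution time `eta`, the queue is publicly visible, and the change can only run once the configured delay has elapsed. `reaction_window` queues a withdrawal-fee change under a given delay and reports how much warning a depositor gets and whether the admin could have executed it right away; the `Vault` target, the `setWithdrawFee` function and the 14-day grace period are assumed names and values.

```python
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class QueuedChange:
    target: str      # contract being administered (constructed name)
    function: str    # e.g. "setWithdrawFee"
    args: tuple
    eta: int         # earliest unix time at which the change may execute

    def tx_hash(self) -> str:
        payload = json.dumps([self.target, self.function, list(self.args), self.eta])
        return hashlib.sha256(payload.encode()).hexdigest()


class TooEarly(Exception):
    """Change is queued but its timelock has not elapsed."""


class Timelock:
    """Simplified model of a Compound-style timelock: every admin change is
    queued, becomes publicly visible, and can only run once `delay` has elapsed."""

    GRACE_PERIOD = 14 * 24 * 3600   # window after eta in which execution is still allowed (assumed)

    def __init__(self, delay_seconds: int):
        self.delay = delay_seconds
        self.queue = {}        # tx_hash -> QueuedChange
        self.applied = []

    def queue_change(self, now: int, target: str, function: str, args, eta: int) -> QueuedChange:
        if eta < now + self.delay:
            raise ValueError(f"eta must be at least {self.delay}s after queueing")
        change = QueuedChange(target, function, tuple(args), eta)
        self.queue[change.tx_hash()] = change
        return change

    def execute(self, now: int, tx_hash: str) -> QueuedChange:
        change = self.queue.get(tx_hash)
        if change is None:
            raise KeyError("not queued")
        if now < change.eta:
            raise TooEarly(f"locked for another {change.eta - now}s")
        if now > change.eta + self.GRACE_PERIOD:
            raise ValueError("stale: grace period expired, must be re-queued")
        del self.queue[tx_hash]
        self.applied.append(change)
        return change

    def pending(self, now: int) -> list:
        """What a depositor can see: each queued change and how long until it can run."""
        return [(c.function, c.args, max(0, c.eta - now)) for c in self.queue.values()]


def reaction_window(delay_seconds: int, now: int = 1_700_000_000) -> dict:
    """Queue a fee change under a timelock of `delay_seconds` and report what a user gets:
    seconds of warning before it can run, and whether the admin could run it immediately."""
    tl = Timelock(delay_seconds)
    change = tl.queue_change(now, "Vault", "setWithdrawFee", (10_000,), now + delay_seconds)
    warning = tl.pending(now)[0][2]
    try:
        tl.execute(now + 1, change.tx_hash())
        immediate = True
    except TooEarly:
        immediate = False
    return {"warning_seconds": warning, "executable_immediately": immediate}


if __name__ == "__main__":
    print("48h timelock:", reaction_window(48 * 3600))
    print("6h timelock: ", reaction_window(6 * 3600))
    print("no timelock: ", reaction_window(0))
```

With a 48-hour delay the queued fee change sits in `pending` for 172800 seconds before it can execute, which is the window in which depositors can withdraw; with a delay of zero the same change is executable in the next block, which is exactly the "developer has full control over your deposits" situation described above.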
There are many ways a new project can scam you out of your funds, and the checks above are by no means the only ways to protect your hard-earned money.
In fact, if something seems too good to be true for you, or feels intuitively suspicious, avoid it. There's no reason to risk all your capital just to be greedy for a few extra dollars.
DeFi can be a dangerous space because it’s an unregulated space with many malicious actors trying to trick you every step of the way — from social engineering to trying to get you to hand over your seed phrase.
Editor's note: The original title is "How to spot a potential rug pull in DeFi"; the title of this article has been modified to suit the readability of the communication channel. Author: Stakingbits
Source: medium
Disclaimer: Cointelegraph Chinese is a blockchain news information platform, and the information provided only represents the author's personal opinion, which has nothing to do with the position of the Cointelegraph Chinese platform, and does not constitute any investment and financial advice. Readers are requested to establish correct currency concepts and investment concepts, and earnestly raise risk awareness.