Investigations | February 1, 2022

Pulling the thread on crypto rug pulls

By Nick Smart

Director of Blockchain Intelligence 

NOTE: This article does not constitute specific investment advice and is provided as general guidance only.  

While there has been a noticeable increase in fraud affecting Decentralized Finance (DeFi), often referred to as a ‘Rug Pull’, for many who have spent time watching cryptocurrency travel from obscurity to ubiquity, these scam-types are nothing new under the sun. Initial Coin Offering (ICO) fraudulent schemes were very much in vogue back in 2017; this trend is simply an evolution of a tried and tested scheme using new and more complicated tools. 

How does a rug pull work? Fundamentally, these fraudulent activities involve enticing participants to stake something valuable, be it crypto or even fiat money (government-issued currency), inflating the price of the asset through marketing, or by attracting more investment, then exiting with the victim’s staked assets and leaving the holders with a worthless token to hold instead – in some cases, even without a token at all.   

What has changed is the increased, and much more mainstream, media attention on these illegal schemes, which is broadly in line with a greater public interest in cryptocurrency and blockchain. We should reflect on this positively, but with much caution – we want our industry to prosper, not be accused of being a sink for dirty money or fraud.

Case Study: The Toxic World of Uranium Finance 

Uranium Finance, a Binance Smart Chain decentralized finance project, was exploited during a migration of its protocol in April 2021, losing investors $50 million USD worth of staked BTC, ETH, BUSD, USDT, BNB, DOT, and ADA. The project had been marketed as an automated market maker protocol fork from Uniswap, describing itself as ‘the daily dividends AMM’ on its website (archive copy).

Figure 1 – ETH taken from Uranium Finance to a Mixing Service (image taken from Crystal Blockchain’s proprietary data) 

Despite claims made by the Uranium Finance development team to the contrary in a blog post they wrote after the event, foul play was suspected as the lost funds were transferred to a mixing service; then the project’s GitHub was removed, though its page remains, and its site was also taken down. Many of the allegations made center on the simplicity of the code flaw; irrespective of the veracity of these claims, it does serve to highlight the potential risks with many cryptocurrency projects.

Hype Merchants 

As an industry, we must appreciate that there is a lot of hyperbole around our blockchain projects, as we are enthusiastic and passionate as a community.  Passion and innovation are generally a good thing – but along with this enthusiastic community comes the other side, the bad actors, the individuals with malicious intent, who seek to exploit newcomers, the less technical, and those desperate to get involved in “get-rich-quick” schemes.   

It is unreasonable to ask most people to do a smart contract source code review. Even where a project has a code audit, that audit only applies to the version of the project it was performed on, which may since have been overtaken by different code. But, while it is usual for us to expect the apps on our laptops or smart phones to update frequently and automatically, and generally we don’t care about ‘bug fixes’, what if our entire banking system (not the applications, or software it runs on, but the entire system) changed with so much frequency, and without any control measures?

With blockchain projects that involve our funds, we are often left to place our trust in a development team who may not identify themselves, and in carefully manicured press releases and whitepapers extolling the virtues of a project and how it can be the ‘next big thing’, without any set of procedures for presenting the project with all its due diligence.

What can we do to circumvent potential scams and identify legitimate investment projects? 

Learn the Fundamentals 

Most blockchain projects are complicated, technical affairs that require a deeper level of knowledge on the part of those involved to understand what is going on – something that can be beyond some investors who don’t have that technical background. However, having a basic grasp of the key concepts around blockchain technology, such as the difference between proof-of-work and proof-of-stake, will pay dividends. You should also look for sources, independent of the project you’re looking at, that explain the technology.

YouTube is great for an initial understanding, but make sure to research the concepts independently in case there is a commercial bias involved.  Some good resources are: 

  1. 99bitcoins 
  2. Simply Explained 
  3. Blockchain: The Good, The Bad and How to tell The Difference | Julia Evelyn Larsen  
  4. How Smart Contracts Will Change the World | Olga Mack  

Once you have an idea of the basic concepts, seeking out more technical explanations and hands-on examples of the underlying code, such as Solidity for smart contracts, will go a long way to demystifying what the developers are talking about. You don’t need to become a professional developer: just know enough to understand what the components do, independent of the person who makes them.

Consider this: you wouldn’t buy a used car without taking it on a test drive first, checking for rust, and looking for leaks, even if you’re not a mechanical engineer. If the project wants your hard-earned cash, why wouldn’t you learn how to check things are technically correct first?

Navigating the Roadmap 

Most crypto projects will be delivered with a whitepaper, or roadmap showing the plans for the project.  This is your chance to see what the company stakeholders want to tell the world about their project and how it will function, make a return, and at what stages milestones (new products, accreditation, or new hires, for example) should be delivered. 

Here are a few things to watch out for with whitepapers and roadmaps: 

1. Who’s involved?  

Does the blockchain project list the key people involved, by name, with references such as LinkedIn or GitHub pages? Try reverse image searching the profile pictures and doing some research on the people involved; if the pictures are from stock image libraries and the only media you can find on the team is press releases about the current project they’re working on, maybe you should think twice before giving them your money. 

2. What’s in the whitepaper?

What’s the whitepaper or one-pager like, if there is one? If there isn’t, maybe that’s a bad sign.  If there is a whitepaper, some very simple questions you should ask: 

  • How long is it?   
  • Is it well written, correctly spelled, and formatted?  
  • It should be a technical document, researched, formatted and detailed, showing the team is committed to what they are doing. 

If this sounds harsh on time-strapped developers, it may well be, but at the end of the day it’s your money at stake: the project needs to respect that you deserve information.    

3. What’s the (real) value proposition?

Next, what are they spending the money on?  If it’s mostly marketing or salaries that your investment is being put into, then perhaps you should reconsider the investment. 

Is the objective of the crypto project, and of the documents that support it, a reasonable proposition? If the team states they intend to take 100% of a traditional credit processing company’s market share in 12 months, replacing the leading cryptocurrencies in the next six months, maybe there should be some caution on your part. Though the entire industry is filled with exciting, overnight success stories, they are often the exception, not the rule.

Beware projects seeking to capitalize on a brand, trend, or other social elements; the infamous Squid Game Token sought to use the popular eponymous Korean drama to generate interest in the project, before apparently taking the funds staked by those unsuspecting people who bought into it.

4. Even when you’ve done all your research…

As in more traditional (TradFi) opportunities, there are often occasions where everything just seems right. Some frauds are incredibly sophisticated and work hard to appear legitimate – slick websites, real people, proper documentation.  Perhaps the most important caution, as is said to many an investor – be prepared to lose all of what you stake.  

Bottom line: don’t invest what you can’t afford to lose. 

Mind Your Language 

A call to action for the cryptocurrency and digital asset community: we are excited to be at the forefront of a huge shift in finance, and that no doubt comes with a level of enthusiasm and a will to evangelize and extol our industry. But we need to protect newcomers and build trust with institutions, by bringing them along rather than leaving them behind.

Let’s adjust our tone as a community and lead the way, rather than shout down our critics. 
