Ethereum New Token Ecosystem Survey: Nearly Half Involved in Rug Pull Scams Amounting to 800 Million USD
In-depth Investigation of Rug Pull Cases, Unveiling the Chaos in the Ethereum Token Ecosystem
Introduction
In the Web3 world, new tokens are constantly emerging. Have you ever wondered how many new tokens are issued every day? Are these new tokens safe?
These questions did not arise without reason. In recent months, the security team has captured a large number of Rug Pull transaction cases. It is worth noting that the tokens involved in these cases are all newly launched tokens that have just gone on-chain.
Subsequently, the security team conducted an in-depth investigation into these Rug Pull cases and discovered the existence of organized criminal groups behind them, summarizing the patterned characteristics of these scams. Through a thorough analysis of the methods employed by these groups, a possible scam promotion channel for Rug Pull gangs was identified: Telegram groups. These gangs utilize the "New Token Tracer" feature in certain groups to attract users to purchase scam tokens and ultimately profit through Rug Pulls.
Statistics show that from November 2023 to early August 2024, these Telegram groups pushed a total of 93,930 new Tokens, among which 46,526 were involved in Rug Pulls, accounting for as high as 49.53%. According to statistics, the cumulative investment cost of the gangs behind these Rug Pull Tokens was 149,813.72 Ether, profiting 282,699.96 Ether at a return rate as high as 188.7%, equivalent to about 800 million USD.
To assess the proportion of Ethereum mainnet tokens that are pushed through Telegram groups, the security team compiled data on all new tokens issued on the Ethereum mainnet during the same period. A total of 100,260 new tokens were issued in that time, and the tokens pushed through Telegram groups account for 89.99% of them. On average about 370 new tokens are created every day, far more than any reasonable expectation. Continued in-depth investigation produced an unsettling result: at least 48,265 of these tokens, 48.14%, are involved in Rug Pull scams. In other words, nearly one in every two new tokens on the Ethereum mainnet is a scam.
In addition, more Rug Pull cases have been discovered in other blockchain networks. This means that not only the Ethereum mainnet, but the overall security situation of the newly issued Token ecosystem in Web3 is far more severe than expected. Therefore, this report aims to help all Web3 members raise their awareness of prevention, remain vigilant in the face of the endless scams, and take necessary preventive measures in a timely manner to protect the safety of their assets.
ERC-20 Token
Before officially starting this report, let's first understand some basic concepts.
ERC-20 is currently one of the most common token standards on the blockchain. The standard defines a set of interfaces that allow tokens to interoperate across different smart contracts and decentralized applications (dApps). It specifies the basic functions of a token, such as transferring, querying balances, and authorizing third parties to manage tokens. Thanks to this standardized protocol, developers can issue and manage tokens more easily, which simplifies both the creation and the use of tokens. In fact, any individual or organization can issue their own tokens based on the ERC-20 standard and raise startup funds for financial projects through token presales. Because ERC-20 tokens are so widely used, they have become the foundation of many ICOs and decentralized finance projects.
The USDT, PEPE, and DOGE that we are familiar with are all ERC-20 tokens, which users can purchase through decentralized exchanges. However, certain scam groups may also issue malicious ERC-20 tokens with code backdoors, list them on decentralized exchanges, and then lure users into making purchases.
Typical Scam Cases of Rug Pull Tokens
Here, we borrow a case of a Rug Pull token scam to gain an in-depth understanding of the operational model of malicious token scams. First, it should be noted that a Rug Pull refers to a fraudulent act where the project team suddenly withdraws funds or abandons the project in decentralized finance projects, resulting in significant losses for investors. Rug Pull tokens, on the other hand, are tokens specifically issued to carry out such fraudulent activities.
The Rug Pull Tokens mentioned in this article are sometimes also referred to as "Honey Pot Tokens" or "Exit Scam Tokens", but in the following text, we will uniformly refer to them as Rug Pull Tokens.
Case
The attacker (the Rug Pull gang) deployed the TOMMI Token from the Deployer address, then created a liquidity pool with 1.5 ETH and 100,000,000 TOMMI and bought TOMMI through other addresses to fake trading volume in the pool, attracting users and new-token listing bots to buy TOMMI. Once enough new-listing bots had been lured in, the attacker executed the Rug Pull from the Rug Puller address, dumping 38,739,354 TOMMI into the liquidity pool in exchange for approximately 3.95 ETH. The Rug Puller's tokens came from a malicious approve in the TOMMI token contract: at deployment the contract makes the liquidity pool grant approval to the Rug Puller, which lets the Rug Puller withdraw TOMMI directly from the pool and then carry out the Rug Pull.
Rug Pull process
The attacker funded the Token Deployer with 2.47309009 Ether through a certain exchange as the initial capital for the Rug Pull.
The Deployer created the TOMMI Token, pre-mining 100,000,000 Tokens and allocating them to itself.
The deployer used 1.5 Ether and all pre-mined tokens to create a liquidity pool, obtaining approximately 0.387 LP tokens.
The Token Deployer sent all LP Tokens to the zero address to destroy them. Since the TOMMI contract has no Mint function, the Token Deployer has in theory lost the ability to execute a Rug Pull at this point. (This is also one of the conditions needed to attract new-token bots: some of them assess whether a newly listed token carries Rug Pull risk. The Deployer also set the contract Owner to the zero address to defeat the anti-fraud checks of these bots.)
Attackers actively purchased TOMMI tokens from the liquidity pool using multiple addresses, inflating the trading volume of the pool, which further attracted new trading bots to enter the market (the basis for determining that these addresses are disguised by the attackers: the funds of the related addresses come from the historical fund transfer addresses of the Rug Pull gang).
The attacker initiated a Rug Pull through the Rug Puller address, directly transferring 38,739,354 Tokens from the liquidity pool via a backdoor in the token, and then used these tokens to crash the pool, extracting approximately 3.95 Ether.
The attacker sent the proceeds of the Rug Pull to an intermediary address.
The intermediary address sent the funds on to the fund retention address. This shows that once a Rug Pull is complete, the Rug Puller forwards the funds to a particular fund retention address. The fund retention address is where the proceeds of a large number of monitored Rug Pull cases are aggregated. It splits most of the funds it receives to start a new round of Rug Pulls, while a small portion is withdrawn through a certain exchange.
Rug Pull backdoor code
Although the attackers have tried to prove to the outside world that they cannot perform a Rug Pull by destroying LP Tokens, in reality, they have left a malicious approve backdoor in the openTrading function of the TOMMI Token contract. This backdoor allows the liquidity pool to approve the transfer of tokens to the Rug Puller address when creating the liquidity pool, enabling the Rug Puller address to directly withdraw tokens from the liquidity pool.
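The check below is an added example, not code from the report or its authors. It re-evaluates the two signals that the naive new-token bots in the TOMMI case relied on (LP tokens burned, owner renounced) against the token's Approval events, where an approval whose owner is the liquidity pool itself would surface. All addresses and the event stream are constructed placeholders.

```python
# Added example, not code from the report: re-check the two signals naive
# new-token bots rely on (LP burned, owner renounced) against the token's
# Approval events, where a TOMMI-style pair-to-Rug-Puller approval shows up.
ZERO = "0x0000000000000000000000000000000000000000"

# Constructed placeholder addresses; none are real on-chain identifiers.
DEPLOYER, TOKEN, PAIR = "0xdeployer", "0xtoken", "0xpair"
ROUTER = "0xrouter"          # the only spender a pair legitimately approves
RUG_PULLER = "0xrugpuller"

# Constructed event stream mimicking the TOMMI sequence described above.
SAMPLE_EVENTS = [
    {"event": "OwnershipTransferred", "contract": TOKEN, "from": DEPLOYER, "to": ZERO},
    {"event": "Transfer", "contract": PAIR, "from": DEPLOYER, "to": ZERO,
     "value": 387_000_000_000_000_000},
    {"event": "Approval", "contract": TOKEN, "owner": PAIR, "spender": RUG_PULLER,
     "value": 2**256 - 1},
]

def assess_new_token(events, token, pair, allowed_spenders=(ROUTER,)):
    """Return the naive verdict and a verdict that also inspects allowances.

    events: decoded logs as dicts; token/pair: token and LP pair contracts;
    allowed_spenders: spenders the pair may legitimately approve (the router).
    """
    allowed = {a.lower() for a in allowed_spenders}
    lp_burned = any(e["event"] == "Transfer" and e["contract"] == pair
                    and e["to"] == ZERO for e in events)
    owner_renounced = any(e["event"] == "OwnershipTransferred"
                          and e["contract"] == token and e["to"] == ZERO
                          for e in events)
    # An allowance whose owner is the pair itself lets the spender pull
    # tokens out of the pool regardless of who holds (or burned) the LP tokens.
    pair_allowances = [e["spender"] for e in events
                       if e["event"] == "Approval" and e["contract"] == token
                       and e["owner"].lower() == pair.lower()
                       and e["spender"].lower() not in allowed
                       and e["value"] > 0]
    naive_verdict = "SAFE" if lp_burned and owner_renounced else "RISKY"
    verdict = "RISKY" if pair_allowances else naive_verdict
    return {"lp_burned": lp_burned, "owner_renounced": owner_renounced,
            "pair_allowances": pair_allowances,
            "naive_verdict": naive_verdict, "verdict": verdict}

if __name__ == "__main__":
    print(assess_new_token(SAMPLE_EVENTS, TOKEN, PAIR))
```

On the constructed stream the naive checks pass, yet the pair-owned allowance flips the verdict to RISKY.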
Mode of operation
By analyzing the TOMMI case, we can summarize the following four characteristics:
The Deployer obtains funds through a certain exchange: The attacker first provides a source of funds for the Deployer's address through a certain exchange.
The deployer creates a liquidity pool and destroys LP tokens: After creating the Rug Pull token, the deployer will immediately create a liquidity pool for it and destroy LP tokens to increase the project's credibility and attract more investors.
Rug Puller exchanges a large amount of Tokens for ETH in the liquidity pool: The Rug Pull address (Rug Puller) uses a large amount of Tokens (often far exceeding the total supply of Tokens) to exchange for ETH in the liquidity pool. In other cases, the Rug Puller also obtains ETH from the pool by removing liquidity.
Rug Puller transfers the ETH obtained from the Rug Pull to the fund retention address: The Rug Puller will transfer the acquired ETH to the fund retention address, sometimes using an intermediary address for transition.
The characteristics mentioned above are commonly found in captured cases, indicating that Rug Pull behavior has distinct patterned features. Furthermore, after completing a Rug Pull, funds are often pooled into a retention address, suggesting that these seemingly independent Rug Pull cases may involve the same group or even the same scam syndicate.
Based on these characteristics, a behavior pattern of Rug Pull has been extracted, and this pattern has been used to scan detected cases, with the aim of constructing a possible profile of the scam group.
Rug Pull Criminal Group
Mining fund retention addresses
As mentioned earlier, Rug Pull cases usually end with funds being consolidated into a retention address. Based on this model, several highly active retention addresses with distinct characteristics associated with their modus operandi were selected for in-depth analysis.
A total of 7 fund retention addresses were identified, associated with 1,124 Rug Pull cases successfully captured by the on-chain attack monitoring system. After a scam succeeds, the Rug Pull gang consolidates the illegal profits into these fund retention addresses. The retention addresses then split the retained funds to create new tokens and manipulate liquidity pools for further Rug Pull scams. A small portion of the retained funds is cashed out through certain exchanges or flash-swap platforms.
In a complete Rug Pull scam, the Rug Pull gang typically uses one address as the deployer of the Rug Pull token and withdraws startup funds through an exchange to create the Rug Pull token and the corresponding liquidity pool. Once a sufficient number of users or new bot investors use ETH to purchase the Rug Pull token, the Rug Pull gang will use another address as the Rug Puller to operate, transferring the obtained funds to a reserve address.
It should be noted that when executing a scam, Rug Pull gangs also actively buy the Rug Pull tokens they created with ETH in order to simulate normal liquidity pool activity and attract new-token bot buyers. This cost is not included in the calculation, so the actual profit is somewhat lower than the figures above.
In fact, even if the final funds are aggregated into different fund retention addresses, there is still a high suspicion that these fund retention addresses may belong to the same group due to the numerous commonalities between the cases associated with these addresses (such as the implementation methods of Rug Pull backdoors, cash-out paths, etc.).
Mining fund retention address association
An important indicator to determine whether there is a correlation between fund retention addresses is to check whether there are direct transfer relationships between these addresses. To verify the correlation between fund retention addresses, historical transaction records of these addresses were crawled and analyzed.
In most of the cases analyzed so far, the profits from each Rug Pull scam ultimately flow to one specific fund retention address, so different retention addresses cannot be linked merely by tracing the flow of profits. It is therefore necessary to look for flows of funds between the retention addresses themselves in order to establish a direct association between them.
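The following is an added example, not the report's own tooling, serving both the behaviour-pattern scan described in the "Mode of operation" section and the retention-address association test above. It follows each Rug Puller's proceeds through pass-through intermediaries to the address where they aggregate, keeps aggregators that collect from several Rug Pulls as retention candidates, and then reports direct transfers between those candidates. The transfer set and every address label are constructed placeholders.

```python
from collections import defaultdict

# Added example, not the report's own tooling: locate fund retention
# addresses by following each Rug Puller's proceeds through pass-through
# intermediaries, then look for direct transfers between the retention
# addresses found (the association test described in the text).

# Constructed ETH transfers (sender, receiver, ether); all labels are
# placeholders, not real on-chain addresses.
TRANSFERS = [
    ("0xpuller1", "0xmid1", 3.95), ("0xmid1", "0xretainA", 3.95),
    ("0xpuller2", "0xretainA", 2.10),
    ("0xpuller3", "0xmid2", 5.00), ("0xmid2", "0xretainA", 5.00),
    ("0xpuller4", "0xretainB", 4.20),
    ("0xpuller5", "0xretainB", 1.70),
    ("0xpuller6", "0xretainB", 2.30),
    ("0xretainA", "0xretainB", 10.00),      # retention-to-retention flow
    ("0xretainB", "0xexchange", 1.00),      # small cash-out
]
RUG_PULLERS = {f"0xpuller{i}" for i in range(1, 7)}

def build_graph(transfers):
    out_edges, in_degree = defaultdict(list), defaultdict(int)
    for src, dst, _ in transfers:
        out_edges[src].append(dst)
        in_degree[dst] += 1
    return out_edges, in_degree

def follow_to_sink(addr, out_edges, in_degree, max_hops=5):
    """Walk forward through single-in/single-out intermediaries and stop at
    the first address that receives from several sources (an aggregator)."""
    cur = addr
    for _ in range(max_hops):
        nxt = out_edges.get(cur, [])
        if len(nxt) != 1:
            break
        cur = nxt[0]
        if in_degree[cur] != 1:
            break
    return cur

def find_retention_addresses(transfers, rug_pullers, min_cases=3):
    """Map each aggregator to the Rug Pullers feeding it; keep busy ones."""
    out_edges, in_degree = build_graph(transfers)
    cases = defaultdict(set)
    for puller in rug_pullers:
        cases[follow_to_sink(puller, out_edges, in_degree)].add(puller)
    return {a: sorted(p) for a, p in cases.items() if len(p) >= min_cases}

def linked_retention_addresses(transfers, retention):
    """Direct transfers between two retention addresses tie them together."""
    return sorted((s, d, v) for s, d, v in transfers
                  if s in retention and d in retention)
```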
It should be noted that certain addresses are for fund retention.