The decentralized finance sector has introduced many never-before-seen concepts into the world of Web3. Decentralized lending protocols, decentralized stablecoins, “yield farming” modules and on-chain prediction markets have made basic financial operations more intuitive and resource efficient.
Meanwhile, for malefactors, the DeFi segment is a prime target for cynical attack designs. DeFi protocols can be ruined by “flash-loan” attacks, and their users often fall prey to phishing and impersonation scams. However, the “rug pull” has remained the most dangerous and mainstream malicious activity in the DeFi segment since the beginning of 2020.
What Is a Rug Pull: Crypto Protocols Under Fire
To understand what a rug pull in crypto is, we need to imagine a person standing on a rug. Someone unexpectedly pulls it away, and the victim loses balance and falls.
Rug pulls in crypto: two ways to lose money
This is what a rug pull looks like: the mastermind behind a DeFi protocol swiftly removes all users’ liquidity from the protocol, leaving investors with worthless tokens. At its core, every rug pull can affect its victims in two ways.
#rugpulls PeckShield has discovered #bnb42 is rugged: Deployer withdraws over 6,400 BNB (~$2.7m) from an unverified contract. Initially the rugged funds were placed at 0x9b74fde50f3fcd3a02fafea6a187092630d6eb8f and then split into 8 addresses.
— PeckShieldAlert (@PeckShieldAlert) February 15, 2022
First, when the “rug is pulled,” investors’ assets are transferred to the attackers’ accounts, with no chance of getting them back. Then, once the crypto community notices that this or that protocol has pulled the rug, its native cryptocurrency could lose 90% of its value in no time. As such, investors see the value of their bags falling to zero.
How a Rug Pull Works in Crypto: The Basics
In order to make a “rug pull” possible, a DeFi team must “hard-code” specific features into the codebase. For example, the code should allow all liquidity to be transferred to a particular account. Then, the team can replace the address in charge of the funds with a malicious address: this makes it possible to pull the rug even on audited protocols.
Once the liquidity is stolen (permanently transferred to the malefactors’ accounts), hackers need to capitalize on it. Typically, they send funds to crypto mixing services like Tornado Cash.
This allows hackers to sell the stolen crypto through crypto-to-fiat exchanges; without Tornado-based obfuscation, crypto trading platforms now rapidly blacklist the attackers’ addresses. On leading block explorers, all addresses involved in a rug pull are labeled within minutes of the first announcement about the scam spreading on crypto Twitter.
The Worst Rug Pulls in Crypto
As the rug pull industry has grown hand in hand with the popularity of the DeFi segment, some rug pulls in 2021-2022 ended as eight-digit scams. As such, they are challenging CEX hacks as the most dangerous type of attack in Web3.
Scam Name: Meerkat Finance
Token: MKAT
Blockchain: Binance Smart Chain
Net loss: $32 million
In March 2021, BSC-based yield farming protocol Meerkat Finance (MKAT), a team from Alpaca Finance (ALPACA), fled with 14 million Binance USD (BUSD) and 73,635 Binance Coins (BNB).
The protocol disappeared during its first day on mainnet; however, some of its investors had managed to put six-figure sums into its liquidity pool.
Scam Name: Snowdog DAO
Token: SDOG
Blockchain: Avalanche
Net loss: $10 million
SnowdogDAO promoted itself as the largest “game theory” experiment on the high-performance smart contract platform Avalanche (AVAX). Its exploitation scenario was sophisticated: someone who had a unique key was the only actor able to sell SDOG at a reasonable price.
Others found that the value of their SDOG investment dropped to zero after an orchestrated sell-off initiated by the rug pull mastermind.
Scam Name: Squid Games
Token: SQUID
Blockchain: Binance Smart Chain
Net loss: $3 million
Inspired by the popular TV show about a dystopian world, Squid Game Token appears to be a “honeypot scam”, a profitable rug pull scenario for attackers.
At some stage, developers turned off the ability for SQUID holders to sell their tokens; retail users were only able to purchase new tokens. Once this was exposed, the price of SQUID dropped from around $3,000 to zero.
How to Spot a Rug Pull: The Basics
To identify a crypto rug pull with 100% confidence, a blockchain user must read the code, i.e. have advanced Solidity, Rust or Haskell skills. However, U.Today summarizes several rug pull signs that can be recognized by newbies as well.
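For readers who do read the code, the owner-only powers described above (a function that moves the whole pool, a replaceable payout address, and a sell switch like the one in the Squid Game case) can be searched for mechanically. The Python sketch below is an added example, not code from U.Today or from any project named here; the Solidity sample, its names and the regex heuristics are constructed assumptions and will not catch obfuscated or proxy-based variants.

```python
import re

# Constructed Solidity sample for illustration; not taken from any real project.
SAMPLE = """
contract Vault {
    address public owner; address public treasury; bool public sellEnabled = true;
    mapping(address => uint256) public balances;
    modifier onlyOwner() { require(msg.sender == owner); _; }
    function deposit() external payable { balances[msg.sender] += msg.value; }
    function setTreasury(address t) external onlyOwner { treasury = t; }
    function sweep() external onlyOwner { payable(treasury).transfer(address(this).balance); }
    function setSellEnabled(bool on) external onlyOwner { sellEnabled = on; }
    function withdraw(uint256 amt) external { require(sellEnabled, "paused");
        balances[msg.sender] -= amt; payable(msg.sender).transfer(amt); }
}
"""

PRIV = re.compile(r"\bonly[A-Z]\w*|msg\.sender\s*==\s*owner")  # heuristic owner gate
FUNC = re.compile(r"function\s+(\w+)\s*\(([^)]*)\)([^{;]*)\{")
WHOLE = re.compile(r"address\(this\)\.balance|balanceOf\(address\(this\)\)")

def functions(src):
    """Yield (name, params, header, body) per function, matching nested braces."""
    for m in FUNC.finditer(src):
        depth, i = 1, m.end()
        while depth and i < len(src):
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        yield m.group(1), m.group(2), m.group(3), src[m.end():i - 1]

def audit(src):
    """Return (function, finding) pairs for owner-only powers over user funds."""
    funcs, out = list(functions(src)), []
    for name, params, header, body in funcs:
        if not PRIV.search(header + body):
            continue  # not owner-gated, so not a privileged backdoor
        if WHOLE.search(body):
            out.append((name, "owner can move the entire pool"))
        for ptype, pname in re.findall(r"\b(address|bool)\s+(?:payable\s+)?(\w+)", params):
            hit = re.search(r"\b(\w+)\s*=\s*%s\b" % re.escape(pname), body)
            if hit and ptype == "address":
                out.append((name, "owner can repoint " + hit.group(1)))
            elif hit:  # bool switch: list the functions whose require() depends on it
                gated = [f for f, _, _, b in funcs
                         if re.search(r"require\(\s*!?%s\b" % hit.group(1), b)]
                out.append((name, "owner switch %s gates %s" % (hit.group(1), ",".join(gated))))
    return out

if __name__ == "__main__": print(audit(SAMPLE))
```

A finding is a prompt to check who holds the owner key and whether it sits behind a timelock or multisig, not proof of a scam.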
Greed is the worst enemy
All protocols that end in a “rug pull” tend to guarantee incredibly high returns. First, they tease thousands of percent in APY: the recent scam protocol Titano Finance offered to triple any deposit amount in 10 days.
Then, the teams of such protocols guarantee rewards regardless of market conditions, the price of Ether and BNB, audience dynamics, etc. Both “super-high” and “guaranteed” APY are obvious red flags.
Many secrets hide many scams
Typically, there is little or no information about the teams, designs, and past performance of “rug-pulled” protocols. An empty GitHub repository, a Twitter account with no comments and retweets, a Medium “blog” with three articles, and a landing page with an “investment” address are a “rug pull” starter pack.
None of the “rug-pulled” DeFis had a real product: a payment system, a lending/borrowing module, stablecoins and so on. In such a situation, investors should thoroughly research the project before investing in it.
Stay up to date on crypto security
Lastly, information about potential rug pulls can be found on the Twitter accounts of cybersecurity providers and enthusiasts.
To begin, every DeFi investor must follow the two leading security audit providers for crypto protocols, PeckShield and CertiK. They automatically detect malicious activity and notify potential investors about suspicious changes to a protocol’s codebase.
Bottom line
A rug pull is a malicious transfer of investor liquidity out of a DeFi protocol. Rug pulls in crypto are organized by malicious teams of DeFi products to steal backers’ funds.
In 2021-2022, some rug pulls stole eight-digit sums. To avoid falling prey to rug pulls, investors should not invest in products that promise excessive profits or in teams with no proven development activity.