Original author: Bankless

Translation: Zen, PANews

If you have been deeply involved in the DeFi field for many years, you must have experienced more scams and hacks than you can imagine. This is the risk we take when interacting at the forefront of financial technology.

Among all the pitfalls in DeFi, the most painful ones are often Rug Pulls. These internal vulnerabilities, also known as exit scams, occur when insiders use the trust of users to steal their assets. They usually occur through malicious code injected into smart contracts, allowing developers to drain these contracts or user wallets.

This article will list the top 10 Rug Pulls projects in recent years based on the on-chain Rug Pulls leaderboard from DefiLlama.

Jay Pegs Auto Mart

Loss: $3.1 million

Date: September 17, 2021

Blockchain: Ethereum

Method: Malicious deposit address replacement

The front end of Sushiswap's IDO platform Miso was attacked. An anonymous contractor injected malicious code into the Miso front end, replacing the auction wallet with their own wallet address, resulting in the theft of 864.8 ETH (approximately $3.07 million). The auction affected by this attack was the DONA token auction of the Jay Pegs Auto Mart project. Subsequently, the SushiSwap team immediately fixed the vulnerability, and after tracking the attacker and requesting FBI intervention, all funds were quickly returned.

Dragoma

Loss: $3.5 million

Date: August 8, 2022

Blockchain: Polygon

Method: Fund siphoning

Similar to the once-popular STEPN, Dragoma, based on the Polygon network, is also a chain game that focuses on the move-to-earn concept. Players can claim dinosaur eggs for free and hatch them into NFTs after 40 days to earn rewards such as DMA tokens. On August 8, 2022, Dragoma allegedly experienced a Rug Pull, causing DMA to plummet from $1.8 to $0.002, a 99.82% drop. Subsequently, its official Twitter account displayed "This account does not exist." It is worth noting that the DMA token was listed on the crypto exchange MEXC for less than 24 hours before this crash occurred.

Magnate Finance

Loss: $6.4 million

Date: August 25, 2023

Blockchain: Base

Method: Contract vulnerability

On August 25, 2023, on-chain detective ZachXBT issued a warning, stating that the Base ecosystem lending protocol Magnate Finance may soon experience an exit scam, and indicated that the deployer address of Magnate Finance is directly related to the Solfire exit scam. Shortly after, the website and social platforms of the Base ecosystem lending protocol Magnate Finance became inaccessible. Their Telegram group was also deleted. ZachXBT also stated that the deployer's on-chain address is also related to the Kokomo Finance exit scam.

According to the event investigation released by Paidun, Magnate Finance conducted a Rug Pull by directly manipulating the price oracle, resulting in a loss of approximately $6.5 million. According to Beosin Alert monitoring, the deployer address of Magnate Finance is related to the previous Rug Pulls of Solfire and Kokomo Finance. The scammer stole a total of $16.7 million.

New blockchain networks are like the Wild West of the United States. Being cautious and sticking to audited and time-tested protocols can help reduce risks.

Arbix Finance

Loss: $10 million

Date: January 4, 2022

Blockchain: BNB

Method: Contract vulnerability

Arbix Finance, a liquidity mining protocol based on the Binance Smart Chain, was once promoted as a "low-risk way to get the best returns," and Arbix used user deposits for arbitrage to earn profits. In the early hours of January 4, 2022, approximately $10 million of user funds were siphoned off, and the project's social media and website were also shut down. Shortly after, the team injected $4.5 million worth of ARBX tokens into PancakeSwap, causing its price to drop from $1.42 to zero.

According to CertiK's event analysis, the Arbix Finance project showed too many danger signals. The ARBX contract only had a mint() function for the owner, and 10 million ARBX tokens were minted to 8 addresses. CertiK also confirmed that 4.5 million ARBX tokens were minted to one address and then transferred. Another danger signal was the $10 million of user funds, which were directed to an unverified pool after being deposited, and the hacker eventually gained full access and stole $10 million in assets.

Compounder Finance

Loss: $12 million

Date: December 2, 2020

Blockchain: Ethereum

Method: Contract vulnerability

Just a few months after the boom of DeFi summer, investor sentiment was high, and yields were also high. Compounder Finance, developed by a group of anonymous developers, attracted some attention from users. It was no different from countless other protocols hoping to enter the liquidity mining craze. What was surprising was that the culprit who stole over $12 million of user funds was not a hacker, but the project team itself. After passing the audit, the project team added 7 malicious strategy contracts to its codebase, making it a very serious DeFi exit scam event.

The difference is that after passing the audit, they added a malicious backdoor program to the contacts. This backdoor allowed developers to steal all user funds deposited into the protocol—worth approximately $12 million. Since then, audit practices have had to be adjusted to not only focus on external threats but also on internal threats. After this event, Rekt news and @vasa_develop shared the detailed process of the event.

Snowdog

Loss: $18.1 million

Date: November 25, 2021

Blockchain: Avalanche

Method: Contract vulnerability

Avalanche Rush brought $180 million in incentives to the ecosystem, bringing hordes of crypto enthusiasts to a new chain, and at the time, it was the peak of the Dogecoin craze. The Avalanche-based Meme project Snowdog attracted a lot of attention, claiming to create a reserve currency supported by protocol-owned liquidity.

This event was a typical "Rug Pull." Insiders of the project allegedly used the hidden "challengeKey" to sell a large amount of SDOG tokens through Snowswap in two separate transactions around 6 a.m. today, making a profit of $17 million and causing the price of SDOG to plummet by 90% within half an hour. TechnoArtoria pointed out that the contract code of Snowswap had not been fully reviewed, and only insiders knew about the "challengeKey" and used it to sell a large number of tokens.

StableMagnet

Loss: $27 million

Date: June 23, 2021

Blockchain: BNB Chain

Method: Contract vulnerability and user wallets

The DeFi project StableMagnet promised high returns on stablecoins and attracted tens of millions of TVL investments before launching the "novel carpet method."

The issue this time was not in the project's own smart contract, but in the underlying function library called SwapUtils Library. The project team implanted a backdoor in the underlying function library, so regardless of whether the smart contract code of the project itself is secure or has a time lock, the project team can directly use the backdoor of the underlying function to transfer assets.

After the incident, one of the victims of this event, DeFi influencer Ogle, and a community investigation team conducted a carpet search and eventually obtained intelligence. The British police successfully arrested members of the project team, and the arrested members returned approximately $22.5 million in assets.

Paid Network

Loss: $27 million

Date: March 5, 2021

Blockchain: Ethereum

Method: Unlimited minting and selling

The decentralized application Paid Network aims to provide a new way of conducting business through its proprietary SMART protocol, community-managed arbitration system, reputation scoring, and DeFi tools.

On March 6, 2021, Beijing time, the official Twitter account of PAID Network announced that the contract had been hacked. Due to the upgradable storage proxy contract model used by the PAID Network project, the attacker used the owner permission of the PAID Network proxy contract to deploy a malicious logic contract and stole over 59 million PAID tokens.

It is understood that the vulnerability allowing the contract owner to freely mint additional tokens was discovered and pointed out by users early on. Twitter user @WARONRUGS (account deleted) had previously mentioned this vulnerability.

Meerkat Finance

Loss: $32 million

Date: March 4, 2021

Blockchain: BNB Chain

Method: Contract vulnerability

The DeFi project Meerkat Finance on the Binance Smart Chain generated profits of 13 million BUSD and 73,000 BNB, valued at approximately $31 million, after operating for one day. Subsequently, these funds were immediately taken by the project team.

Meerkat Finance initially claimed this was a hack, but the project team later deleted their accounts.

The deployer of Meerkat Finance upgraded the project's 2 vaults. The attacker's address called the initialize function without permission through the Vault proxy, effectively allowing anyone to become the Vault owner. The attacker then depleted the vaults by calling a function with the signature 0x70fcb0a7, which accepted a token address as input. The decompiled upgrade to the smart contract showed that the only purpose of the called function was to remove funds with the owner as the beneficiary. Since the upgrade was completed by the Meerkat Finance deployer, considering all aspects of on-chain data, this event is most likely a deliberate exit scam, and the possibility of private key leakage is very small.

AnubisDAO

Loss: $60 million

Date: October 29, 2021

Blockchain: Ethereum

Method: Contract vulnerability

AnubisDAO, a project launched on the OHM fork platform by Copper Launch, withdrew liquidity pools one day after going live, suspected of running away with over 13,556 ETH transferred to the address @0x9fc, worth approximately $58.3 million. Shortly after, the project's Twitter account ceased activity.

In March of this year, the address of the AnubisDAO attacker (marked as AnubisDAO exploiter3) transferred 2,500 WETH to an address starting with "0x0D19" and laundered 2,400 ETH (approximately $3.76 million) through Tornado Cash; in May, an EOA address related to the scam event (0xa570d…) transferred approximately 3,000 ETH (approximately $5.9 million) to Tornado Cash.

Conclusion

Behind these frustrating stolen fund data, we can also see a positive side—most of the fund loss events investigated occurred before 2022. In fact, in this top ten list, the funds lost in 2021 accounted for 84% of the total.

What does this teach us? Overall, audit firms have realized from painful lessons that they must adapt quickly to maintain a good reputation. In addition, members of the crypto community who have been attacked in the past can delve into the code more quickly and identify suspicious teams with a higher hit rate.

After repeated Rug Pulls, the anti-fragility of DeFi has made it stronger, meaning that it can thrive and grow stronger when exposed to volatility, randomness, chaos, pressure, risk, and uncertainty, and eventually move in the right direction over time. Will there come a day when unknown teams no longer make ill-gotten gains? That is certainly not very realistic. As long as it is profitable, bad actors will continue to challenge boundaries, but the direction we are developing in is definitely the right one.

免责声明：本文章仅代表作者个人观点，不代表本平台的立场和观点。本文章仅供信息分享，不构成对任何人的任何投资建议。用户与作者之间的任何争议，与本平台无关。如网页中刊载的文章或图片涉及侵权，请提供相关的权利证明和身份证明发送邮件到support@aicoin.com，本平台相关工作人员将会进行核查。