The Rise of Exit Scams & Rug Pulls

Guide to understand Rug Pulls and ways to avoid them

Table of Contents

Read Time: 6 minutes

Ever since their introduction, cryptocurrencies have attracted the eyes of investors and hucksters alike. Though the crypto space is characterized by some institutional investors and thin liquidity, it is also rife with scammers. The nature of scams occurring on crypto networks has also paralleled the development of their infrastructure. Since blockchains were new and primitive, the illicit activities taking place on top of them mostly consisted of dark web purchases, fraudulent exchanges, etc. 

However, in recent years, as cryptos began to go mainstream with decentralized finance (DeFi) and attracted the attention of blue-chip firms, new and sophisticated scams have started to pop up. Rug pull is one such scam that has been successful in infiltrating the DeFi ecosystem lately. In this blog, we will thoroughly understand this category of scam and learn how to avoid rug pull for the better.

What is A Rug Pull Scam?

Rug pull is derived from the phrase “to pull the rug out from under someone”, which roughly translates to pulling the rug out from one edge so the person standing falls flat on the floor. 

In the crypto space, rug pull is described as a situation wherein the developers of a crypto project pull out support, thereby leaving the investors and users with worthless tokens. It often happens when an entity convinces people to buy into their cryptocurrency and then drains out its liquidity, which makes it impossible for token holders to trade the cryptocurrency in the process. For example, an “X” token is traded against “ETH”. When the malicious actors remove all the ETH liquidity from the X/ETH pair, traders won’t be able to trade their X tokens. 

How does Rug Pull Work?

Like most crypto ecosystems, the DeFi space is highly unregulated. Therefore, protocols and projects within the DeFi space are also away from the scrutiny of lawmakers. Rug pulls occur because decentralized exchanges (DEXs) – unlike centralized exchanges (CEXs) – do not audit or verify tokens being listed on them. Anyone can list a cryptocurrency on DEXs, irrespective of whether it’s legit or not. Though there are various ways a scammer can pull out rug using DEXs, there are categorized into mainly three: 

  • Pulling Out Liquidity: When someone wants to pull out a rug on investors, it will create a token and list it on a DEX, like Uniswap. In order to make their worthless token tradable, they put a portion of the valuable tokens (like ETH) and a portion of their newly minted token into a liquidity pool. It allows new investors to exchange their ETH with the new token. As time goes, and the investors invest, the value of worthless tokens goes up. Then, the developers can do a rug pull by pulling out their initial liquidity. By doing this, they get their initial amount of worthless tokens along with the valuable tokens. Due to how automated market makers (AMMs) on DEXs work, these malicious actors gain access to a lot more valuable tokens and a lot less worthless tokens. After they pull out the liquidity, the investors will not be able to trade their worthless token because the pool is left empty. 
  • Selling Off The Shares: The second way a developer can pull the rug is by selling their token shares. Like in our above example, a developer creates a worthless token. The developer convinces investors and other people that their token is valuable. For example, they can promise that a new platform is launching soon with a real-world use case. But, they always promise something in the future. Thus, they sell this idea to a majority of people. When the price of their token increases, they sell all their token in the token launch. In short, what they did is they got people to trade a valuable token for a worthless token, and then run away with the accumulated valuable tokens. This method is often slow so that buyers don’t realize they are being rug pulled. 
  • Removing A Seller’s Ability to Sell: Another way to pull the rug is by disabling buyers’ ability to sell. Malicious actors can add code to their token’s smart contract, which doesn’t allow users to sell back their tokens on DEXs. So, users can buy their worthless tokens but can’t sell them even if they want to. This pushes up the price of the underlying token because no one can sell it. When the price is really high, the scammers sell out all the tokens they gave themselves in the initial stage or bought very early on at a very low price. 

How to Avoid Rug Pulls?

Since now you know how to identify a rug pull, it is time to learn about how to avoid one. The first trait to watch out for in a project is whether it has locked liquidity or not. As discussed, a developer can pull the liquidity out of a DEX as long as it’s unlocked. Sometimes, to prove that the team is legit, a project locks their liquidity with a trusted third party to ensure they don’t have a way to drain out funds even if they want to. While it is a great way to find if the developers won’t pull out the rug, the token price can still be manipulated. Therefore, it is better to pay close attention to the duration of that locked liquidity. A legit project will do it for a shorter period (like 2-6 months), whereas, a scammer would keep it for 10 or more years. 

Secondly, check wallets on blockchain explorers like Etherscan and BSCscan to find out which wallet holds maximum tokens. If the top five wallets hold a large number of tokens, these accounts are likely of the project team members who bought these tokens at a very cheap price. 

Another way to know if a project is trustworthy is by checking whether its burn wallet has a higher percentage that hides a true, big wallet. Essentially, what happens is the developer creates a ton of tokens and then burns a majority of them, thereby getting a large portion of the supply in their hands. 

Furthermore, find out whether the developers are using a multi-sig wallet or not. This ensures that no one in the team can access the funds singlehandedly. So, when someone gets greedy, they can’t run away with funds because accessing them would require the signatures of all the developers involved with the project.

Last but not the least, a project should have undergone audits from multiple reputable companies. A successful audit ensures that the smart contracts are verified by a trusted source and that the team is serious about their protocol. This not only helps investors avoid rug pulls but also removes the possibility of errors in codes. 

Ending Note

Rug pulls are quite common in DeFi because it is not regulated like the stock market. High APYs and APRs and 100x returns are alluring for new investors. However, these promises are usually made by fake projects wanting to pull the rug and run away with funds. When hundreds of dollars are at a stake, it is important to keep the above pointers in mind to thoroughly evaluate a project for investment. In addition to the recommended ways, also check whether a project has a functioning website and engaging social media pages. We always recommend you to get your DeFi project audited multiple times to avoid any risks of potential future attacks.

Reach out to QuillHash

With an industry presence of years, QuillHash has delivered enterprise solutions across the globe. QuillHash with a team of experts is a leading blockchain development company providing various industry solutions including DeFi enterprise, If you need any assistance in the smart contracts audit, feel free to reach out to our experts here!

Follow QuillHash for more updates

Twitter | LinkedIn Facebook


Related Articles

View All

Leave a Comment

Your email address will not be published.



In one of the protocol's lending pools, an exploiter escaped with over 44 RBTC by employing a price manipulation method.



We request BSC Validators to get in touch with us within the next few hours so that we can plan a node upgrade.

We'd like to thank the community again for their continuous support.


A spammer has caused havoc for Zcash node operators by filling transaction Blocks with a large number of shielded transaction outputs. Many believe this is a FUD designed to draw attention.





[MUST KNOW] Security Tips for Web3—

Don’t ever think it can’t happen to you🚫!

Don’t Rush⚡

In crypto, we all like to move fast, grab the most hyped thing to shell out millions in a minute.

But at the same time, we forget that we are the most vulnerable ones as well.

Hashing Bits | Week - 39 📮

A recap of last week’s Web3 security exploits unwrapped –

‣MEV bot earns $1M to find them all lost to a hack due to the contract vulnerabilities
‣Jason Falovitch, a cryptocurrency entrepreneur, lost six ETH and four NFTs of $150K to a hack.


Load More

90 Types of Crypto Worth $160M Stolen 🚨

It was observed from the Omni bridge source code that the logic to verify chainID was present, but the verified chainID used in the contract was pulled from a value stored in the storage named uintStorage.

Become a Quiffiliate!
Join our mission to safeguard web3

Sounds Interesting, Right? All you have to do is:


Refer QuillAudits to Web3 projects for audits.


Earn rewards as we conclude the audits.


Thereby help us Secure web3 ecosystem.

Total Rewards Shared Out: $190K+