
The Rise of Exit Scams & Rug Pulls

A guide to understanding rug pulls and ways to avoid them


Ever since their introduction, cryptocurrencies have attracted the eyes of investors and hucksters alike. Though the crypto space is characterized by some institutional investors and thin liquidity, it is also rife with scammers. The nature of scams on crypto networks has paralleled their infrastructure development. While blockchains were new and primitive, the illicit activities on top of them mostly consisted of dark web purchases, fraudulent exchanges, etc.

However, in recent years, as cryptos began to go mainstream with decentralized finance (DeFi) and attracted the attention of blue-chip firms, new and sophisticated scams have started to pop up. The rug pull is one scam that has successfully infiltrated the DeFi ecosystem lately. In this blog, we will look closely at this scam category and learn how to avoid rug pulls.

What is A Rug Pull Scam?

Rug pull is derived from the phrase “to pull the rug out from under someone”, which roughly translates to pulling the rug out from one edge so the person standing falls flat on the floor. 

In the crypto space, a rug pull is described as a situation wherein the developers of a crypto project pull out support, thereby leaving the investors and users with worthless tokens. It often happens when an entity convinces people to buy into their cryptocurrency and then drains its liquidity, making it impossible for token holders to trade the cryptocurrency in the process. For example, an “X” token is traded against “ETH”. When the malicious actors remove all the ETH liquidity from the X/ETH pair, traders won’t be able to trade their X tokens.

How does Rug Pull Work?

Like most crypto ecosystems, the DeFi space is highly unregulated. Therefore, protocols and projects within the DeFi space are also away from the scrutiny of lawmakers. Rug pulls occur because decentralized exchanges (DEXs) – unlike centralized exchanges (CEXs) – do not audit or verify tokens being listed on them. Anyone can list a cryptocurrency on DEXs, irrespective of whether it’s legit or not. Though there are various ways a scammer can pull the rug using DEXs, they are categorized mainly into three:

  • Pulling Out Liquidity: When someone wants to pull the rug on investors, they create a token and list it on a DEX, like Uniswap. To make their worthless token tradable, they put a portion of valuable tokens (like ETH) and a portion of their newly minted token into a liquidity pool. This allows new investors to exchange their ETH for the new token. As time goes on and investors buy in, the value of the worthless token goes up. Then, the developers can do a rug pull by pulling out their initial liquidity. By doing this, they get their initial amount of worthless tokens along with the valuable tokens. Due to how automated market makers (AMMs) on DEXs work, these malicious actors gain access to a lot more valuable tokens and a lot fewer worthless tokens. After they pull out the liquidity, the investors will not be able to trade their worthless tokens because the pool is left empty.
  • Selling Off The Shares: The second way a developer can pull the rug is by selling their token shares. As in the example above, a developer creates a worthless token and convinces investors and other people that it is valuable. For example, they can promise that a new platform is launching soon with a real-world use case, but the promise is always about something in the future. Thus, they sell this idea to a majority of people. When the price of their token increases, they sell all their tokens in the token launch. In short, they got people to trade a valuable token for a worthless token, and then ran away with the accumulated valuable tokens. This method is often slow so that buyers don’t realize they are being rug pulled.
  • Removing A Seller’s Ability to Sell: Another way to pull the rug is by disabling buyers’ ability to sell. Malicious actors can add code to their token’s smart contract that doesn’t allow users to sell their tokens back on DEXs. So, users can buy the worthless tokens but can’t sell them even if they want to. This pushes up the price of the underlying token because no one can sell it. When the price is really high, the scammers sell all the tokens they gave themselves in the initial stage or bought very early on at a very low price.
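The liquidity-pull case in the first item above can be worked through on a constant-product (x · y = k) pool of the kind Uniswap v2 uses. This is an added example, not code from the original article; the seed amounts and buy sizes are constructed, and trading fees are ignored.

```python
# Constant-product (eth * tok = k) pool model for the X/ETH pair described above.
# Added illustration: all amounts are constructed and trading fees are ignored.
from dataclasses import dataclass


@dataclass
class Pool:
    eth: float              # reserve of the valuable token
    tok: float              # reserve of the newly minted token "X"
    lp_share: float = 1.0   # fraction of the pool owned by the deployer

    def buy_tokens(self, eth_in):
        """Swap ETH for X, keeping eth * tok constant; returns X received."""
        k = self.eth * self.tok
        new_eth = self.eth + eth_in
        tok_out = self.tok - k / new_eth
        self.eth, self.tok = new_eth, self.tok - tok_out
        return tok_out

    def sell_tokens(self, tok_in):
        """Swap X for ETH; returns ETH received (0.0 if the pool is empty)."""
        if self.eth == 0 or self.tok == 0:
            return 0.0
        k = self.eth * self.tok
        new_tok = self.tok + tok_in
        eth_out = self.eth - k / new_tok
        self.eth, self.tok = self.eth - eth_out, new_tok
        return eth_out

    def remove_liquidity(self):
        """The liquidity provider withdraws its share of both reserves."""
        eth_out, tok_out = self.eth * self.lp_share, self.tok * self.lp_share
        self.eth -= eth_out
        self.tok -= tok_out
        return eth_out, tok_out


def simulate(seed_eth=10.0, seed_tok=1_000_000.0, buys=(5.0, 10.0, 15.0)):
    """Seed the pool, let investors buy, withdraw liquidity, then try to sell."""
    pool = Pool(seed_eth, seed_tok)
    held = sum(pool.buy_tokens(e) for e in buys)   # X now held by investors
    lp_eth, lp_tok = pool.remove_liquidity()       # the liquidity withdrawal
    recoverable = pool.sell_tokens(held)           # ETH investors can still get
    return {"investor_tokens": held, "lp_eth": lp_eth,
            "lp_tok": lp_tok, "investor_recoverable_eth": recoverable}
```

With these constructed numbers the deployer seeds 10 ETH and withdraws 40 ETH plus a quarter of the X it deposited, while the 750,000 X held by investors can no longer be swapped for anything.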

How to Avoid Rug Pulls?

Since you know how to identify a rug pull, it is time to learn how to avoid one. The first trait to watch out for in a project is whether it has locked liquidity or not. As discussed, a developer can pull the liquidity out of a DEX as long as it’s unlocked. Sometimes, to prove that the team is legit, a project locks its liquidity with a trusted third party to ensure they don’t have a way to drain funds even if they want to. While this is a great way to check whether the developers can pull the rug, the token price can still be manipulated. Therefore, it is better to pay close attention to the duration of that locked liquidity. A legit project will do it for a shorter period (like 2-6 months), whereas a scammer would keep it for 10 or more years.

Secondly, check wallets on blockchain explorers like Etherscan and BSCscan to find out which wallets hold the most tokens. If the top five wallets hold a large number of tokens, these accounts likely belong to project team members who bought the tokens at a very low price.

Another way to judge whether a project is trustworthy is to check whether its burn wallet holds a high percentage of the tokens, which can hide a true, big wallet. Essentially, the developer creates a ton of tokens and then burns most of them, thereby getting a large portion of the supply in their hands.
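The two holder checks above (top-wallet concentration and a large burn wallet masking it) can be combined into one calculation over a holder list exported from a block explorer. This is an added example, not from the original article; the holder table, its short addresses and the `0xpool` label are constructed, and only the two conventional burn addresses are real.

```python
# Holder-concentration check with a burn-wallet adjustment.
# Added illustration: SAMPLE_HOLDERS is constructed data, not a real token.
BURN_ADDRESSES = {
    "0x0000000000000000000000000000000000000000",
    "0x000000000000000000000000000000000000dead",
}

# Constructed holder table: address -> balance (1,000,000,000 total supply).
SAMPLE_HOLDERS = {
    "0x000000000000000000000000000000000000dEaD": 900_000_000,  # burned
    "0xpool": 20_000_000,                                       # DEX liquidity pool
    "0xa1": 30_000_000, "0xa2": 15_000_000, "0xa3": 10_000_000,
    "0xa4": 5_000_000, "0xa5": 4_000_000,
    "0xb1": 3_000_000, "0xb2": 3_000_000, "0xb3": 3_000_000,
    "0xb4": 3_000_000, "0xb5": 3_000_000, "0xb6": 1_000_000,
}


def concentration(holders, exclude=(), top_n=5):
    """Share of supply held by the top N wallets, before and after removing burns.

    holders: dict of address -> balance.
    exclude: addresses nobody can sell from directly (pool, lock contracts).
    """
    total = sum(holders.values())
    burned = sum(b for a, b in holders.items() if a.lower() in BURN_ADDRESSES)
    skip = BURN_ADDRESSES | {a.lower() for a in exclude}
    live = sorted((b for a, b in holders.items() if a.lower() not in skip),
                  reverse=True)
    top = sum(live[:top_n])
    circulating = total - burned
    return {
        "burned_pct": 100 * burned / total,
        "top_pct_of_total": 100 * top / total,
        "top_pct_of_circulating": 100 * top / circulating if circulating else 0.0,
    }


if __name__ == "__main__":
    for key, value in concentration(SAMPLE_HOLDERS, exclude={"0xpool"}).items():
        print(f"{key}: {value:.1f}%")
```

In the constructed table the top five wallets look like 6.4% of total supply, but with 90% of the supply burned they control 64% of what can actually be traded.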

Furthermore, find out whether the developers are using a multi-sig wallet. This ensures that no one in the team can access the funds singlehandedly. So, when someone gets greedy, they can’t run away with funds because accessing them would require the signatures of all the developers involved with the project.

Lastly, a project should have undergone audits from multiple reputable companies. A successful audit ensures that the smart contracts are verified by a trusted source and that the team is serious about their protocol. This not only helps investors avoid rug pulls but also removes the possibility of code errors. 

Ending Note

Rug pulls are quite common in DeFi because it is not regulated like the stock market. High APYs and APRs and 100x returns are alluring for new investors. However, these promises are usually made by fake projects wanting to pull the rug and run away with funds. When hundreds of dollars are at stake, it is important to consider the above pointers to thoroughly evaluate a project for investment. In addition to the recommended ways, check whether a project has a functioning website and engaging social media pages. We always recommend getting your DeFi project audited multiple times to avoid any risks of potential future attacks.
