How to Make a Rug Pull — Buzzword Edition

But the project was doxxed?! He was based! Liquidity is locked for eternity…scammers are notorious for taking existing crypto jargon and baptizing them into their malicious schemes. While not all rugs are made the same, there are some commonly used tactics that ruggers employ to garner a sense of security and safety from their victims.

While our team has mentioned the evolution of rug pulls in the past, it’s time for a deep dive into the common jargon that rug pullers employ. These words are enjoyed by a lot of token projects; our aim is to show that they are no bastion of safety and defense against rug pulls.

Please note: these features are not evidence of a rug pull; this article simply aims to uncover how would-be scammers use certain buzzwords to make their project seem more legitimate and the reasons why these features could fail to meet the burden of safety.

Next time you see these words, don’t be fooled. They tell you nothing about the legitimacy of a project, its origins or its intentions. Do proper due diligence and examine the risks.

KYC/Doxxed Team

This one is very popular. How can someone who is “publicly known” get away with scamming thousands of people? Unfortunately, a KYCed and Doxxed team does not give a user any legal recourse necessarily, and this label can often be misapplied.

Think about how a KYC/Doxxing works: A project owner will reveal their identity by submitting their ID documents to a firm that handles the KYC/Doxxing. In exchange for doing this and paying a small fee, the project owner can now claim they are doxxed/KYCed. They can even reveal their identity to the public to some degree. What could go wrong? Here are a few ways the KYC/Doxxed Team label fails to provide actual security:

• Small/Unknown KYC Firm: It doesn’t matter if you have revealed your identity to a firm if, at best, the firm cannot act on the matter due to its size, or at worst, because they were in on the gambit from the beginning.
• Lack of Jurisdiction: If a KYC firm is in Russia (for example) and a potential scammer is based on London, it does not follow that the authorities can (or need) to comply with any actions. Not to mention the cost involved in a legal investigation transnationally.
• Fake Identity Documents: Submitting fake information is not only possible, it’s a high probability for those who are attempting to scam.

Locked Liquidity

Having a locked liquidity wallet does provide some measure of protection as it will disallow project owners from access liquidity in that particular wallet. What could be wrong with this as a label of a safe project?

• Liquidity locking generally applies to LP storage wallets, NOT marketing, team wallets, etc. which often make up for other substantial portions of the token supply.
• This can be tricked from scanners/bots that look for locked liquidity. As an example, the RugZombie (ZMBE) LP is not stored in a locked liquidity wallet, but a multi-signature token storage, requiring a majority consensus to move tokens in and out. However, many bots/scanners would register our wallet as “locked” due to the fact that these tokens are stored in a contract and not in a wallet.

Audited

We fully believe in the strength auditing firms add for every project. It is always recommended to get outside eyes on the codebase in order to look for serious and critical flaws to token projects and smart contracts. In fact, there was a time when auditing and security feature scans of token projects helped many users avoid honey pot scams and other risky code features.

But audited code tells you nothing of the intentions of the would-be rugger.

From a technical standpoint, audits can enhance user safety because they help legitimate projects an unbiased lens on what could be exploited from the smart contracts.

And perfectly legitimate features can be utilized to rug pull a potential user base.

What to Do…

These are three common phrases that are often misunderstood in the crypto community. Because both legitimate and illegitimate projects use them, they simply do not necessarily imply safety.

Our recommendation is to always do your own independent research. Don’t take a project at face value. Dig into their documentation, open source code (or lack thereof), check out the community. As a part of the BNGA community, we have learned of, and recommend the use of tools like bubble maps to look at visual data of wallet connections related to token supply, etc.

Stay vigilant out there Horde.