DOI: 10.1145/3639477.3639722
research-article

Stop Pulling my Rug: Exposing Rug Pull Risks in Crypto Token to Investors

Published: 31 May 2024

Abstract

A crypto token is a digital asset used in blockchain-based decentralized applications. Today, tokens have attracted many investors and collected a large amount of money. Unfortunately, the booming token market has simultaneously spawned numerous fraudulent schemes. A rug pull is one of the well-known scams, in which fraudulent developers lure investors into seemingly profitable projects and then run off with their money, leaving the investors with worthless assets. To prevent future losses, researchers in both industry and academia have attempted to expose rug pull risks in advance. However, rug pulls can manifest in various scenarios during the transfer process, posing significant challenges for effective detection.
In this paper, we first conduct an in-depth study of the root causes of 201 real-world rug pull incidents, and summarize 4 common types of rug pull risks. Then, we establish a component-configurable transfer model to locate and analyze the transfer process in token contracts. Based on the model, we generate effective oracles for the 4 rug pull risks, which can overcome the interference of diverse implementation structures. We propose Tokeer, a token verification tool that implements the transfer model and oracles with Datalog to expose rug pull risks hidden in token contracts. We apply Tokeer to real-world tokens and compare it with state-of-the-art tools: the commercial tool GoPlus and the academic tool Pied-Piper. Tokeer achieves an average of 98.0% recall and 98.9% precision, and successfully detects 27.2% more real rug pull risks in wild production, significantly outperforming the state-of-the-art tools in terms of detection accuracy and effectiveness.

Published In

ICSE-SEIP '24: Proceedings of the 46th International Conference on Software Engineering: Software Engineering in Practice
April 2024
480 pages
ISBN: 9798400705014
DOI: 10.1145/3639477

In-Cooperation

  • Faculty of Engineering of University of Porto

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 31 May 2024

Author Tags

  1. rug pull
  2. crypto token
  3. datalog analysis

Qualifiers

  • Research-article

Funding Sources

  • National Key Research and Development Project
  • NSFC Program

Conference

ICSE-SEIP '24