The rapid growth of open finance in 2021 opened the door to a new type of scam: the rug pull. Chainalysis noted that this scam accounted for about 37% of all losses over the past twelve months.
Decentralized Trading Opens Rug Pull Opportunities
Rug pulls happen when a token-based decentralized project collects significant funds from investors in exchange for a new token. The new token is then usually listed on decentralized exchanges such as SushiSwap or PancakeSwap. The project team, instead of providing liquidity and waiting for its token to appreciate, usually dumps its holdings and takes any liquidity deposited into the trading pair.
The team may also simply disappear after grabbing any funds made available through token sales. Among notable rug pull scams was the Evolved Apes collection, which raised millions with the promise of launching a game based on the collectible cards.
Chainalysis notes that the level of scams in the form of blatant Ponzi schemes remains similar to previous years. But the appearance of short-term rug pulls is creating a long list of smaller losses, usually affecting new crypto investors interested in play-to-earn.
Higher cryptocurrency prices meant the losses amounted to $7.7B in cryptocurrencies taken from investors. Exchange thefts continue, usually through compromised wallets. The other big source of scams is faulty smart contracts that can be exploited.
PeckShield, one of the major scam-tracking services, also warns of new play-to-earn projects abusing its reputation.
With the addition of thousands of new token sales and collections, there is no guarantee that their smart contracts and other infrastructure have been audited for flaws or maliciously placed exploit tools.
Play-to-earn also relies on reward smart contracts, which can become a point of failure leading to losses or exploits. Black Eye Galaxy, a new metaverse project, is currently overhauling its reward system.
Other vectors of attack include attempts to scam a Discord community, as in the case of the Phantom Galaxies project. The gaming community was contacted through a faked team account and sent funds to a fake minting event.