If you've stuck around DeFi this long, you've undoubtedly weathered more scams, hacks, and shady actors than you once thought possible. I've had my fair share of close calls and tough losses, but that's the risk we take when interacting at the cutting edge of financial technology.
Of all the pitfalls of DeFi, the ones that often sting the most are rug pulls. These insider exploits – also known as exit scams – occur when project insiders leverage user trust only to steal assets from them. They usually happen via malicious code snuck into smart contracts, allowing developers to drain those contracts or user wallets.
In today's article, we delve into the largest rug pulls of all time. What went wrong? And what can we learn from them?
Since it can sometimes be contentious to determine if an exploit was the fault of carelessness or outright maliciousness, we will use DefiLlama's list of onchain rug pulls to stay unbiased. So, while this probably doesn't include every occurrence of insiders stealing funds, it is a great start.
10. JayPegs Automart
Amount Lost: $3.1M
Chain: Ethereum
Method: Redirected Deposits
It was a sad day when the World's #1 2007 Kia Sedona Superstore™ fell victim to an insider attack ahead of their initial offering on SushiSwap. A sneaky dev replaced the auctionWallet address with their own, funneling all user funds into their pocket.
What followed was a surprisingly aggressive retaliation from the SushiSwap team, who quickly identified the suspected perpetrator. The tactic succeeded, and after going as far as doxxing the dev and threatening FBI involvement, funds (totaling 865 ether) were quickly returned.
At least we get to start with a happy ending – it gets much more bleak from here… 😬
Following in the footsteps of Solana's STEPN, Dragoma on the Polygon network marketed itself as a move-to-earn game where users could earn the $DMA token by performing in-game tasks and could hatch dragon NFTs by walking. Player hype to live out their inner Berk was squashed when liquidity was pulled, and the $DMA price dropped to basically zero.
This rug pull occurred less than 24 hours after $DMA was listed on MEXC, a centralized exchange. Remember – not even the CEX traders are immune to onchain rugs!
8. Magnate Finance
Amount Lost: $6.4M
Date: August 25, 2023
Chain: Base
Method: Drained Contracts
The most recent on our list – early Coinbase Base chain explorers experienced a gut punch with Magnate Finance. The team running this fledgling lending platform manipulated a price oracle, allowing them to steal locked assets.
Onchain sleuth ZachXBT forewarned the community the day before the exit scam, noting that the deployer address of Magnate Finance was linked to a similar scam.
Community Alert: Magnate Finance on Base will likely exit scam in the near future currently with over $6.4M TVL.
In what was advertised as a way to “gain optimal yield with low risk,” Arbix used arbitrage to earn a yield on user deposits. As you probably guessed, this did not end well.
In the early morning hours of January 4, 2022, vaults were drained of roughly $10M in user funds, and the project socials and website were taken down. Soon after, the team dumped 4.5M $ARBX tokens into PancakeSwap, crashing the price from $1.42 to zero.
#CommunityAlert 🚨#Arbix Finance has been identified as #rugpull. Privileged functionalities appear in the identified smart contracts.
Just a few months after the boom of DeFi Summer, spirits were high, and yields were higher. 1000% APR yield farms were popping up daily, and you could almost be forgiven for skipping due diligence to jump the line into a new farm… almost.
Compounder Finance, a fork of Yearn, was built by a group of anon devs and looked no different from countless other protocols hoping to feed into the liquidity mining craze. What was different was the malicious backdoor written into its contracts after they had been audited. This backdoor allowed developers to steal all user funds deposited into the protocol – roughly $12M worth.
Auditing practices have since had to adapt, with a renewed focus on not only external but internal threats as well. Rekt.news and @vasa_develop share an incredibly detailed event account – I recommend the read.
Avalanche Rush brought $180M in incentives to the ecosystem, ushering hordes of crypto enthusiasts to a new chain. Snowdog's ambitious (read “presumptuous”) vision was to create a reserve currency backed by protocol-owned liquidity… and it was also a dog coin (DOGE was blowing up at the time).
After the initial “accumulation phase,” where users could mint the $SDOG coin in an OHM-fork fashion by depositing the $MIM stablecoin, a buyback was scheduled to follow. The buyback was meant to be an opportunity for early buyers to cash out their $SDOG back into $MIM before the $SDOG supply was capped. This is where everything went to GoblinTown.
Immediately after the SDOG-MIM pool was established on TraderJoe, two frontrunners were able to dump massive bags of $SDOG at inflated valuations. The likelihood of these frontrunners being insiders began to rise after investigators uncovered several “conveniences” that hinted at inside knowledge. Still, the case remains in limbo, with some arguing that “game theory,” and not maleficence, could have led to this conclusion.
4. StableMagnet
Amount Lost: $27M
Date: June 23, 2021
Chain: BNB Chain
Method: Drained Contracts & User Wallets
Promising high returns on stablecoins, StableMagnet attracted tens of millions in TVL before initiating a “novel rug method.”
🚨‼️ StableMagnet just rugged massively using a NOVEL RUG METHOD‼️🚨
The team deployed a completely different library than the one in the source code, which went unnoticed because Etherscan/BscScan explorers did not check the library source. Because of this, casual users received no warnings that the smart contracts were unverified.
This malicious code not only drained funds within the protocol but also allowed the team to steal funds from user wallets.
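The check the explorers skipped can be done by hand. The sketch below is an added example, not code from the article or from any project it describes: it walks a contract's runtime bytecode, collects every hard-coded 20-byte address (the form in which Solidity embeds linked library addresses), and flags those missing from a set of addresses you have confirmed as source-verified. The bytecode, the addresses and the `verified` set are constructed for illustration.

```python
PUSH1, PUSH20, PUSH32, DELEGATECALL = 0x60, 0x73, 0x7F, 0xF4

def scan(runtime_hex):
    """Walk runtime bytecode opcode by opcode.

    Returns (PUSH20 operands in order, whether DELEGATECALL occurs).
    PUSH data is skipped, so bytes inside constants are never read as opcodes.
    """
    if runtime_hex.startswith("0x"):
        runtime_hex = runtime_hex[2:]
    code = bytes.fromhex(runtime_hex)
    addresses, delegates, pc = [], False, 0
    while pc < len(code):
        op = code[pc]
        if PUSH1 <= op <= PUSH32:
            size = op - PUSH1 + 1
            operand = code[pc + 1:pc + 1 + size]
            if op == PUSH20 and len(operand) == 20:
                addresses.append("0x" + operand.hex())
            pc += 1 + size
        else:
            delegates = delegates or op == DELEGATECALL
            pc += 1
    return addresses, delegates

def unverified_libraries(runtime_hex, verified):
    """Hard-coded addresses without verified source, if the code can delegatecall."""
    addresses, delegates = scan(runtime_hex)
    if not delegates:
        return []
    known = {a.lower() for a in verified}
    return [a for a in dict.fromkeys(addresses) if a not in known]

# Constructed sample, not real contract code.
LIB_A = "0x" + "aa" * 20   # constructed: library with verified source
LIB_B = "0x" + "bb" * 20   # constructed: library with no verified source
SAMPLE = (
    "7f" + "73" + "11" * 31      # PUSH32 constant that happens to contain 0x73
    + "73" + "aa" * 20 + "5af4"  # PUSH20 LIB_A, GAS, DELEGATECALL
    + "73" + "bb" * 20 + "5af4"  # PUSH20 LIB_B, GAS, DELEGATECALL
    + "00"                       # STOP
)

if __name__ == "__main__":
    for lib in unverified_libraries(SAMPLE, {LIB_A}):
        print("linked library without verified source:", lib)
```

A PUSH20 operand can also be a token or router address, so treat the output as a list of addresses to review rather than a verdict.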
The story does have a silver lining, as a whitehat hacker was able to track down the team through a combination of GitHub sleuthing and social engineering. This ultimately led to the arrests of some team members and the subsequent return of most stolen assets.
3. Paid Network
Amount Lost: $27M
Date: March 5, 2021
Chain: Ethereum
Method: Infinite Mint & Dump
The most infuriating rugs are often the ones that take advantage of newcomers to the digital asset ecosystem. When a project is run by a self-proclaimed “master disruptor crypto OG” YouTuber and proceeds to rug, we as an industry need to do a better job calling out these figures.
The vulnerability was reported early on, with the contract owner having free rein to mint additional tokens. @WARONRUGS (account since deleted) noted this obvious vulnerability.
On March 5, the deployer wallet for $PAID transferred ownership to another (attacker) wallet, which subsequently minted $37M worth of the token. The attacker wallet then dumped these freshly minted tokens into the Uniswap pool, instantly crashing the price. While the team argues that poor key management led to the loss, others counter that “mint” exploits generally boil down to inside jobs.
A day before the Paid Network fiasco, the nascent BNB Chain (“Binance Smart Chain” at the time) experienced its first major exploit with Meerkat Finance. Similar to other rug pulls mentioned, a dev was able to upgrade vault contracts to drain user funds – making off with almost $32M in $BNB and $BUSD.
Being early in the days of BSC, there were talks about the possibility of Binance manually rolling back the chain – reverting to an earlier timestamp and returning the stolen funds to users. In Meerkat Finance's Telegram, affected users were torn on how Binance should respond.
What do you get when you combine a dog coin with an OHM fork? Well, it's a complete mess, as it turns out. Coming in at number one on DefiLlama's list with a whopping $60M in stolen funds is AnubisDAO.
Following a massive initial bonding, it appears that a single dev was able to drain the approximately $60M in ether from the project's liquidity pool. Shortly after, the project's Twitter account went silent, leaving investors in limbo. Eight months later, hopes of recovering funds were all but quashed with the exploiter routing the stolen assets through Tornado Cash.
Let's start with some good news after that depressing data – of all rug pulls examined, the vast majority of funds were lost before 2022. In fact, about 84% of the funds in the Top 10 list were lost in just 2021, coming down from the highs of DeFi Summer.
What does this teach us? In general, auditing firms have learned (the hard way) that they must quickly adapt to maintain a good reputation. Also, community members who have been burnt in the past are quicker to dive into the code and identify shady teams at a much higher hit rate.
DeFi's anti-fragility in the face of lackluster safeguards and bad actors has hardened it, pushing it to course correct over time.
Will we ever see the day when anon teams cease to make off with ill-gotten gains? Unlikely. Where there is money to be made, bad actors will always test the boundaries. But are we heading in the right direction? Absolutely.
Not financial or tax advice. Bankless content is strictly educational and is not investment advice or a solicitation to buy or sell any assets or to make any financial decisions. This newsletter is not tax advice. Talk to your accountant. Do your own research. Disclosure. From time-to-time we may add links in this newsletter to products we use. We may receive commission if you make a purchase through one of these links. Additionally, the Bankless team hold crypto assets.