Dear Bankless Nation,
Scammers love a good rug pull, the insiders promise users the world – then disappear with the funds, often never to be heard from again.
Today, we're unpacking the top 10 rug pulls of all time, pulling out details about the projects and scenarios so that you can learn from them!
-Bankless team
The Ten Worst Crypto Rug Pulls
Contributing Writer: 563
If you've stuck around DeFi this long, you've undoubtedly weathered more scams, hacks, and shady actors than you once thought possible. I've had my fair share of close calls and tough losses, but that's the risk we take when interacting at the cutting edge of financial technology.
Of all the pitfalls of DeFi, the ones that often sting the most are rug pulls. These insider exploits – also known as exit scams – occur when project insiders leverage user trust only to steal assets from them. They usually happen via malicious code snuck into smart contracts, allowing developers to drain those contracts or user wallets.
In today's article, we delve into the largest rug pulls of all time. What went wrong? And what can we learn from them?
Since it can sometimes be contentious to determine if an exploit was the fault of carelessness or outright maliciousness, we will use DefiLlama's list of onchain rug pulls to stay unbiased. So, while this probably doesn't include every occurrence of insiders stealing funds, it is a great start.
10. JayPegs Automart
Amount Lost: $3.1M
Date: September 17, 2021
Chain: Ethereum
Method: Redirected Deposits
It was a sad day when the World's #1 2007 Kia Sedona Superstore™ fell victim to an insider attack ahead of their initial offering on SushiSwap. A sneaky dev replaced the auctionWallet address with his own, leading to all user funds funneling into their pocket.
What followed was a surprisingly aggressive retaliation from the SushiSwap team, who quickly identified the suspected perpetrator. The tactic succeeded, and after going as far as doxxing the dev and threatening FBI involvement, funds (totaling 865 ether) were quickly returned.
At least we get to start with a happy ending – it gets much more bleak from here... 😬
9. Dragoma
Amount Lost: $3.5M
Date: August 8, 2022
Chain: Polygon
Method: Drained Vaults
Following in the footsteps of Solana's STEPN, Dragoma on the Polygon network marketed itself as a move-to-earn game where users could earn the $DMA token by performing in-game tasks and could hatch dragon NFTs by walking. Player hype to live out their inner Berk was squashed when liquidity was pulled, and the $DMA price dropped to basically zero.
This rug pull occurred less than 24 hours after $DMA was listed on MEXC, a centralized exchange. Remember – not even the CEX traders are immune to onchain rugs!
8. Magnate Finance
Amount Lost: $6.4M
Date: August 25, 2023
Chain: Base
Method: Drained Contracts
The most recent on our list – early Coinbase Base chain explorers experienced a gut punch with Magnate Finance. The team running this fledgling lending platform manipulated a price oracle, allowing them to steal locked assets.
Onchain sleuth ZachXBT forewarned the community the day before the exit scam, noting that the deployer address of Magnate Finance was linked to a similar scam.
New chains are the Wild West – proceed cautiously and stick to audited and time-tested protocols to help reduce your risk profile.
7. Arbix Finance
Amount Lost: $10M
Date: January 4, 2022
Chain: BNB Chain
Method: Drained Contracts
In what was advertised as a way to "gain optimal yield with low risk," Arbix used arbitrage to earn a yield on user deposits. As you probably guessed, this did not end well.
In the early morning hours of January 4, 2022, vaults were drained of roughly $10M in user funds, and the project socials and website were taken down. Soon after, the team dumped 4.5M $ARBX tokens into PancakeSwap, crashing the price from $1.42 to zero.
6. Compounder Finance
Amount Lost: $12M
Date: December 2, 2020
Chain: Ethereum
Method: Drained Contracts
Just a few months after the boom of DeFi Summer, spirits were high, and yields were higher. 1000% APR yield farms were popping up daily, and you could almost be forgiven for skipping due diligence to jump the line into a new farm… almost.
Compounder Finance, a fork of Yearn, was built by a group of anon devs and looked no different from countless other protocols hoping to feed into the liquidity mining craze. What was different was the malicious backdoor written into its contacts after they had been audited. This backdoor allowed developers to steal all user funds deposited into the protocol – roughly $12M worth.
Auditing practices have since had to adapt, with a renewed focus on not only external but internal threats as well. Rekt.news and @vasa_develop share an incredibly detailed event account – I recommend the read.
The bridge feature in MetaMask Portfolio pulls together bridging quotes from the top protocols in the ecosystem, giving you a boost of speed and efficiency on your journey between networks. Pick the quote that's best for you and move your funds without leaving the dApp.
5. Snowdog
Amount Lost: $18.1M
Date: November 25, 2021
Chain: Avalanche
Method: Drained Contracts
Avalanche Rush brought $180M in incentives to the ecosystem, ushering hordes of crypto enthusiasts to a new chain. Snowdog's ambitious (read "presumptuous") vision was to create a reserve currency backed by protocol-owned liquidity… and it was also a dog coin (DOGE was blowing up at the time).
After the initial "accumulation phase," where users could mint the $SDOG coin in an OHM-fork fashion by depositing the $MIM stablecoin, a buyback was scheduled to follow. The buyback was meant to be an opportunity for early buyers to cash out their $SDOG back into $MIM before the $SDOG supply was capped. This is where everything went to GoblinTown.
Immediately after the SDOG-MIM pool was established on TraderJoe, two frontrunners were able to dump massive bags of $SDOG at inflated valuations. The likelihood of these frontrunners being insiders began to rise after investigators uncovered several "conveniences" that hinted at inside knowledge. Still, the case remains in limbo, with some arguing that "game theory," and not maleficence, could have led to this conclusion.
4. StableMagnet
Amount Lost: $27M
Date: June 23, 2021
Chain: BNB Chain
Method: Drained Contracts & User Wallets
Promising high returns on stablecoins, StableMagnet attracted tens of millions in TVL before initiating a "novel rug method."
The team deployed a completely different library than the one in the source code because Etherscan/BSCscan explorers did not check the library source. Because of this, casual users received no warnings that the smart contracts were unverified.
This malicious code did not only drain funds within the protocol but also allowed the team to steal funds from user wallets.
The story does have a silver lining, as a whitehat hacker was able to track down the team through a combination of GitHub sleuthing and social engineering. This ultimately led to the arrests of some team members and the subsequent return of most stolen assets.
3. Paid Network
Amount Lost: $27M
Date: March 5, 2021
Chain: Ethereum
Method: Infinite Mint & Dump
The most infuriating rugs are often the ones that take advantage of newcomers to the digital asset ecosystem. When a project is run by a self-proclaimed "master disruptor crypto OG" YouTuber and proceeds to rug, we as an industry need to do better job calling out these figures.
The vulnerability was reported early on, with the contract owner having free reign to mint additional tokens. @WARONRUGS (account since deleted) noted this obvious vulnerability.
On March 5, the deployer wallet for $PAID transferred ownership to another (attacker) wallet, which subsequently minted $37M worth of the token. The attacker wallet then dumped these freshly minted tokens into the Uniswap pool, instantly crashing the price. While the team argues that poor key management led to the loss, others counter that "mint" exploits generally boil down to inside jobs.
2. Meerkat Finance
Amount Lost: $32M
Date: March 4, 2021
Chain: BNB Chain
Method: Drained Contracts
A day before the Paid Network fiasco, the nascent BNB Chain ("Binance Smart Chain" at the time) experienced its first major exploit with Meerkat Finance. Similar to other rug pulls mentioned, a dev was able to upgrade vault contracts to drain user funds – making off with almost $32M in $BNB and $BUSD.
Being early in the days of BSC, there were talks about the possibility of Binance manually rolling back the chain – reverting to an earlier timestamp and returning the stolen funds to users. In Meerkat Finance's Telegram, affected users were torn on how Binance should respond.
1. AnubisDAO
Amount Lost: $60M
Date: October 29, 2021
Chain: Ethereum
Method: Drained Contracts
What do you get when you combine a dog coin with an OHM fork? Well, it's a complete mess, as it turns out. Coming in at number one on DefiLlama's list with a whopping $60M in stolen funds is AnubisDAO.
Following a massive initial bonding, it appears that a single dev was able to drain the approximately $60M in ether from the project's liquidity pool. Shortly after, the project's Twitter account went silent, leaving investors in limbo. Eight months later, hopes of recovering funds were all but quashed with the exploiter routing the stolen assets through Tornado Cash.
Where do we go from here?
Let's start with some good news after that depressing data - of all rug pulls examined, the vast majority of funds were lost before 2022. In fact, about 84% of the funds in the Top 10 list were lost in just 2021, coming down from the highs of DeFi Summer.
What does this teach us? In general, auditing firms have learned (the hard way) that they must quickly adapt to maintain a good reputation. Also, community members who have been burnt in the past are quicker to dive into the code and identify shady teams at a much higher hit rate.
DeFi's anti-fragility in the face of lackluster safeguards and bad actors has hardened it, pushing it to course correct over time.
Will we ever see the day when anon teams cease to make off with ill-gotten gains? Unlikely. Where there is money to be made, bad actors will always test the boundaries. But are we heading in the right direction? Absolutely.
Action steps
- 🔐 Stay Protected: Read our 10 Steps for Crypto Security
- 💳 Don't Lose Your Keys: How to Prevent Crypto Wallet Hacks