Nearly half of the new tokens are suspected of fraud: A deep analysis of the $800 million Rug Pull case in the Ethereum ecosystem.

Unveiling the Chaos of Ethereum Token Ecosystem: An In-Depth Investigation of Rug Pull Cases

Introduction

In the Web3 world, new tokens are constantly emerging. Have you ever wondered how many new tokens are issued every day? Are these new tokens safe?

These concerns are not unfounded. In the past few months, a security team has captured a large number of Rug Pull transaction cases. Notably, all the tokens involved in these cases are newly launched tokens that have just gone on-chain.

Subsequently, the security team conducted an in-depth investigation into these Rug Pull cases and discovered the existence of organized criminal groups behind them, summarizing the patterned characteristics of these scams. Through a thorough analysis of the methods used by these groups, a possible scam promotion channel for Rug Pull groups was identified: Telegram groups. These groups leverage the "New Token Tracer" feature in certain groups to attract users to purchase scam Tokens and ultimately profit through Rug Pull.

The security team compiled the token push messages from these Telegram groups between November 2023 and early August 2024 and found a total of 93,930 new tokens pushed, of which 46,526 are related to Rug Pulls, a share of 49.53%. The gangs behind these Rug Pull tokens invested a total of 149,813.72 ETH and took in 282,699.96 ETH, a return of 188.7% and roughly 800 million USD.


To assess what share of all new tokens on the Ethereum mainnet the Telegram groups were pushing, the security team also compiled data on new token issuances on the mainnet over the same period. A total of 100,260 new tokens were issued, and the tokens pushed through Telegram groups account for 89.99% of them. On average about 370 new tokens are born each day, far more than any reasonable expectation. The in-depth investigation produced a disturbing result: at least 48,265 of these tokens are involved in Rug Pull scams, a share of 48.14%. In other words, almost one in every two new tokens on the Ethereum mainnet is a scam.


In addition, more Rug Pull cases have been found in other blockchain networks. This means that not only the Ethereum mainnet, but the overall security situation of the new token ecosystem in Web3 is far more severe than expected. Therefore, this report hopes to help all Web3 members raise their awareness of prevention, remain vigilant in the face of the endless scams, and take necessary preventive measures in a timely manner to protect their asset security.

ERC-20 Token

Before we officially start this report, let's first understand some basic concepts.

ERC-20 is one of the most common token standards on the blockchain today. It defines a set of specifications that let tokens interoperate across different smart contracts and decentralized applications (dApps). The standard specifies a token's basic functions, such as transferring, checking balances, and authorizing third parties to manage tokens. Because of this standardized interface, developers can issue and manage tokens more easily, which simplifies their creation and use. In fact, any individual or organization can issue their own ERC-20 token and raise startup funds for a financial project through a token presale. Because of this wide applicability, ERC-20 has become the foundation for many ICOs and decentralized finance projects.

The USDT, PEPE, and DOGE we are familiar with are all ERC-20 tokens, and users can purchase them through decentralized exchanges. However, scam groups can just as easily issue malicious ERC-20 tokens containing backdoor code, list them on decentralized exchanges, and lure users into buying them.

Typical Scam Cases of Rug Pull Tokens

Here, we borrow a case of a Rug Pull token scam to gain an in-depth understanding of the operational model of malicious token scams. First, it should be noted that a Rug Pull refers to the fraudulent act where the project team suddenly withdraws funds or abandons the project in a decentralized finance project, resulting in significant losses for investors. Rug Pull tokens are tokens specifically issued to carry out such fraudulent activities.

The Rug Pull tokens discussed in this article are sometimes referred to as "Honey Pot tokens" or "Exit Scam tokens", but for consistency we will call them Rug Pull tokens in the text that follows.

Case

The attacker (Rug Pull gang) deployed the TOMMI Token from the Deployer address (0x4bAF), then created a liquidity pool with 1.5 ETH and 100,000,000 TOMMI, and actively bought TOMMI through other addresses to fake the pool's trading volume and attract users and on-chain new-listing bots into buying TOMMI. After enough new-listing bots had been lured in, the attacker executed the Rug Pull from the Rug Puller address (0x43a9). The Rug Puller dumped 38,739,354 TOMMI into the liquidity pool, exchanging them for about 3.95 ETH. The Rug Puller's tokens came from a malicious approve in the TOMMI token contract: set up when the contract was deployed, it granted the Rug Puller approval over the liquidity pool's tokens, allowing the Rug Puller to withdraw TOMMI directly from the pool and then carry out the Rug Pull.

Related addresses

  • Deployer: 0x4bAFd8c32D9a8585af0bb6872482a76150F528b7
  • TOMMI Token: 0xe52bDD1fc98cD6c0cd544c0187129c20D4545C7F
  • Rug Puller: 0x43A905f4BF396269e5C559a01C691dF5CbD25a2b
  • Rug Puller disguised user (one of them): 0x4027F4daBFBB616A8dCb19bb225B3cF17879c9A8
  • Rug Pull fund transfer address: 0x1d3970677aa2324E4822b293e500220958d493d0
  • Rug Pull fund retention address: 0x28367D2656434b928a6799E0B091045e2ee84722

Related transactions

  • Deployer obtains startup capital from the exchange: 0x428262fb31b1378ea872a59528d3277a292efe7528d9ffa2bd926f8bd4129457
  • Deploy TOMMI Token: 0xf0389c0fa44f74bca24bc9d53710b21f1c4c8c5fba5b2ebf5a8adfa9b2d851f8
  • Create liquidity pool: 0x59bb8b69ca3fe2b3bb52825c7a96bf5f92c4dc2a8b9af3a2f1dddda0a79ee78c
  • The fund transfer address sends funds to one of the disguised users: 0x972942e97e4952382d4604227ce7b849b9360ba5213f2de6edabb35ebbd20eff
  • A disguised user purchases tokens (one of them): 0x814247c4f4362dc15e75c0167efaec8e3a5001ddbda6bc4ace6bd7c451a0b231
  • Rug Pull: 0xfc2a8e4f192397471ae0eae826dac580d03bcdfcb929c7423e174d1919e1ba9c
  • Rug Puller sends the funds to the intermediary address: 0xf1e789f32b19089ccf3d0b9f7f4779eb00e724bb779d691f19a4a19d6fd15523
  • The intermediary address sends funds to the fund retention address: 0xb78cba313021ab060bd1c8b024198a2e5e1abc458ef9070c0d11688506b7e8d7

Rug Pull process

  1. Prepare attack funds.

The attacker deposited 2.47309009 ETH from the exchange into the Token Deployer (0x4bAF) as starting funds for the Rug Pull.

  2. Deploy the Rug Pull token with a backdoor.

The Deployer creates the TOMMI Token, pre-mining 100,000,000 tokens and allocating them to itself.

  3. Create the initial liquidity pool.

The Deployer created a liquidity pool using 1.5 ETH and all pre-mined tokens, obtaining approximately 0.387 LP tokens.

  4. Destroy all pre-mined token supply.

The Token Deployer sends all LP tokens to the zero address, destroying them. Since the TOMMI contract has no Mint function, the Token Deployer has, in theory, lost the ability to Rug Pull. (This is also one of the conditions needed to attract new-listing bots: some of them assess whether a newly pooled token carries Rug Pull risk. The Deployer also sets the contract Owner to the zero address to get past the bots' fraud detection.)

  5. Fake trading volume.

The attackers actively purchase TOMMI tokens from the liquidity pool through multiple addresses, inflating the pool's trading volume and attracting further bots. (The basis for judging these addresses to be attacker disguises: their funds come from the Rug Pull gang's historical fund transfer addresses.)

  6. The attacker initiated the Rug Pull from the Rug Puller address (0x43A9), transferring 38,739,354 tokens directly out of the liquidity pool through the token's backdoor, then dumping these tokens into the pool and extracting about 3.95 ETH.

  7. The attacker sends the funds obtained from the Rug Pull to the intermediary address 0xD921.

  8. The intermediary address 0xD921 sends the funds to the fund retention address 0x2836. This shows that once a Rug Pull is complete, the Rug Puller forwards the proceeds to a fund retention address. Such an address is a collection point for funds from numerous monitored Rug Pull cases; it splits most of what it receives to finance a new round of Rug Pulls, while the small remainder is withdrawn via exchanges. Several fund retention addresses have been identified, and 0x2836 is one of them.

Rug Pull backdoor code

Although the attackers tried to prove to the outside world that they could not perform a Rug Pull by destroying the LP tokens, they had in fact left a malicious approve backdoor in the openTrading function of the TOMMI token contract. When the liquidity pool is created, this backdoor makes the pool approve the Rug Puller address as a spender of its tokens, so the Rug Puller can transfer tokens directly out of the pool.

The implementation of the openTrading function is shown in Figure 9. Its main job is to create a new liquidity pool, but inside it the attacker calls the backdoor function onInit(), shown in Figure 10, which makes uniswapV2Pair approve a transfer amount of type(uint256).max (the maximum uint256 value) to the _chefAddress address. Here uniswapV2Pair is the liquidity pool address and _chefAddress is the Rug Puller address; _chefAddress was specified at contract deployment, as shown in Figure 11.

![Figure 9: openTrading function of the TOMMI contract](https://img-cdn.gateio.im/webp-social/moments-e5f43d39fa77597ff8f872a1d98cd3ac.webp)

![Figure 10: onInit backdoor approving _chefAddress](https://img-cdn.gateio.im/webp-social/moments-ed67ee56316de1b6a3f2649e45ceeb82.webp)

![Figure 11: _chefAddress set at contract deployment](https://img-cdn.gateio.im/webp-social/moments-21fdee332b94d46b0a63310dfa494de9.webp)
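As an added illustration (not code from the report or from the TOMMI contract), the following Python model reproduces the approve backdoor described above and shows why the LP-burn and owner-renounce heuristic misses it, while a check of the pool's own allowances catches it. The class, function names and address labels are this example's own; the token amounts reuse the report's figures.

```python
MAX_UINT256, ZERO = 2**256 - 1, "0x" + "0" * 40
DEPLOYER, PAIR, CHEF, ROUTER = "deployer", "pair", "chef", "router"  # constructed labels

class BackdooredToken:
    """Minimal ERC-20 model with the report's approve backdoor in open_trading()."""
    def __init__(self, supply, deployer, chef):
        self.balances = {deployer: supply}      # pre-mined supply sits with the deployer
        self.allowances = {}                    # owner -> {spender: amount}
        self.owner, self.chef = deployer, chef  # chef plays _chefAddress, fixed at deployment
        self.pair, self.lp_burned = None, False

    def allowance(self, owner, spender):
        return self.allowances.get(owner, {}).get(spender, 0)

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def transfer_from(self, caller, src, dst, amount):
        if self.allowance(src, caller) < amount:
            raise PermissionError("allowance exceeded")
        self.transfer(src, dst, amount)

    def open_trading(self, pair):
        self.pair = pair
        self.transfer(self.owner, pair, self.balances[self.owner])  # seed the pool
        # Backdoor (the report's onInit()): the pool approves _chefAddress for type(uint256).max
        self.allowances.setdefault(pair, {})[self.chef] = MAX_UINT256

    def burn_lp_and_renounce(self):
        self.lp_burned, self.owner = True, ZERO  # the signals listing bots look for

def naive_check(token):
    """Heuristic the report says listing bots use: LP burned and owner renounced."""
    return token.lp_burned and token.owner == ZERO

def pair_allowance_check(token, trusted=(ROUTER,)):
    """Spenders the pool has approved other than the router; any entry is a red flag."""
    return [s for s, a in token.allowances.get(token.pair, {}).items()
            if a > 0 and s not in trusted]

def demo():
    t = BackdooredToken(100_000_000, DEPLOYER, CHEF)
    t.open_trading(PAIR)
    t.burn_lp_and_renounce()
    looks_safe, flagged = naive_check(t), pair_allowance_check(t)
    t.transfer_from(CHEF, PAIR, CHEF, 38_739_354)  # drain succeeds despite burned LP
    return looks_safe, flagged, t.balances[CHEF]
```

The defensive takeaway: before buying a newly listed token, read the pool's `allowance(pair, spender)` for every spender that appears in its Approval events and treat any spender other than the router as a Rug Pull signal, regardless of burned LP or a renounced owner.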

Mode of operation

By analyzing the TOMMI case, we can summarize the following four characteristics:

  1. The Deployer obtains funds through an exchange: the attacker first funds the deployer address (Deployer) via an exchange.

  2. The Deployer creates a liquidity pool and burns the LP tokens: after creating the Rug Pull token, the deployer immediately creates a liquidity pool for it and burns the LP tokens to increase the project's credibility and attract more investors.

  3. The Rug Puller exchanges a large amount of tokens for ETH in the liquidity pool: the Rug Pull address (Rug Puller) uses a large amount of tokens (usually far exceeding the token's total supply) to exchange for ETH in the liquidity pool. In other cases, the Rug Puller obtains ETH from the pool by removing liquidity.

  4. Rug Puller transfers the ETH obtained from the Rug Pull to the fund retention address: The Rug Puller will transfer the ETH obtained to the fund retention address, sometimes through

Comments

MoneyBurnervip · 07-29 19:02
Only after the floor price was fully taken did I realize that on-chain is full of traps... My mentality collapsed this time; next time I will bet heavily on long orders to recoup my investment!

BearMarketBrovip · 07-29 18:57
Playing people for suckers one after another...

ZkProofPuddingvip · 07-29 18:55
Suckers are still frantically earning new coins.

AlwaysAnonvip · 07-29 18:52
Hi, still dreaming of buying the dip.

ContractHuntervip · 07-29 18:52
I saw through those traps in the tg group early on.

MetaDreamervip · 07-29 18:35
The suckers were pulled out before they had fully grown.