Not long ago, the Non-Fungible Token (NFT) and metaverse frenzy made the crypto industry appear to be all cheese and champagne. Then, in the first half of 2022, the digital assets market fell prey to a series of crypto rug pulls and hacks.
But what are rug pulls and hacks exactly? How different are they, and what can you do to stay safe?
Rugpulls vs. Hacks: The basic difference
As you know, transactions usually involve two parties—the producer and the consumer. When the producers themselves end up stealing from the consumer, metaphorically pulling the rug from under their feet, it is referred to as a rug pull or scam. On the other hand, if a third party attempts to steal from both parties, it is known as a hack, attack, or exploit.
Let’s take an example. If one fine morning, the bank decides to make a run with the customers’ funds, it will be marked as a scam—or a rug pull in crypto parlance. But in the case of a bank robbery, the robbers are the third party. They leave both the customer and the bank without money. That’s a hack.
What is a crypto rug pull?
With crypto rug pulls, developers cause the people who place their trust in their project to lose money. The developers of such projects are a lot like antiheroes—“good” guys who turn out to be bad eggs. However, rug pulls are categorized into two types.
Hard Rugpulls: This kind of rug pull is what most people are familiar with, and we focus on it in this article. They are well-planned; the trust of the community is secured primarily with the intention of stealing from them.
Soft Rugpulls: When tokens are devalued tokens because the developers are desperate and decide to dump their crypto assets overnight as a result of their desperation, it is called a soft rug pull. While such pumping-and-dumping is viewed as unethical, it may not be considered a criminal act.
According to a Chainalysis report, scamming revenue rose 82% in 2021, to $7.8 billion worth of crypto. The firm noted that over $2.8 billion of this total came from rug pulls.
Two domains in crypto—NFTs and Decentralized Finance (DeFi)—have witnessed the rug pulls of recent times.
NFT rug pulls
Rupulls in the NFT space do, unfortunately, affect some of the very projects that are considered to be safest—blue-chip projects. Blue-chip status is like a blue tick on Instagram or Twitter. People use it to check the trustworthiness of a project.
Blue-chip projects are seen as sustainable long-term investments, and that is precisely what rug-pulling developers take advantage of. Properties of such projects are first cloned. Then, sometime after the primary sale, the founders abandon the project, making away with members’ funds.
In November 2021, for instance, the users of a project inspired by the Squid Game TV show fell prey to one such scam.
The chart above captures native token SQUID’s sudden and phenomenal surge by close to 2,400% in a 24-hour window and subsequent by a drop to zero after the developers disappeared with member funds. A wave of NFT rug pulls followed soon after.
DeFi rug pulls
With rug pulls in the DeFi space, the developers of a project drain funds from the liquidity pool and disappear, sending the token’s value to zero.
A recent DeFi scam involved Blur Finance, a yield aggregator operating on BNB Chain and Polygon. However, earlier this year, the project was suddenly abandoned, and all its social media channels were deleted. According to security firm PeckShield, over $600,000 worth of tokens vanished in the process.
What are crypto hacks?
Crypto hacks take place when external entities steal from crypto platforms, businesses, or individual retail investors. A hacker can steal crypto in a much larger variety of ways, some of which we will discuss below.
In cyberattacks, hackers use malware, phishing, ransomware, denial of service, and other external virus-based attacks to disable a crypto platform’s systems and steal data. They may also use the breached platform as a launch point for other attacks.
One of the most prominent examples involves North Korea. At the start of 2022, news of North Korea launching cyberattacks on crypto exchanges broke. The stolen crypto was said to have been used to fund the nation’s nuclear and ballistic missile programs.
Along with cyberattacks, DeFi hacks also caught the spotlight. Defi protocols account for nearly 97% of all crypto stolen in the first three months of 2022, according to the aforementioned report from Chainalysis.
DeFi attacks could be divided into two categories—flash loan attacks and code exploits. The chart below, which draws on the Chainanalysis data, should give you a fair idea about the prevalence of each of these attacks.
Now, let’s see what each of these types means.
1. Code exploits
If a hacker finds a bug, a.k.a. a software vulnerability, or flaw in the security systems of a DeFi protocol, they could exploit that knowledge to steal from users and the protocol. Such an attack is known as a code exploit.
A recent example is the one on cross-chain token bridge Nomad, which drained the network of nearly $200 million.
Cross-chain bridges basically help users send and receive tokens across blockchains. These bridges lock tokens in a smart contract on one chain and then send them in this “wrapped” form to the other.
In Nomad’s case, due to an update, the smart contract that was being used to deposit their tokens was compromised, rendering the wrapped tokens worthless. A new report from Coinbase shows that 88% of the hackers in this case simply copied the key attacker’s code to execute their own attack.
2. Flash loan attacks
A flash loan attack happens when hackers exploit flash loans. These attacks are much more complicated than code exploits. They require extensive planning to pull off successfully.
Let’s look at an example that will help you understand how extensive these scams can be. Earlier this year, a bunch of attackers managed to collect an airdrop meant for owners of two premium NFT projects, BAYC and MAYC. How did they manage to pull this off?
First, the attackers bought themselves an Ape NFT via the NFT marketplace, OpenSea. Then, they used this purchase as collateral to initiate a flash loan. The loan enabled them to gain access to five BAYC NFTs secured in a vault. The hackers then claimed the airdropped APE token with the five borrowed BAYC NFTs.
The airdrop developers had not anticipated that NFTs borrowed through a flash loan could be used in this manner. They had not ensured that those making claims with this kind of temporary “ownership” could be weeded out. The hackers had managed to identify and exploit this loophole.
How can you protect yourself?
Security-related threats are inevitable in most industries, but ours is seen as particularly vulnerable. Not falling prey to FOMO (the fear of missing out) helps, but DYOR helps even more.
You should always do the following:
- Verify the credibility of project developers. Ask “Do the founders have substantial proof of work in the crypto industry? What is their track record?
- Check the total value locked (TVL) in the project. Ensure that the figure is between 80% and 100%. Protocols with no liquidity lock on the token supply essentially allow the creators to run away with the liquidity, including your money.
- Look for sudden or massive price hikes in new DeFi coins. If in doubt, use a block explorer—a web application that provides crypto transaction-related data, including addresses and fees, about blockchains—to make decisions.
To sum it up, “Don’t trust, verify.”