Posted on January 24, 2022 at 9:25 PM
Security researchers at Checkpoint have revealed that threat actors are abusing misconfigurations in smart contracts to launch “rug pull” exit scams.
The researchers say the misconfigurations are providing opportunities for the threat actors to carry out cryptocurrency scams.
These token fraud instances include concealing backdoor routines and hiding 99% fee functions, according to the researchers.
Smart contracts are usually programs stored on the blockchain that are automatically executed when certain conditions are met. These contracts enable agreements and trusted transactions to be executed between different parties unanimously and without any need for a central authority.
A Similar Attacking Method Was Discovered Last Year
The Checkpoint researchers explained in their report how the threat actors create fraudulent tokens by misconfiguring smart contracts. They also explained the strategies the scammers are using to “rug pull” funds from unsuspecting victims, and gave some examples of the types of misconfigurations in smart contracts that can result in money heists.
The same research team has previously investigated cryptocurrency heists, and the latest finding has similarities with the previous results. In October last year, Checkpoint discovered the theft of crypto wallets on OpenSea, the largest NFT marketplace in the world.
A month later, they uncovered another phishing campaign where threat actors stole almost $500,000 worth of cryptocurrencies within days.
The crypto market is currently witnessing high volatility, with top assets like Bitcoin (BTC) and Ethereum (ETH) losing some ground in the market.
However, interest in cryptocurrencies and the NFT space remains high. While investors are still looking to hold on to their tokens in anticipation of another market surge, scammers are looking for ways to steal from them. Checkpoint researchers have now spotted these scammers paying more attention to smart contracts to steal new tokens before a “rug pull” takes place.
Flaws Can Also Be Exploited By External Hackers
The term “rug pull” is used to refer to an action taken by developers of a crypto asset to manipulate the perceived worth of the token before abandoning the project. This type of scam is common in the crypto and digital asset industry, with a recent example being the SQUID token. At one point, the token was valued at nearly $3,000 before it crashed suddenly, losing 99.9% of its value and rendering people’s investments worthless.
At the time the token reached its highest value, many investors tried to sell and cash out. But the developers rug pulled and prevented them from selling. The developers manipulated the token’s price and cashed out millions of dollars from investors’ funds.
The researchers also stated that developers of a cryptocurrency token are not the only group that can carry out contract code scams. They stated that vulnerabilities in smart contract code can be used by external threat actors to increase the possibility of a project losing investors’ funds.
The Attackers Can Use Different Techniques
The scammers can use several strategies to carry out rug pull scams. They can utilize scam services to establish smart contracts before naming the new token and making it public. They can also manipulate functions to generate hidden triggers before launching a rug pull.
Once the token is created, the scammers can use social media networks to promote and hype the token as well as its perceived value. Once the fraudsters initiate an exit scam, they usually place timelocks, which are used to put delays on administrative actions.
Another common technique used by scammers for rug pulls, according to Checkpoint, is the imposition of buy and sell fees.
The researchers discovered both an “aprove” and an “approve” function. The first is hidden and designed by developers to charge 99.9% as transaction fees after the project takes off. But the latter carries a legitimate fee that is usually a tiny fraction of the transaction amount.
“A legitimate token will not charge fees or will charge hardcoded values that can’t be adjusted by the developer,” Checkpoint says.
The scammers also add a hidden function that enables the developers to have complete control over who can sell tokens or add more coins. The hidden transfer function prevents investors or traders from reselling their tokens when the price is inflated.
In the latest development, the researchers discovered a function in a separate contract that could enable coin minting. In some instances, threat actors may be able to mint millions of virtual coins. Attackers can also use other methods, such as burning tokens to increase the price of existing pools, which occurred during the Zenon Network incident in 2021.
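For anyone reviewing a token's published source before buying, the red flags described above (a look-alike function name such as “aprove”, a fee the developer can change, a minting function, and a transfer function that checks who is allowed to sell) can be searched for mechanically. The script below is an added example, not code from Checkpoint's report; the sample contract, the regular expressions and the finding labels are assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher

# Standard ERC-20 function names; a near-miss such as "aprove" is a red flag.
ERC20 = {"totalSupply", "balanceOf", "transfer", "transferFrom", "approve", "allowance"}

# Constructed sample source for this example, not taken from any real token.
SAMPLE = """
contract Token {
    uint256 public sellFee = 2;
    mapping(address => bool) private canSell;
    function approve(address spender, uint256 amount) public returns (bool) { return true; }
    function aprove(uint256 v) public onlyOwner { sellFee = v; }
    function mint(address to, uint256 amount) public onlyOwner { }
    function transfer(address to, uint256 amount) public returns (bool) {
        require(canSell[msg.sender], "blocked");
        return true;
    }
}
"""

# Groups: name, parameters, modifiers, body (heuristic: bodies without nested braces).
FUNC = re.compile(r"function\s+(\w+)\s*\(([^)]*)\)([^{]*)\{(.*?)\}", re.S)

def scan(source):
    """Return (function, finding) pairs for the red flags named in the article."""
    findings = []
    for name, _params, _mods, body in FUNC.findall(source):
        for std in sorted(ERC20):
            close = SequenceMatcher(None, name.lower(), std.lower()).ratio() >= 0.85
            if name not in ERC20 and close:
                findings.append((name, f"name imitates standard {std}()"))
        # An assignment to a fee/tax variable inside a function means it is not hardcoded.
        if re.search(r"\b\w*(fee|tax)\w*\s*=(?!=)", body, re.I):
            findings.append((name, "fee is adjustable after deployment"))
        if re.search(r"mint", name, re.I):
            findings.append((name, "can create new tokens"))
        gate = re.search(r"require\s*\(\s*!?\s*\w+\[", body)
        if name in ("transfer", "transferFrom") and gate:
            findings.append((name, "transfer gated by an address list"))
    return findings

if __name__ == "__main__":
    for func, finding in scan(SAMPLE):
        print(f"{func}: {finding}")
```

These are text heuristics over source code, so a hit is a reason to read the function closely, not proof of fraud, and a clean result does not cover logic hidden in a separate contract.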