Attack Deep Dive: Hard RugPull

Article by Forta Network Jun. 29, 2023

Community Spotlight: This article was guest authored by security researcher Tamjid, a Forta community member and participant in Forta’s Threat Research Initiative (TRi).

Forta is a real-time detection network for security monitoring of blockchain activity. The decentralized Forta Network scans all transactions and block-by-block state changes, leveraging machine learning to detect threats and anomalies on wallets, DeFi, NFTs, bridges, governance and other Web3 systems. When issues are detected, Web3 infrastructure can respond to prevent attacks via transaction screening and incident response.

As the crypto market continues to soar, it has inadvertently attracted a certain breed of opportunists looking for a quick fortune. While the methods employed by these cyber fraudsters aren’t entirely novel (with Ponzi schemes laying the groundwork) the prevalence of the rugpull strategy is increasingly making its presence felt in the Web3 ecosystem. This phenomenon, largely driven by malicious smart contract codes and lack of investor awareness, leaves thousands of retail investors high and dry as soon as soon as they invest in the scheme

Understanding Rugpulls

In essence, a rugpull is a crypto scam where fraudsters deceive the public to gather funding, and subsequently abscond with investors’ digital tokens. This devious strategy typically involves the creation of a new crypto token, the artificial inflation of its value, and finally, the extraction of as much value as possible before the token’s price plummets to zero. Rugpulls can be broadly categorized into two types: Hard rugpulls and Soft rugpulls.

The dark underbelly of the cryptocurrency world is punctuated by the history of crypto rugpulls, with their origin tracing back to 2014 with the Bitcoin Savings and Trust Ponzi scheme. Trendon Shavers, the operator, was arrested for defrauding $80 million. From then on, rugpulls became an unfortunately regular occurrence, with some high-profile instances involving hefty losses. 

The trend of fraudulent activities escalated in 2021, with an estimated $7.7 billion stolen via rugpull scams, according to Solidus Labs’ 2022 study. This study revealed the shocking frequency of these scams, with around 350 fraudulent crypto tokens created daily. A report by Chainalysis further highlighted the scale of these scams, attributing over $2.8 billion of illicit activity in 2021 to crypto rugpulls, with 37% of all crypto-related scams occurring in the decentralized finance (DeFi) space.

What Constitutes a Hard Rugpull?

As compared to soft rugpulls that exclusively leverage social engineering tactics, hard rugpulls occur when developers intentionally place exploit functions to dupe investors. By embedding hidden elements into the contract, investors find themselves unable to perform any activities with their assets after investing in a project. Consequently, their funds are locked into the project, while the scammers gain full power to manipulate tokens.

This form of rugpull often happens when a project’s team abruptly withdraws the funds from a project after accumulating significant investment from their community. In such cases, the token value crashes to zero instantly, signaling to investors that they’ve been defrauded and that the creators have abandoned the project. Alternatively, developers might prolong their plans to maximize their ill-gotten gains.

A hard rugpull, can be further divided into two types: Liquidity stealing and Limiting sell orders.

Liquidity Stealing

This form of fraud involves the token creators extracting all the tokens deposited into a liquidity pool of a DEX. DeFi trading platforms necessitate a certain level of liquidity in crypto tokens to facilitate actions such as trades, exchanges, or loans, which are secured via smart contracts. However, this security measure can be easily breached by developers with malicious intent, granting them privileged access to the locked funds upon exit. As a result, the native token loses its value, crashing to zero while the attackers make off with the excess liquidity of the other token that was used as a means of exchange.

Limiting Sell Orders

A subtler tactic involves blocking or limiting a users’ ability to sell coins on a trading platform, which can be manipulated at any point. Once an exchange has attracted substantial traffic, fraudulent actors may modify a project’s code to allow traders only to buy into a platform. Meanwhile, the selling of the native token is disabled across all but malicious accounts, effectively channeling money into the wallets of corrupt developers.

Deciphering the Signs of a Hard Rugpull

In order to protect yourself from falling victim to a hard rugpull, there are several red flags to watch out for:

Hidden backdoors: hard rugpulls often involve malicious developers coding hidden backdoors into their tokens, which should be a key area of focus.

Rapidly depleted liquidity pool: If all the coins in the liquidity pool have been withdrawn quickly, this could be a sign of a rugpull.

Recent scams: Staying up-to-date with news and developments related to crypto scams can help protect you from falling victim to one in future investments.

Astronomical yields: While high yields are not unheard of in crypto, they rarely last more than a day or two at best. If it persists for too long, something’s suspicious.

Check the team behind the token: Legitimate cryptocurrency projects often have a team of developers and managers that are public about their identities and roles. Despite many incredible teams being anonymous, it can still be a potential red flag.

Read the white paper: Legitimate cryptocurrency projects often have a detailed white paper that outlines the problem they aim to solve, the technology behind their solution, and a roadmap for the future. If the white paper is not available, unclear, or lacks detail, it could be a cause for concern.

Investigate the community and social media presence: A strong, active community can be a positive sign for a cryptocurrency project. However, be aware that social media activity can be manipulated, so it’s not the only factor to consider.

Look for code audits and repository activity: If the project is open source, check for regular activity in their code repositories and look for independent audits of their code.

Evaluate the token’s use case: Does the token have a clear use case? Tokens with a clear use case or utility within their ecosystem are generally more legitimate than those without.

Check the token’s listing on reputable exchanges: While not a foolproof method, if a token is listed on reputable cryptocurrency exchanges, it may be more trustworthy.Check the token contract: Check if the token’s contract is verified and if it matches up with the team’s given contract list. Many hard rugpulls are impersonations a discrepancy will become clear when checking contract addresses.

Use security tools: Real-time threat intelligence can be crucial in protecting users from scams. Services that utilize Forta’s threat intelligence like Blockfence, or Zengo wallet can help in assessing the risk associated with a particular address or token​​.

Remember, investing in cryptocurrencies involves risk, and it’s important to only invest what you can afford to lose. It’s always advisable to do your own research before investing, taking account of the above and other end user attack methods. It is also worth noting that sophisticated scammers are aware of these red flags, and will attempt to satisfy or impersonate the above requirements.

Case Study: Ordinals Finance Hard RugPull

The recent scam by Ordinals Finance is worth exploring as a classic hard rugpull scheme that reportedly resulted in a loss of over $1 million for users. This case study examines the tactics used by Ordinals Finance to execute their scheme. As you read through the case study, keep in mind the above hard rugpull red flags and think about how each corresponds to the given scam.

1. The Scheme and Resulting Loss

Ordinals Finance, a DeFi project on the Binance Smart Chain (BSC), initially portrayed itself as an innovative investment opportunity. However, this facade was a carefully engineered deception designed to attract and defraud investors. The scheme involved the creation of a token with an ostensibly unique tokenomics model, which included promising high rewards for holders in the form of BUSD (Binance USD).

However, this promise of high returns proved to be a mirage. The project turned out to be a hard rugpull, a type of scam where the developers abruptly withdraw all the liquidity, rendering the token worthless. The fallout of this scam was substantial, with investors reportedly losing over $1 million.

In a clear sign of a hard rugpull, liquidity was stolen when the owner of the contract called the safutoken function to remove 256M of OFI. Subsequently, the scammer swapped all assets to native tokens and sent all scammed proceeds to a separate EOA that drained the funds via tornado cash.

2. Dissecting the Tokenomics

The tokenomics of Ordinals Finance was a key part of its scam strategy. It imposed a 12% tax on every transaction, which was ostensibly redistributed to holders and used to add liquidity to the PancakeSwap pool. While this model may have appeared to incentivize holding the token and stabilizing its price, it was a smokescreen for the impending rugpull.

3. Red Flags and Warning Signs

Several red flags were apparent in the Ordinals Finance project. First, the promise of regular high rewards is often a warning sign of potential scams, as it’s not clear how these rewards are sustainable over the long term.

Second, the anonymity of the team behind Ordinals Finance raises concerns about accountability and transparency. Reliable projects typically provide details about their team to show their credibility and commitment.

Third, although Ordinals Finance claimed to have a TechRate audit, this could not be independently verified. Even if it had been audited, it’s important to note that an audit mainly assesses the technical aspects of the code, not the team’s intentions or the project’s overall legitimacy.


The case of Ordinals Finance serves as a stark reminder of the risks involved in the cryptocurrency space. The project’s sophisticated scheme resulted in significant losses for investors. This case underscores the importance of thorough due diligence and a healthy degree of skepticism when dealing with cryptocurrency projects, especially those promising high returns. An appendix detailing the Forta alerts providing early warning signs and rugpull confirmation can be found here.

To protect oneself from hard rugpulls, users should check Forta threat intelligence before interacting with an unknown or suspicious EOA/contract. This can be done by pasting the EOA into the linked query via the Forta Explorer. Alternatively, one can also use a security plugin or wallet, like Blockfence or Zengo wallet, which integrate with Forta’s threat intelligence natively. An appendix referencing