Security Research

What’s the Deal with Rake Tokens?

November 7, 2023

Forta is the largest network of security intel in Web3. The decentralized Forta Network leverages machine learning to detect exploits, scams and other threats.       

You might have heard the term “rake token” floating around in Web3 security circles, but what exactly does it mean? A rake token is a token designed to exploit market conditions for its malicious creator. By crafting tokens with high fees on transfers and trades, these actors set a snare for the unwary. The owner of the contract thus receives a ‘rake’ of all transfers, earning undeserved revenue from unsuspecting users in perpetuity.

The modus operandi involves the creation of a new liquidity pool on decentralized exchanges like Uniswap. The token's creators might use the UniswapV2Factory's `createPair` function to establish a new trading pair between the rake token and another cryptocurrency, such as WETH. The UniswapV2Router02 interface is then used to conduct token swaps and add liquidity to the pool, laying the groundwork for the scheme.

The scam generally unfolds when these actors seek to exploit unsuspecting investors or capitalize on market hype. They create the token, provide initial liquidity, and then promote it aggressively to attract buyers, earning undue revenue on every trade and transfer. Once the token gains traction, malicious actors might also execute a rug pull to further exploit the situation and profit at the expense of other investors.

Here’s a breakdown of the attack:

1. Creation of a new token contract with hardcoded high fees on transfers and trades.

2. Use of the `createPair` function from UniswapV2Factory to create a new trading pair for the token (e.g., RAKE/WETH).

3. Utilization of the UniswapV2Router02 interface to swap tokens and enhance the liquidity pool.

4. Promotion of the token to attract buyers and increase its value.

5. Receipt of ongoing revenue from the high fees on transfers and trades of the token.

6. Execution of malicious actions like "rug pulls" or market manipulation to profit from unsuspecting buyers.

The success of this malicious endeavor relies on creating hype around the new token and attracting investors who might not be cognizant of the underlying risks. 

At Forta, shedding light on such risky endeavors is part of the mission to ensure a more secure decentralized ecosystem. To shield oneself from such attacks, it’s crucial to thoroughly evaluate new tokens, understand their utility, discover any hardcoded malicious functions, and assess the team behind them before investing.
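One way to evaluate a token for the high transfer fees described above is to compare what left the sender with what reached the recipient in a single transaction. The following is an added example, not Forta's Scam Detector code; the function name, the placeholder addresses, the sample events and the 10% threshold are all assumptions, as is the common pattern of the fee appearing as a second Transfer event from the same sender.

```python
from dataclasses import dataclass

ZERO = "0x0000000000000000000000000000000000000000"  # burn address

@dataclass(frozen=True)
class Transfer:
    """One decoded ERC-20 Transfer event emitted by the token under review."""
    sender: str
    recipient: str
    amount: int  # raw token units

def assess_transfer_fee(events, sender, recipient, threshold_bps=1000):
    """Measure what was skimmed between `sender` and `recipient` in one transaction.

    Fee-on-transfer tokens usually split one transfer into two events:
    sender -> recipient (net) and sender -> fee collector (the rake).
    threshold_bps is an assumed cut-off (10%); the page gives no number.
    """
    outgoing = [e for e in events if e.sender == sender]
    gross = sum(e.amount for e in outgoing)
    if gross == 0:
        return None  # nothing left the sender in this transaction
    net = sum(e.amount for e in outgoing if e.recipient == recipient)
    # Everyone other than the intended recipient who got a cut; burns are
    # excluded here because they do not pay the contract owner.
    collectors = {}
    for e in outgoing:
        if e.recipient not in (recipient, ZERO):
            collectors[e.recipient] = collectors.get(e.recipient, 0) + e.amount
    collected_bps = sum(collectors.values()) * 10_000 // gross
    return {
        "fee_bps": (gross - net) * 10_000 // gross,
        "collected_bps": collected_bps,
        "collectors": collectors,
        "flagged": collected_bps >= threshold_bps,
    }

# Constructed sample events (placeholder addresses, not real accounts).
PAIR, BUYER, TOKEN = "0xPairPlaceholder", "0xBuyerPlaceholder", "0xTokenPlaceholder"
RAKE_BUY = [Transfer(PAIR, TOKEN, 250_000), Transfer(PAIR, BUYER, 750_000)]
PLAIN_BUY = [Transfer(PAIR, BUYER, 1_000_000)]
BURN_BUY = [Transfer(PAIR, ZERO, 20_000), Transfer(PAIR, BUYER, 980_000)]

if __name__ == "__main__":
    for name, events in [("rake", RAKE_BUY), ("plain", PLAIN_BUY), ("burn", BURN_BUY)]:
        print(name, assess_transfer_fee(events, PAIR, BUYER))
```

Running the same check on both a buy (pair to buyer) and a sell (seller to pair) matters, since the fee can differ by direction.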

Forta’s Scam Detector detects rake tokens with high precision alongside 15+ other scam types. The Scam Detector is already baked into several security solutions via API integration and projects can easily purchase access through the Forta App. Wallet users can also download Forta’s MetaMask Snap to achieve the same level of threat protection for free.
