Plato Data Intelligence.
Vertical Search & Ai.

How Auditors Detect DeFi Rug Pull Scam: Can You Do It Yourself?


Hackers stole more cryptocurrency from decentralized finance (DeFi) platforms than ever before in 2022. Nearly 98% of all tokens launched on DeFi’s flagman DEX Uniswap were identified as rug pulls.

The latest one, Defrost Finance, came as a Christmas nightmare for crypto investors, wiping out $12 million of their money. 

Most hacks on DeFi platforms happen through security breaches and code exploits. Projects that end up being rug pull scams have serious security issues that have been let slip or, maybe, undetected on purpose. To prevent similar risks DeFi security audits are critical.

Find out more about these audits, how they are conducted and whether it is possible to run a DeFi audit by yourself. 

What is DeFi Security Audit?

DeFi projects are implemented as complex, self-executing smart contracts, often transparent and open-source. They act as legal agreements between two parties. And since no centralized entity is behind it, even a small bug in smart contracts might lead to irreversible consequences.

This means that there should be no room for errors in smart contracts. DeFi smart contract security audits are meant to ensure that.

Security audits examine the code of smart contracts and how it grounds contracts’ terms and conditions. The detailed analysis searches for potential security flaws, violations and system bugs in the code, so it cannot be exploited. 

Security audits, usually conducted by third parties, are vital to ensuring the security, credibility of projects and maintaining a healthy ecosystem of DeFi.

How Can Scammers Exploit Smart Contracts and Rug Pull?

Rug pull is a type of exit scam that operates in a simple model: developers create a legit-looking DeFi protocol, run and promote it until the project attracts enough liquidity, then pull out the funds and disappear. 

Well, not always. Occasionally, rug pull scammers blame hackers for stealing liquidity and stay in business until the next time.

To implement an attack, scammers embed malicious code into the smart contracts. They modify them to prevent investors from selling: set the max (100%) selling fee, blacklist token owners, and lock users’ money into a contract.

Some smart contracts involve coding a malicious “back door” into them, which allows developers to withdraw the liquidity.  

Most of the time, modified smart contracts are not verified by security auditors and are hidden from the public eye. Since most on-chain contracts are publicly available, a lack of transparency on GitHub might be a red flag. 

How to Check if DeFi’s Smart Contract is Safe

The blockchain and smart contract industry is still relatively young, and so is the smart contracts audit sector. Numerous firms specialize in smart contract security audits, develop their tools and shape their know-how. 

Smart contract security industry standards and best practices are evolving. Despite that, some pretty standard audit methods are used by DeFi audit industry players.

Typically their investigations begin with the smart contract evaluation. The auditor analyzes the whitepaper, business logic, and technical specification of DeFi protocol to estimate potential risks and security features.

Then they shift their attention to the code of the smart contract. This is when code review and analysis start. 

Auditors inspect code line by line, looking for vulnerabilities of different levels: critical ones, which can result in liquidity leak; medium-level, which could partially damage the smart contract; and low-level issues, which affect the contract’s security the least.

They deploy a number of audit techniques, including automated and manual analysis. Both have their pros and cons.

Automated security audit means scanning the code with automated analysis software, which searches for bugs against the database of known vulnerabilities and identifies their precise location in the code.

The software-based audit is typically conducted before the manual analysis to detect errors that humans might overlook. It is faster and less time-consuming, but at the same time may not always be aware of the context and miss certain vulnerabilities. 

Manual code analysis is called a  king in smart contract auditing and is the most critical part of a comprehensive and accurate smart code security audit. It is conducted by at least two separate experts that inspect the code line by line.

The goal is to verify that every detail in the project’s specification is implemented into the smart contract and that nothing violates its originally intended behavior. 

The auditors scrutinize for unintended, unexpected behavior, crucial security issues, and vulnerabilities like re-entrance, data manipulations, flash loans, and other manipulations that might be implemented while the smart contract interacts with others.

In addition to that, manual audits run simulations to evaluate how well does DeFi project’s smart contract respond to unidentified threats and how capable it is to defend itself against them. 

Within the final part of manual code analysis, the auditor compares the smart contract’s logic with its description in the project’s whitepaper. 

Once all vulnerabilities have been identified and fixed, the auditors run a double-check process to ensure the smart code runs as expected.

Finally, after the security audit is completed, the auditors prepare a comprehensive report. This is where they provide detailed feedback on what they discovered. Typically their report comes with recommendations on how detected code weaknesses can be fixed to mitigate the project’s security. 

What Determines that Smart Contract Audit is Professional?

Smart contracts are a relatively new innovation. Their security standards are yet evolving accordingly. This means no golden rule guarantees a full smart contract safety.

Moreover, not all smart contract auditing firms are the same, and not all audits guarantee safety. Auditors may have different skill levels, different goals, and different costs.

Not to mention that the market is full of sketchy developers that forge the fact of being audited and benefit from the name of a respectable company. This is what happened to Peckshield, a blockchain security and data analytics company, more than a year ago:

Situations like this are quite common in the cryptocurrency space. They take the name of a legit and respectable auditor and put it into their whitepaper, saying that their protocol was audited.

The only way to avoid cases like this is to check for confirmation on the auditor’s original channels. If there is none, chances are that the auditor’s name has been simply stolen. 

Always check its client portfolio to evaluate if the auditor is solid and reputable. Google the cases to verify their experience records, and check if any of the audited projects have suffered the rug pull or other attacks.

Can One Conduct Code Audit Himself?

With so many hacks and rug pulls in crypto space, it’s naive to imagine that DeFi projects are safe without being inspected. Smart contract audits provide a critical layer of safety. 

However, even the most professional ones do not guarantee that DeFi project is absolutely bug-free. Smart contracts are complex. They require detailed and comprehensive analysis, expertise, tools, and, most importantly, more than one pair of eyes.


Latest Intelligence