Nyacademy: Unrugged // Spotting Red Flags
There are probably more than 10 large scale scams over the past couple of weeks. DeFi is an interesting space but at the same time complex and rather dangerous.
With some basic knowledge of spotting red flags, one could potentially be safe from participating in potential ‘rug-pull’ projects. Not everyone knows how to read code or understand blockchain. Though there are quite a number of helpful people in the space trying to spot red flags and warning others, however, that is not quite effective as people still tend to jump into the bandwagon before doing some research on the project due to fear of missing out. One way better way, would be to equip people some basic knowledge in spotting the red flags.
What’s Nyacademy? It’s an initiative proposed by our Nyan Dev 🐱. The crypto industry moves too fast, projects get millions of dollars of investments within hours, but no one seems to sharing knowledge in this specific region: DeFi security (or ‘rug-pulls’), especially for the parts on code reading.
The Nyan Dev believes in collective knowledge. It doesn’t help much if only a few person knows how to spot the red flags. We can only reduce participations in ‘rug-pull’ projects if we work together. That way, we could warn each another and stay cautious.
In the first instalment of the ‘Unrugged’ series, we will take a general look at the DeFi ‘rug-pull’. In the future articles, we will go in-depth into specific projects which has been proven to be ‘rug-pulled’.
Scams happen is many different ways. Here’s to list just a few: site phishing, social engineering, economic exploits, malicious code etc. (and that’s not everything yet) Let’s start with a few simple ones.
Golden Rule: Trust no one, verify yourself.
Site phishing occurs when a fraudulent site pretends to be the real site. In most cases, they will have similar-looking URLs. This is especially common if you’re clicking to the site from social media platforms like Twitter or Facebook, or from the ‘promoted ADs’ when you search in Google. One way is prevent this is to always bookmark the actual site and visit it directly.
Also, always be wary of project names sharing similar names with popular authentic projects. New DeFi projects with such names are very likely to have ill-intention as they want to trick people into believing that they are the ‘real’ one.
If you’ve joined Telegram groups of crypto projects, chances are you’ve probably already met this. There would be random people offering you benefits that are too good to be true. There might also be people who try to impersonate the admins and trying to talk to you (with similar display photo and name). This is why many real admins always have this stated:
‘Admins will never PM you first’
So please do not find it weird when admins ask you to PM them first instead of them initiating the conversation first.
Everyone on the social media has their own agenda. People might promote certain projects because it benefits them in one way or another. So always do your own research.
This is the most complicated stun to pull off. This is by no means a bug in the code; in fact it means otherwise. We will not go in-depth into this topic because it is an entire universe of knowledge. This field of exploits is beyond what even code verification can minimally guarantee.
Here’s a few of the recent exploits to get a brief idea on what an economic exploit is:
If you find any red flags in any of the things mentioned above..
Be wary of participating in that particular project.
This it the part we want to spend more time on. While we can never have an exhaustive list of all the potential form of malicious code, we could however do a general and basic code check.
Here’s a few basic checks before even proceeding into verifying code.
Golden Rule: Nothing is final unless you’re looking at the deployed code
What do we mean by that? While having the smart contracts hosted publicly on Github is a form of code transparency. It does not represent the actual contract that is being deployed. What’s deployed to the blockchain might be different from the one that you see on Github. Here’s an example on the popular Uniswap token contract, which has been deployed.
The highlighted ‘minimumTimeBetweenMints’ value prevents the owner from minting too many tokens over a period of time. The above value is 365 days.
Anyone can upload anything to the Github and claim to work the same way. What if the project told you that you could mint any amount of tokens as many times as you want and showed you the contract code on Github as follows:
/// @notice Minimum time between mints
uint32 public constant minimumTimeBetweenMints = 1 days * 0;
If you find such discrepancies, it has a clear sign of red flag. Always remember that code on Github doesn’t represent the deployed contract. Always believe in the deployed contract.
A popular question is, ‘what if I can’t see the code on etherscan, it’s all gibberish’. Here’s an example:
If you see that, it means that the contract has not been verified at etherscan. What it really means is that etherscan cannot decode the deployed bytecodes into human-readable text. All legit projects will always verify their deployed contracts. If you see this and the project is already starting to claim investments..
Please avoid it, as this is a BIG red flag.
So how can we know which contract we’re interacting with? If you’re using MetaMask chrome extension on Google Chrome, you can find out the contract that you’re interacting with. When see a pop-up after doing certain actions (like clicking ‘deposit’ etc.), take a look at the address at the top-right corner. Click on it to copy it, and then go to etherscan to check out the contract.
As silly as it might sound, there have been scams which claims to be staking your tokens but are actually transferring your deposited tokens to their own address. Be vigilant.
Useful tools for checking of contracts:
Most DeFi projects tend to use code from the popular AMM, SushiSwap. You can check out the core contracts here: https://github.com/sushiswap/sushiswap/tree/master/contracts
For projects which claim to be a clone of something, remember to check how much was changed from the original contracts. Here’s a useful tool to check code differences: https://www.diffchecker.com
It doesn’t mean that a project is ‘rug-proof’ if no above mentioned red-flags were found. This is by no means a list of every red-flags ever; just the obvious ones.
Always do you own research!!
This has been revised to keep it more light-hearted (less technical). We invite developers from all projects to join our movement in knowledge sharing.
Moving on, we would go a little more in-depth into specific codebases. Which project would you like us to take a look at?
Oh, if you ever find some projects with red flags, do post this image to warn others because Nyan Dev says so:
Stay safe, and do not invest in what you cannot afford to lose nya~
— Nyan Dev
Follow us on Twitter and Telegram for the latest updates.