How To Spot a Potential RUG — Clear signs something is sketchy

Let’s talk about how to spot a potential rug.

Rugs… too many in just a short period of time.

Well, people gained experience on other blockchains and came to BSC for quick cash, as should have been expected.

The number of rugs has slowed down a bit in the last couple of days, but is it over? No, and rugs will never stop appearing.

But can we learn how to spot sketchy aspects of a project?

Yes! And that’s what we’re going to be discussing today.

I will try to explain in great detail the points I made clear in the tweet above, along with others that I deem necessary.

Okay, I’m taking too long, here is a table of contents:

Short List of What I Look For

When it comes to a new project I have a list in mind of what I should look for. I’ll first give you the list here and then we can discuss each one in particular.

  • Careless and rushed developers
  • Overall appearance
  • Social Media Management and Appearance
  • Social Media Proof
  • Intrusive marketing
  • Contracts

Keep in mind that those are just potential red flags that should alarm you, but that doesn’t mean the project is 100% safe or a scam. I'll explain the point above in the "The most important thing" part.

Careless and rushed developers

This will be the first red flag I’m going to be discussing today.

Rushed projects

Rushed projects appear overnight and in less than 12 hours (most of the time) they have:

  • A website done
  • The farms live
  • Thousands of followers
  • An airdrop/giveaway with somehow thousands of likes/retweets

I also notice that the domains are registered just hours before launch, a major red flag for me, since it obviously takes more time to prepare a great project, but it only takes a few hours to fork an existing one.

How to check when a domain was registered

This one is easy.

[Image: Example of domain registration date.]

Just go to whois.domaintools.com, paste the link in the search bar, and then scroll down to “dates” to check how old a domain is.
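The same check can be scripted against raw WHOIS text. The sketch below is an added example, not part of the original article; the sample record, the list of field labels and the 30-day threshold are assumptions made for illustration.

```python
from datetime import datetime, timezone

# Labels registries commonly use for the registration date (assumed list, extend as needed).
CREATION_LABELS = ("creation date", "created", "registered on", "registration time")
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d %H:%M:%S", "%Y-%m-%d", "%d-%b-%Y")

# Constructed WHOIS record for a placeholder domain; not a real lookup result.
SAMPLE_WHOIS = """\
Domain Name: NEW-FARM.EXAMPLE
Updated Date: 2021-03-02T09:15:44Z
Creation Date: 2021-03-02T09:12:07Z
Registry Expiry Date: 2022-03-02T09:12:07Z
"""

def parse_creation_date(whois_text):
    """Return the registration timestamp (UTC) found in raw WHOIS text, or None."""
    for line in whois_text.splitlines():
        label, sep, value = line.partition(":")
        if not sep or label.strip().lower() not in CREATION_LABELS:
            continue
        for fmt in DATE_FORMATS:
            try:
                parsed = datetime.strptime(value.strip(), fmt)
                return parsed.replace(tzinfo=timezone.utc)
            except ValueError:
                continue
    return None

def domain_age_hours(whois_text, launch_time):
    """Hours between domain registration and the project's launch, or None if unknown."""
    created = parse_creation_date(whois_text)
    if created is None:
        return None
    return (launch_time - created).total_seconds() / 3600

def is_fresh_domain(whois_text, launch_time, min_age_days=30):
    """True when the domain is younger than min_age_days at launch.

    A missing or redacted date also returns True: unknown age deserves a closer look.
    """
    age = domain_age_hours(whois_text, launch_time)
    return age is None or age < min_age_days * 24

if __name__ == "__main__":
    launch = datetime(2021, 3, 2, 20, 0, tzinfo=timezone.utc)  # constructed launch time
    print(round(domain_age_hours(SAMPLE_WHOIS, launch), 1), "hours old at launch")
    print("fresh domain:", is_fresh_domain(SAMPLE_WHOIS, launch))
```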

Careless developers

Here we’ll have to check the contracts.

More often than not, fly-by projects don’t even edit their forked contracts properly, leaving clues that the project is rushed and the developers are careless.

[Image: Example of a careless and rushed developer.]

The example above is taken from the infamous WineSwap rug-pull, where the MasterChef contract wasn’t even fully edited and the developers left in the main names of the Sushi functions.

A major red flag for me.

Overall appearance

Maybe the first thing that comes to mind for most people is to check contracts, but I like to do that as the last task.

Why?

Checking how the overall website looks gives me an idea about how much the developers have actually worked on the project before release.

Here I can even decide if it is worth investing in the project or not.

I tend to take a brief look around the website, mainly checking for:

  • Overall UX/UI
  • Information/Links to information
  • Uniqueness (yeah, I know, I’m cherry-picking at this point)

What I consider red flags when it comes to the overall design of a website

Let’s take this random project I found on Twitter as an example.

[Image: A brief look at phoinikas.finance]

I’ve found this project on Twitter after I was tagged by CryptoDeus in a post related to it, where he makes clear his concerns about it and warns people it might not be that safe to enter.

I’ll be honest with you, after checking out the website I feel the need to wash my hands…

Here are some immediate red flags I see:

  • The website is just a rushed fork of SushiSwap.
  • The whole design seems to be made in a few minutes, without even trying to make it look good.
  • There is no link to their MasterContract anywhere in sight.
  • The “Lending” and “Insurance” buttons only display a “coming soon” message, without any info about them anywhere.
  • A quick check on their Medium (which is linked at the bottom of the page) even confirms that the project is rushed, no story ever being written on their account.
  • I’m not even gonna talk about the logo which is a pure joke.

[Image: This must be a joke.]

I’ll rate the website appearance 1/10.

It isn’t mainly about it looking bad, but more about the fact that it is clearly rushed, and when you rush something you’re clearly only looking for the end-goal, ignoring the path along the way.

Not a good sign in my book.

Social Media Management and Appearance

In this step, we’ll take a look at how social media is handled by the team.

Because I like to be extra-careful and cherry-pick the projects I join, I’ll also take a look at the overall appearance.

What I’m looking for:

  • Medium-high social media activity.
  • A flood of information about the project.
  • Great appearance (not a necessity, but a nice thing to see).

Let’s compare one of the first tweets of PancakeSwap to the first tweets of “Phoinikas”.

[Image: One of the first tweets of PancakeSwap.]

You can see:

  • Great branding.
  • Clear information.
  • Hashtags for organic reach.
  • A link to their first-ever Medium article that gives lots of information about the project.

Overall a nice tweet. I like it.

Now let’s take a look at the first tweets of “Phoinikas”.

[Image: The first two tweets of Phoinikas]

You can see:

  • Awful branding using only images found on the first page of Google Images (300x300 pixels, I might add).
  • Absolutely no information about the project.
  • No link to a Medium article explaining what the project is all about.
  • An airdrop of their token which at that time had absolutely no use-case and not even a website.
  • Inconsistency and small grammatical errors (again, I’m cherry-picking, I’m aware of that).

Horrible tweets.

Also, the airdrop (at least for me) is kinda sketchy. Trying to market the project even before it is released.

Airdrops are a common thing projects do, especially new ones. But for me it can be a red flag. I'd like to encourage you to form your own opinion about everything. You have to decide what is a red flag for you and what isn't.

I also took a look around their Telegram group.

Tons of questions went unanswered, some people were even asking “when rug?”, and people who sent their wallet addresses (for the airdrop) were being banned.

I’ll rate the social media management and appearance 1/10.

Social Media Proof — Fake or real?

Here comes my favorite thing, social media proof.

When it comes to a new project I can forgive the not-so-appealing website appearance and maybe try to not be too harsh on the social media management, but I’ll never forgive fake social media proof (fake likes, fake followers, fake Telegram members, etc).

Buying Twitter followers and Telegram members is extremely cheap, especially if you buy directly from providers and not from resellers (Not gonna teach you how, don’t even ask. Never buy fake social proof, it only hurts your growth).

[Image: The prices from the providers.]

As you can see, you can buy 5,000 Twitter followers and 5,000 Telegram members for a whopping $20.30 USD.

Never fall into the trap of fake social proof.

How to spot fake social proof.

Let’s first learn what a fake Twitter account (a bot) looks like.

Disclaimer: The ones below are the usual bots you'll see, and sellers of fake accounts rate them as "low-quality". There are other types of fake accounts that entirely copy one's social media profile, only changing the username. Those are rated "high-quality" and are harder to spot.

How to spot fake Twitter followers

Fake accounts are easy to spot, especially the really cheap ones as stated in the disclaimer above.

[Image: Examples of fake accounts.]

The cheap accounts are clearly bot accounts and easy to spot on their own. Look for:

  • Non-custom names (having the same name as their username).
  • A lot of numbers for uniqueness.
  • No description, info.
  • No photo, fake photo of another person (usually women), or photos of random objects.
  • Their tweets are nonsensical or they just retweet random things (you can even find the past clients while checking out a bot’s account).

 

How to spot fake Telegram members

Fake Telegram members are also semi-easy to spot.

[Image: Example of fake Telegram accounts.]

As you can see there is a similarity here:

  • Many numbers in the username
  • Clearly fake photos
  • Trying to impersonate women (usually)

Let’s also see an example from WineSwap’s Telegram group.

[Image: Example from WineSwap Telegram group.]

These are higher quality.

In the example above you can see that after mass-joining the fake accounts only typed “hi” and “hello”, clearly not natural.

But, what makes spotting fake social media proof extremely easy is checking the followers list as a whole.

It is easier to see batches of fake accounts rather than trying to pick them individually.

Let me show you.

Let’s take a look at Phoinikas.Finance’s social media.

[Image]

Seems like they have 1,796 Twitter followers and 1,841 Telegram members.

Okay, it doesn’t seem like much, does it? Well, it kinda is if you ask me, but not enough to raise immediate red flags.

WineSwap raised so many red flags at first because on their first day they had over 5,000 followers on Twitter and over 5,000 Telegram members.

But, let’s check them as a whole, shall we?

First, Twitter!

Let’s take a quick look at the accounts that follow Phoinikas.Finance on Twitter.

[Image: Accounts that follow that project.]

Okay… well, I think that’s obvious enough and doesn’t need to be explained.

Let’s check who liked their posts, those must be real people!

[Image: Accounts that liked their posts.]

Okay… there is still hope on their Telegram!

Secondly, Telegram!

Please be real people…

[Image: The members on their Telegram group.]

I think I just lost faith in humanity at this point.

I need to do something real quick…

I’ll be right back

[Image]

I’m back, had to wash my hands a second time.

It is extremely obvious that the project bought fake Twitter followers, likes, and Telegram members.

Also, you can see a discrepancy when it comes to the engagement on their Twitter posts.

[Image]

  • Post #1 has: 1 comment, 4 retweets, and 19 likes.
  • Post #2 has: 2 comments, 12 retweets, and 35 likes.
  • Post #3 has: 2,300 comments, 2,600 retweets, and 2,300 likes.
  • Post #4 has: 3 comments, 5 retweets, and 21 likes.

There is a clear discrepancy between the engagement the giveaway had and their other posts. Yes, a giveaway is supposed to get more engagement, but not that much.

Tip: If a random project that's one or two days old already has thousands of followers it should immediately be a red flag for you and you should start looking into it.

Anyway, at this point, I think it is clear that the above project bought some fake stuff to make it look more legitimate.
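An added example (not part of the original article) that applies the profile heuristics above to a follower list as a whole and flags engagement spikes like post #3. The follower records, field names and thresholds are constructed assumptions; the like counts are the four posts listed above.

```python
import re
from statistics import median

# Constructed follower records; field names are assumptions, not a Twitter API schema.
SAMPLE_FOLLOWERS = [
    {"username": "maria84920175", "name": "maria84920175", "bio": "", "has_photo": True},
    {"username": "jk20394811", "name": "jk20394811", "bio": "", "has_photo": False},
    {"username": "tom1987", "name": "Tom", "bio": "", "has_photo": True},
    {"username": "defi_reader", "name": "Dana R.", "bio": "BSC yield farmer", "has_photo": True},
]
# Likes on posts #1 to #4 as listed in the article.
ARTICLE_LIKES = [19, 35, 2300, 21]

def bot_signals(account):
    """Return which of the article's cheap-bot heuristics a follower record trips."""
    signals = []
    handle = account["username"]
    if account.get("name", "").strip().lower() == handle.lower():
        signals.append("name equals username")
    if len(re.findall(r"\d", handle)) >= 4:  # assumed cut-off for "a lot of numbers"
        signals.append("many digits in username")
    if not account.get("bio", "").strip():
        signals.append("no description")
    if not account.get("has_photo", False):
        signals.append("no profile photo")
    return signals

def suspicious_share(followers, min_signals=3):
    """Fraction of the list tripping at least min_signals heuristics.

    Judging the list as a whole matters: one empty bio means little,
    a batch of accounts sharing the same pattern means a lot.
    """
    if not followers:
        return 0.0
    flagged = [a for a in followers if len(bot_signals(a)) >= min_signals]
    return len(flagged) / len(followers)

def engagement_outliers(likes_per_post, factor=10):
    """Indexes of posts whose likes exceed factor x the median of the other posts."""
    outliers = []
    for i, likes in enumerate(likes_per_post):
        others = likes_per_post[:i] + likes_per_post[i + 1:]
        if others and likes > factor * median(others):
            outliers.append(i)
    return outliers

if __name__ == "__main__":
    for acct in SAMPLE_FOLLOWERS:
        print(acct["username"], bot_signals(acct))
    print("suspicious share:", suspicious_share(SAMPLE_FOLLOWERS))
    print("outlier posts (0-based):", engagement_outliers(ARTICLE_LIKES))
```

Requiring three signals keeps an ordinary account such as `tom1987` (a birth year and no bio) out of the flagged set.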

Let’s move on to other things you should look for.

                                                                        . . .

Well…

I just came back home, looking forward to continuing writing the article only to see that the website “phoinikas.finance” now redirects to a clone of “turing.finance” (whatever that project is) and that they rugged.

Imagine rugging while an article about “how to spot a potential rug” is using you as an example of a potential rug.

Man, this world is wild.

Intrusive Marketing

This one is a bit harder to come through, but I felt like including it here.

Intrusive marketing is when projects use bots and/or fake accounts to “spread the word” about a project on Twitter on random people’s posts and/or tag a massive amount of people in a project’s post.

Let’s take both situations one at a time.

“Spreading the word” using bots/fake accounts

[Image: Example from WineSwap’s strategy.]

As you can see in the picture above this fake account is trying to silently shill WineSwap in CryptoBethany’s posts.

This is a silent way of making people aware that the project exists, and believe it or not many people ape into random projects on Twitter, so this strategy is working.

Tip: If you see a new project being shilled on Twitter, first check the accounts that are shilling it. Try and find out if they're fake/bots or not.

Mass tagging using bots

[Image: Example of mass tagging, also from WineSwap’s strategy.]

Mass tagging is quite straightforward. Just a bot tagging random people in the replies of the project’s posts.

You can’t really save yourself from being tagged by bots as they tag people that follow another project or people that liked a certain tweet (since people that liked the tweet tend to be more active on social media).

Anyway, mass tagging isn’t as bad on Twitter as it is on Instagram.

Tip: If you're getting tagged by bots in a mass tagging action that's an immediate red flag.

Contracts

Many thanks to Defi Khaled for helping me write this part.

Now, here we come to the real deal.

You can fake anything, but you can’t fake code.

When it comes to contracts there are four main things I look for:

  • If the contract is readable.
  • If the contract is verified.
  • Accessible (unnecessary) _mint function.
  • Time-lock

Let’s take them one at a time and explain each.

Verified contracts

A contract is verified only when you can see the green check-marks on its bscscan.com page.

[Image]

What does the “verified” mean?

When a contract is verified it means that the developer added a human-readable version that’s an exact match of the actual code.

Nothing more, nothing less. It just means that the contract you see is the real one.

Tip: I've seen some rugs bragging that their contracts are verified and that "it means it is safe". No, do not believe that. Verified doesn't mean safe, it only means it is the actual code.

What should I run from?

You should immediately run from YF MasterChef contracts:

  • that have the human-readable version but they’re not verified.
  • that don’t even have the human-readable version at all.

[Image]

If you see the above, you can’t read it.

While every project has unverified contracts at some point (especially the ones with runtime logic such as games), you have to be very careful with them.

The MasterChef contract and other main contracts of a project should always be verified.

The same applies to non-verified contracts that are readable.

If a contract has the human-readable version but it isn’t verified it means that what’s shown to you isn’t the actual code, so the developers might be trying to hide something from you.

Accessible _mint function

Here is how a mint function looks on BSCScan’s UI.

[Image: How the _mint function looks on BSCScan.]

And here is how it looks in code.

[Image: How the _mint function looks in code.]

What does a mint function do?

A mint function allows the contract owner to create more tokens “out of thin air”.

The rugging method using the _mint function is when the owner gives himself a bunch of tokens and then sells them, bringing the price of the token to almost $0.00 USD and screwing everyone over.

If there is a mint function does it mean the project will rug?

No, absolutely not.

A mint function is needed, especially when tokens are minted every block for rewards (in the case of yield farms such as PancakeSwap, Thugs, Narwhalswap, etc.).

How to be safe when there is a mint function?

Well, this is a tough one.

Always make sure there is a need for it.

Yield Farms and other projects with unlimited supply will always have a mint function because that’s what their project relies on, but if you’re trading a token that is supposed to have a maximum supply but it has a _mint function then it should raise a red flag.

The example above was taken from the $SAFU $FUNDS rug where the main tokens should've had a maximum supply, but ended up minting new tokens.

A wonderful thing for tokens that have a maximum supply is when the developers set the owner of the contract to the dead address (0x00…dead) like beefy.finance did with their $BIFI token.
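An added example (not from the original article or any project's code): a rough scan of verified Solidity source for public or external functions that reach `_mint`, reporting their modifiers and whether a supply cap is checked. The sample contract is constructed and the cap check is a text heuristic, so a hit is a prompt to read the function, not a verdict.

```python
import re

# Constructed Solidity source for illustration (not any real project's contract).
SAMPLE_SOURCE = """
contract SampleToken is BEP20 {
    uint256 public constant MAX_SUPPLY = 1000000 * 10**18; // advertised hard cap
    constructor() public { _mint(msg.sender, MAX_SUPPLY); }

    // Owner can create tokens at will; nothing compares against MAX_SUPPLY.
    function mint(address _to, uint256 _amount) public onlyOwner {
        _mint(_to, _amount);
    }
    function _mint(address account, uint256 amount) internal {
        _totalSupply = _totalSupply.add(amount);
        _balances[account] = _balances[account].add(amount);
    }
}
"""

FUNC_RE = re.compile(r"function\s+(\w+)\s*\([^)]*\)([^{;]*)\{")
NOT_GUARDS = {"public", "external", "virtual", "override", "payable"}

def strip_comments(src):
    """Drop /* */ and // comments so commented-out code is not matched."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)

def function_body(src, open_brace):
    """Return the text between the brace at open_brace and its matching brace."""
    depth = 0
    for i in range(open_brace, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_brace + 1:i]
    return src[open_brace + 1:]  # unbalanced source: take the rest

def mint_entrypoints(source):
    """List public/external functions whose body calls _mint(...)."""
    src = strip_comments(source)
    findings = []
    for m in FUNC_RE.finditer(src):
        header = re.sub(r"returns\s*\([^)]*\)", "", m.group(2))
        words = re.findall(r"[A-Za-z_]\w*", header)
        body = function_body(src, m.end() - 1)
        if not ({"public", "external"} & set(words)) or "_mint(" not in body:
            continue
        findings.append({
            "function": m.group(1),
            "guards": [w for w in words if w not in NOT_GUARDS],
            # Heuristic: a require(...) that mentions a cap/max value.
            "checks_cap": bool(re.search(r"require\s*\([^;]*(cap|max)", body, re.I)),
        })
    return findings

if __name__ == "__main__":
    for finding in mint_entrypoints(SAMPLE_SOURCE):
        print(finding)
```

For a token advertised with a maximum supply, an entry such as `mint` guarded only by `onlyOwner` with `checks_cap` false is the pattern described above; for a yield farm the same finding is expected, and the question becomes who the owner is.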

Time-lock

What is a time-lock?

A time-lock delays the execution of a function call by the time specified in the time-lock, and the queued call is public on BSCScan until it is executed.

Does time-lock mean safe?

Yes and no.

Don’t let Timelock be a buzzword; they’re only as effective as their usage, not inherent safety.

The above quote is taken from Defi Khaled's post. I suggest you read it.

While yes, the calls will be public until the execution and anybody can read them, you’ll also need someone to be constantly checking for changes.

My recommendation

Set up an alert on the time-lock contract.

You can do it by adding the contract to your watch-list within BSCscan and you’ll be notified via e-mail every time the time-lock does a transaction.

What options could a developer use instead of a time-lock?

A developer can set the ownership address of a contract to the dead address (0x000…dead) and make the contract completely untouchable, but remember that this also means everything has to be perfectly done before the execution and that in case of an emergency the developers can’t help since they don’t have access to it themselves.

I prefer a trustworthy team and a time-lock rather than an untouchable contract.

Again, you have to form your own opinion about everything. Do not blindly follow what I say without doing your own research beforehand.

The most important thing

The decentralized world might look scary at first glance.

It can be complicated, it requires a lot of research and most of the time there are going to be risks that come with it.

But should that discourage you from joining new projects?

Absolutely not.

Taking safety precautions and investing only what you can afford to lose is the way to go.

The thing that gets people stuck in rugs is greed. It is the idea of getting rich quick, going all-in on a one-hour-old project thinking they will have those x100 gains overnight.

Be safe out there.

Stop dreaming about overnight success and focus on continuously growing instead.

Re-cap

Let’s re-cap what you should look for when considering joining a new project.

  • Overall appearance, rushed projects and careless devs
    - Is it rushed?
    - Is it high quality?
    - Did the devs. even try?
  • Social Media Management and Appearance
    - Is their social media informative?
    - Are the devs. active?
  • Social Media Proof
    - Are the Twitter followers real?
    - Are the Telegram members real?
    - Is the project trying to fake social media popularity?
  • Intrusive marketing
    - Is the project using fake accounts to promote the project?
    - Is it using bots to do it?
  • Contracts
    - Are the contracts readable?
    - Are the contracts verified?
    - Is there any time-lock?
    - Who’s the contract owner?

This is how I personally check out the projects.

On top of what I already said, as a final note, ask yourself the following: Is it too good to be true?

If the answer is yes, take a step back, analyze the situation, assign yourself some limits, and try to be careful with it.

Stay safe!

                                                                                . . .

You might also want to read: How To Keep Your Funds SAFE — MetaMask Guide

The Ape 🦍
