Research by blockchain security firm Hacken has found that most of the crypto projects rug-pulled in the third quarter of 2023 had no audit reports.
According to the Q3 2023 Security Insights report, only 12 out of 78 examined rug pulls conducted and reported audits.
Most Rugpulled Projects Are Not Audited
An independent third-party audit offers a detailed review of a token, identifies the project’s vulnerabilities, and alerts investors. Hacken noted that rug pulls are one of the simplest scams to prevent, as investors can understand their anatomy by taking note of certain patterns. One of them is the presence or absence of an audit.
Although an independent third-party audit may validate a project’s authenticity, it does not guarantee protection from a sudden withdrawal of liquidity. A project can undergo an audit, publish a report, and still make malicious changes to its tokenomics and smart contract, thereby defrauding users.
Among the projects rug-pulled last quarter, some were audited but had poor scores. Unfortunately, users ignored the audit results as they believed the fact that the projects were audited was enough. Such was the case with Magnate Finance, a lending protocol based on crypto exchange Coinbase’s Base network, which had an audit that stated that the project’s deployer could manipulate the token. However, users did not heed the findings.
“Token owners continued to participate in the protocol for almost three months after the audit results. And by the end of August, the deployer had removed liquidity from LPs in multiple transactions. As a result, we got the 2nd largest rug pull this quarter with over $5 million stolen,” Hacken said.
A Common Pattern
Users of the decentralized crypto staking platform DeFiLabs had a similar experience to those of Magnate Finance. Blockchain security firm CertiK revealed in an audit that the project had a centralization risk within its contracts, but the warnings raised no concern among users. The platform eventually pulled the rug and vanished with $1.4 million worth of users’ assets.
Meanwhile, Hacken found a common pattern among rug pulls. Developers of malicious projects usually follow the same five steps: create the tokens, aggressively market them, inflate the tokens’ supply when liquidity accumulates, vanish with drained funds, and leave investors with worthless assets.