What is a Rug Pull?

Define Rug Pull.

In American English this is an idiom which means to pull the rug someone is standing on, out from under their feet.This usually causes them to lose their balance or support, and they fall down.

Rug Pull in Liquidity Pool

In a Liquidity Pool, a rug pull still involves pulling something and cause a fall. It means to pull the best asset out of a pair, so that the remaining asset price falls down.

Example Liquidity Pair Rug Pull

So a Liquidity Pull Rug Pull would go like this:
A developer intending to perform the rug pull creates a new Liquidity Pool on Uniswap or Pancakeswap, and one of the assets is Ethereum, and the other asset is Token X.
Investors come to Uniswap or Pan cake Swap and buy both Token X and Ethereum, then deposit dollar equivalents into the Liquidity Pair.
The developer waits until a certain amount of funds like 500,000 or one million dollars USD has been deposited by investors.
Then the developer withdrawals or Pulls out all the Ethereum from the Liquidity Pair, causing the price of the remaining asset Token X to drop or fall down.

So literally they pulls out the strong asset Ether, upon which the weak asset Token X is standing, and the price of token X falls down.
This leaves the investors with a Liquidity Pair with no Ethereum and a whole lot of Token X, whose value has now dropped to zero. Now the investors have lost most if not all of their capitol invested.

This type of theft happened a lot in the early days of Uniswap, Tron JustSwap, and BSC Pan cake swap.

This can happen because the software developer writes the software with a built-in mechanism which allows them to withdrawal all the funds investors have deposited in a project and send it to their wallet, effectively robbing the investors of their cryptocurrency.

Other Rug Pulls: Migratory Function Exploit

Another type of Rug Pull is done a little differently, and effects Liquidity Pulls on large Platforms with multiple Liquidity Pairs. One such platform was Honey Swap.

Honey swap rug pull

This was the theft of all the cryptocurrency deposited in all the liquidity pairs on honey swap by a developer.

What was the software exploit or vulnerability?

The information I have been able to gather suggests that the developers who stole the investors tokens used a “Migratory Function” exploit. The developers for Honey swap liquidated the Liquidity Pools and depository accounts, by pulling out the assets trading them for ETH on the Honeyswap exchange and moving the Ethereum off the platform into the wallets of the developers. They were able to do this by exploiting a software code feature called the migrate function. #Caution: I am not a developer, so I am writing and communicating to the best of my non-developer ability.

Migratory Function

The purpose of the migrate function is to move all deposited assets should the developers create a new version of the current trading platform, and it allows the developer to send all the finds from the old version to the new version.

For example, the developers create a Honey swap version 2.0, and once it is ready they move all the assets to that new version. This software code feature is present in Pan cake swap, Goose-swap and Honey swap. This feature was disabled on Goose-swap as a protective measure. This feature was activated on Pan cake swap, but has since been disabled, so the current migration of investors’ funds to the new version of Pan Cake Swap will be done manually by the investors. They will withdrawal their tokens and redeposit their tokens in the new version.

The Honey finance platform started with a migrate function, which read the amount to be migrated was -1, which meant the amount of token they could remove was infinite. However this feature is coded as bal not -1 or +2. The minus one means the amount to be migrated is infinite. The +2 means only 2 tokens and the code bal means the balance described by previous code only can be migrated.

I am not a developer, so I can’t attest to the validity of these claims. I read an article by a software developer, who doesn’t know/write code in Solidity, the code for these Smart Contracts, and another written by a software developer who does write Solidity code and they has different explanations. So I went with the Solidity code developers explanation.

Honey Pot wasn’t the first Rug Pull using this exploit

Surprisingly or not, this wasn’t the first platform Rug Pulled in this manner. The information I found on the internet suggests that this is a well-known rug pull mechanism on both Ethereum and Binance Smart Chain. This was used in the rug pull of these platforms: Honey Swap, Croissant Swap and Turtle Dex.

DeFi Platform risks

These type of risks are usually noted by the code auditors, but it is up to the developers to fix such exploits, so if they placed them intentionally they won’t fix them. Additionally it is possible to activate the exploit, reset certain parameters and then execute the theft. This is a tricky area to navigate, and is so you should read the Software Audit carefully and if possible get an interpretation by a software developer, specifically someone who writes code in Solidity.

Last words and Thank you Cubfinance:

My research for this article really helps me better understand the potential risks we face, and more importantly appreciate how lucky we are on Hive to have a two year relationship with @khaleelkazi and the Cubfinance development team, because we have a safe place to invest our funds in Liquidity Pools and Yield Farming opportunities. Thanks.
And this post from @taskmaster4450le says it all. 🦁

Further information

I found these two Video Explaining the Rug Pull

Python Developer

Solidity developer

Cub finance Certik Audit

You can watch these videos and then read the Cubfinance Audit to determine if these vulnerabilities exist and if they have been modified. This should be part of your due diligence.