CRPWarner: Warning the Risk of Contract-related Rug Pull in DeFi Smart Contracts

Published 3 Mar 2024 in cs.SE | (2403.01425v1)

Abstract: In recent years, Decentralized Finance (DeFi) has grown rapidly due to the development of blockchain technology and smart contracts. As of March 2023, the estimated global cryptocurrency market cap has reached approximately $949 billion. However, security incidents continue to plague the DeFi ecosystem, and one of the most notorious examples is the "Rug Pull" scam. This type of cryptocurrency scam occurs when the developer of a particular token project intentionally abandons the project and disappears with investors' funds. Despite only emerging in recent years, Rug Pull events have already caused significant financial losses. In this work, we manually collected and analyzed 103 real-world rug pull events, categorizing them based on their scam methods. Two primary categories were identified: Contract-related Rug Pull (through malicious functions in smart contracts) and Transaction-related Rug Pull (through cryptocurrency trading without utilizing malicious functions). Based on the analysis of rug pull events, we propose CRPWarner (short for Contract-related Rug Pull Risk Warner) to identify malicious functions in smart contracts and issue warnings regarding potential rug pulls. We evaluated CRPWarner on 69 open-source smart contracts related to rug pull events and achieved a 91.8% precision, 85.9% recall and 88.7% F1-score. Additionally, when evaluating CRPWarner on 13,484 real token contracts on Ethereum, it successfully detected 4168 smart contracts with malicious functions, including zero-day examples. The precision of the large-scale experiment reached 84.9%.


Summary

  • The paper introduces CRPWarner, a novel static analysis tool that identifies contract-related rug pull risks through decompilation and information flow analysis.
  • It analyzes 103 real-world rug pull events and uses datalog rules to detect malicious patterns such as hidden mint, limiting sell order, and leaking token functions.
  • Evaluation on open-source and large-scale datasets demonstrated high precision and recall, underscoring CRPWarner’s effectiveness in enhancing DeFi security.

CRPWarner: Assessing Rug Pull Risks in DeFi Smart Contracts

The paper "CRPWarner: Warning the Risk of Contract-related Rug Pull in DeFi Smart Contracts" (2403.01425) introduces a novel approach to proactively identify and mitigate the risk of contract-related rug pulls in Decentralized Finance (DeFi) smart contracts. By analyzing real-world rug pull events, the authors developed CRPWarner, a tool designed to detect malicious functions within smart contracts that could lead to investor fund losses. The tool employs static analysis techniques on EVM bytecode, providing early warnings and enabling developers to eliminate high-risk functions, thus enhancing the security and trustworthiness of DeFi projects.

Analysis of Rug Pull Events

The authors conducted a thorough manual analysis of 103 real-world rug pull events, categorizing them based on their scam methods. This analysis identified two primary categories: Contract-related Rug Pull and Transaction-related Rug Pull. Contract-related rug pulls involve the exploitation of malicious functions embedded within smart contracts, while Transaction-related rug pulls are executed through cryptocurrency trading strategies without relying on malicious code.

The Contract-related Rug Pulls are further classified into three types:

  • Hidden Mint Function: Enables developers to generate arbitrary tokens, leading to market manipulation.
  • Limiting Sell Order: Restricts users from selling tokens, allowing developers to control the market.
  • Leaking Token: Permits unauthorized token transfers, leading to fund theft.

The Transaction-related Rug Pulls are further classified into three types:

  • Dumping Cryptocurrency: Developers sell off a large number of tokens, causing a price crash.
  • Withdrawing Liquidity: Developers remove liquidity from the pool, leaving investors with worthless tokens.
  • Abandoning Project after Funding Completion: Developers abandon the project after raising funds.

The identified patterns serve as critical indicators of risk, alerting users to potential threats and aiding developers in avoiding the inadvertent inclusion of such patterns.

Figure 1: Example of a card of Rug Pull Events.

CRPWarner Framework

The CRPWarner framework is designed to analyze smart contracts and identify potential risks associated with Contract-related Rug Pulls. It focuses on smart contracts written in Solidity and analyzes EVM bytecode, enabling comprehensive warnings even when source code is unavailable.

Figure 2: The Framework of CRPWarner.

The framework consists of three layers of analysis:

  1. Decompilation: Converts smart contract bytecode into a control flow graph (CFG) and generates basic data structures and relations.
  2. Information Flow Analysis: Examines variables and functions associated with rug pulls, focusing on data structures and operations.
  3. Malicious Function Identification: Detects malicious functions based on known patterns and generates an analysis report.

The datalog analysis incorporates information flow analysis and malicious function identification to pinpoint potential rug pull risks. Key components include identifying storage variables, analyzing data flow dependencies, and determining whether functions can be invoked by external accounts.

Datalog Rules for Malicious Function Identification

The paper defines specific datalog rules for identifying each type of malicious function. These rules capture critical features and enable the tool to flag potentially dangerous contracts.

  • Hidden Mint Function: Identified by the presence of logic that increases token balances without checks and can only be invoked by the contract owner.
  • Limiting Sell Order: Identified by a storage variable that restricts token transfers and a function controlled by the contract owner to modify this variable.
  • Leaking Token: Identified by a function that allows unauthorized token transfers and can only be invoked by the contract owner.

The datalog rules are based on features extracted through information flow analysis, including token balance management, variable types, function characteristics, and function features.
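To make the three rules concrete, here is an added Python sketch of the same three patterns. It is not CRPWarner's code (the paper expresses its rules in Datalog over facts produced by decompiling EVM bytecode); instead it applies the rules to hand-written per-function facts of the kind a decompiler would extract: whether a function is reachable only after an owner check, which storage variables it reads and writes, which balance entries it credits or debits, and which variables gate a revert path. The contracts, function names and storage variable names are constructed for the example, and "increases token balances without checks" is modelled as "credits a balance while debiting none", which is an interpretation of the summary, not a statement of the paper's exact rule.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Constructed facts standing in for decompiler output (not CRPWarner's own IR).
@dataclass(frozen=True)
class Func:
    name: str
    owner_only: bool              # reachable only after an owner check on msg.sender
    writes: FrozenSet[str]        # storage variables written
    reads: FrozenSet[str]         # storage variables read
    balance_add: FrozenSet[str]   # balance entries credited: "msg.sender" or "param"
    balance_sub: FrozenSet[str]   # balance entries debited
    guard_vars: FrozenSet[str]    # storage variables that gate a revert path
    is_transfer: bool = False     # public token-transfer entry point


def fs(*items: str) -> FrozenSet[str]:
    return frozenset(items)


def hidden_mint(funcs: List[Func]) -> List[str]:
    """Rule 1 (assumed modelling): owner-only function that credits a balance
    while debiting none, i.e. tokens appear from nowhere."""
    return [f.name for f in funcs if f.owner_only and f.balance_add and not f.balance_sub]


def limiting_sell_order(funcs: List[Func]) -> List[Tuple[str, str]]:
    """Rule 2: a storage variable gates a transfer entry point, and an owner-only
    function other than that transfer writes the variable. Returns (variable, writer)."""
    gates = {(v, t.name) for t in funcs if t.is_transfer for v in t.guard_vars}
    hits = set()
    for var, transfer_name in gates:
        for g in funcs:
            if g.owner_only and var in g.writes and g.name != transfer_name:
                hits.add((var, g.name))
    return sorted(hits)


def leaking_token(funcs: List[Func]) -> List[str]:
    """Rule 3: owner-only function that debits an account given as a parameter
    without consulting the allowance mapping, i.e. an unauthorised transfer."""
    return [f.name for f in funcs
            if f.owner_only and "param" in f.balance_sub and "allowance" not in f.reads]


def analyse(funcs: List[Func]) -> Dict[str, list]:
    """Run all three rules over one contract's function facts."""
    return {
        "hidden_mint": hidden_mint(funcs),
        "limiting_sell_order": limiting_sell_order(funcs),
        "leaking_token": leaking_token(funcs),
    }


# Constructed token with all three patterns present.
SUSPECT = [
    Func("transfer", False, fs("balances"), fs("balances", "sellLocked"),
         fs("param"), fs("msg.sender"), fs("sellLocked"), is_transfer=True),
    Func("transferFrom", False, fs("balances", "allowance"), fs("balances", "allowance"),
         fs("param"), fs("param"), fs(), is_transfer=True),
    Func("setSellLocked", True, fs("sellLocked"), fs(), fs(), fs(), fs()),
    Func("rebalance", True, fs("balances"), fs("balances"), fs("param"), fs(), fs()),
    Func("sweep", True, fs("balances"), fs("balances"), fs("msg.sender"), fs("param"), fs()),
]

# Constructed pausable token with an owner mint: legitimate design, same shapes.
PAUSABLE = [
    Func("transfer", False, fs("balances"), fs("balances", "paused"),
         fs("param"), fs("msg.sender"), fs("paused"), is_transfer=True),
    Func("transferFrom", False, fs("balances", "allowance"), fs("balances", "allowance"),
         fs("param"), fs("param"), fs("paused"), is_transfer=True),
    Func("pause", True, fs("paused"), fs(), fs(), fs(), fs()),
    Func("mint", True, fs("balances", "totalSupply"), fs("totalSupply", "cap"),
         fs("param"), fs(), fs("cap")),
]

if __name__ == "__main__":
    for label, contract in (("suspect", SUSPECT), ("pausable", PAUSABLE)):
        print(label, analyse(contract))
```

The second contract is there to show the caveat a reviewer needs: a pausable token with a capped owner mint trips the same flow patterns (an owner-written variable gating transfers, an owner-only balance credit), so a warning from rules like these marks a function for review rather than proving intent, which is consistent with the tool's reported precision being below 100%.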

Evaluation and Results

The effectiveness of CRPWarner was evaluated through two primary experiments. The tool was tested on a dataset of 69 open-source smart contracts associated with real-world rug pull events and on a large-scale dataset of 13,484 real-world ERC token contracts.

The evaluation on open-source contracts demonstrated high accuracy, with precision, recall, and F1-score values of 91.8%, 85.9%, and 88.7%, respectively. The large-scale analysis identified 4,168 smart contracts with malicious functions, indicating the prevalence of potential rug pull risks in the Ethereum ecosystem. The precision of the large-scale experiment reached 84.9%.

Figure 3: The count of smart contracts containing varying numbers of malicious function types.

The tool also discovered a zero-day example: a token project with a malicious function that had not been previously reported. This highlights the practical utility of CRPWarner in uncovering hidden risks in deployed smart contracts.

Implications and Future Directions

The findings of this paper have significant implications for the security and trustworthiness of DeFi projects. By providing a tool to proactively identify and warn about potential rug pull risks, CRPWarner can help protect investors from financial losses. The tool also empowers smart contract developers to detect and eliminate high-risk functions, thereby enhancing the security of their projects.

Future research directions include enhancing the tool's ability to analyze proxy contracts, predicting new types of Contract-related Rug Pull, and addressing the limitations related to pre-defined patterns. These improvements will further enhance the effectiveness and applicability of CRPWarner in the evolving landscape of DeFi security.

Conclusion

The paper presents a practical and effective approach for mitigating the risk of contract-related rug pulls in DeFi smart contracts. CRPWarner, a static analysis tool based on datalog rules and information flow analysis, demonstrates high accuracy in detecting malicious functions. The tool's ability to identify potential rug pull risks and empower developers to enhance smart contract security contributes to the overall stability and trustworthiness of the DeFi ecosystem.
