Fragmented Rug Pull (FRP) Analysis

• Fragmented Rug Pull (FRP) is a decentralized scam where attackers split liquidity extractions into many micro-sells to stay below detection thresholds.
• The detection methodology relies on retaining LP tokens, executing trades with impact below a set threshold, and using multiple non-owner wallets.
• Empirical findings reveal a shift to multi-wallet extraction, with over 105K FRP pools and evolving seller strategies that challenge traditional risk metrics.

A Fragmented Rug Pull (FRP) is a class of decentralized exchange (DEX) exit scams wherein attackers decompose the liquidity extraction process across both time and actor dimensions. Unlike classical rug pulls, which are characterized by large, rapid liquidity removals by the pool deployer, FRPs obfuscate withdrawals through numerous low-impact transactions routed via a network of non-deployer (“inflated-seller”) addresses. This distributed extraction subverts traditional rug pull detection strategies and has emerged as a dominant modus operandi in contemporary DEX fraud (Tran et al., 19 Nov 2025).

1. Conceptual Framework and Formal Definitions

Fragmented Rug Pulls are defined by three critical atomic predicates, whose conjunction yields the operational strategy:

• Retention of LP Control (RetainLP): The deployer retains, rather than burns or locks, initial liquidity pool tokens, ensuring on-chain extraction remains feasible throughout the pool’s brief lifetime.
• Impact Fragmentation: Attacks are split into many micro-sells, each designed to incur an individual price impact below a canonical detection threshold $\theta$, typically $\theta = 0.9$.
• Identity Delegation: Sells are executed through multiple non-owner wallets, circumventing detection mechanisms focused on owner-initiated transactions.

Formally, for a liquidity pool $\mathcal{P}$ with transaction sequence $T=\{t_1,\dots, t_n\}$, each sell $t_i$ is characterized by sender $a_i$, returned base-asset volume $v_i$, and pre-trade reserves $\mathcal{V}_i$. The per-trade impact is given by:

$\mathrm{Impact}(t_i) = \frac{v_i}{\mathcal{V}_i}$

A wallet $a$ is defined as an inflated-seller in $\mathcal{P}$ if it executes any sell $t_i$ such that $\mathrm{Impact}(t_i)\le\theta$, and the set of all such addresses in $\mathcal{P}$ is denoted $\mathcal{A}(\mathcal{P})$ (Tran et al., 19 Nov 2025).

2. Detection Methodology

FRP detection proceeds in two main stages:

1. Pool Labeling: All LP deployments are analyzed to filter short-lived pools (lifetime $\le100$ days), then checked for three criteria:
   • LP tokens were not burned or locked (RetainLP).
   • Existence of at least one fragmented sell transaction, i.e., $$\forall\, t_{a,j}:\; \mathrm{Impact}(t_{a,j})\le\theta$$.
   • All sellers in $\mathcal{A}(\mathcal{P})$ are non-owner addresses, or, if the owner participates, all owner-sales have $\mathrm{Impact}\le\theta$.
2. Inflated-Seller Extraction: For FRP-labeled pools, all addresses executing sells with per-trade impact $\le\theta$ are extracted as “inflated-seller wallets.”

Pseudocode (precision abstracted):

for each LP P: if lifetime(P) ≤ 100 days and RetainLP(P): T_sells = all sell transactions in P for t in T_sells: Impact(t) = v(t) / V(t-) A = { a(t) | t in T_sells and Impact(t) ≤ θ } if A ≠ ∅ and no member of A triggers owner-impact > θ: label P as FRP record inflated-sellers += A

Analysis across major Ethereum DEXes reveals 105,434 FRP pools and 401,838 distinct inflated-seller wallets among 1,501,408 unique interacting addresses (Tran et al., 19 Nov 2025).

3. Empirical Findings and Quantitative Trends

The FRP evasion model is validated over a corpus of 303,614 LP deployments. Among these, the following empirical characteristics are observed in FRP-flagged pools:

• Owner-wallet involvement in inflated selling has reduced substantially, detected in only 33.13% of FRP pools (declining from ~65% in 2019 to 24% in 2024). This signals a marked migration toward distributed extraction using non-owner addresses.
• Serial Scam Behavior: 127,252 wallets (31.67% of inflated-sellers) participated in two or more FRP pools. The single most recurrent address was implicated in 16,525 distinct pools.
• Evolving Seller Topology: Single-wallet FRPs declined from 57% to 28.3% of cases (2019–2024), while multi-wallet schemes rose symmetrically. Approximately 70% of FRP pools use 1–10 inflated sellers; 30% employ more than 10.

This fragmentation removes clear transactional signals, such as a large, rapid outflow from an identified owner wallet, compelling a paradigm shift in risk detection.

4. Attack Mechanics and Illustrative Case Studies

The FRP workflow is characterized by:

• Prefunding and Distribution: Token deployers inject pre-minted assets into a network of newly created or complicit EOAs, which receive approval to sell.
• Micro-sell Execution: Each participating address conducts multiple small withdrawals or swaps, each below $\theta$, avoiding threshold-triggered alerts.
• Chaining and Convergence: Proceeds can be funneled through intermediate contracts or aggregated via bridges.

Notable case studies include:

• LIBRA (Solana-backed meme token): Four fresh wallets each initiated 2–5 micro-sells, invisible to standard detectors due to their impact profile. Buy orders and bundled trades were inserted to camouflage price manipulation.
• Safereum: The deployer prefunded $\sim$12 EOAs; cumulative proceeds were consolidated off-chain.
• ZhongHua: A proxy contract issued delegated sells, masking the main deployer’s inactivity.

In each instance, no single transaction presented the high-magnitude signature targeted by existing rug pull heuristics (Tran et al., 19 Nov 2025).

5. Metrics, Formulae, and Analytical Considerations

Atomic predicates formalizing FRP include:

$$\mathrm{Impact}(t_i) = \frac{v_i}{\mathcal{V}_i}, \qquad \mathrm{RetainLP} = \neg\mathrm{burnLock}(\mathrm{LPT}_{\mathrm{init}}), \qquad \mathrm{SellerIsOwner}(t_i) = (a_i \in \mathcal{O})$$

Profitability under fragmentation is governed by:

$$\sum_{j=1}^K (v_j - \mathrm{slip}(v_j)) - G \ge V_{\min}, \quad \forall j: \frac{v_j}{\mathcal{V}_j} \le \theta$$

where $\mathrm{slip}(v_j)$ represents execution slippage, $G$ is total gas cost, and $V_{\min}$ is a minimal profitability constraint. Coordination among inflated sellers ensures individual actions remain undetectable, while cumulative extraction achieves attacker goals.

6. Context, Significance, and Countermeasures

The rise of FRP techniques reflects an adversarial adaptation to transaction-level heuristics that dominated early DEX fraud detection (Tran et al., 19 Nov 2025). By leveraging both impact fragmentation and actor delegation, attackers exploit network opacity, dispersing economic signals below static thresholds. This obfuscation parallels collusive shill bidding in auctions, where multiple seller or bidder identities are used to dilute risk indicators (Trevathan et al., 2018). In the NFT ecosystem, analogous wash trading cycles—consisting of cycles of buys and sells within short intervals—have also required graph-based detection beyond simplistic per-wallet heuristics (Liu et al., 2023).

Detection of FRP thus necessarily involves holistic, network-centric methodologies capable of (1) identifying coordinated extractive patterns across multiple addresses, (2) aggregating sub-threshold behaviors over time, and (3) factoring non-owner execution. Purely per-transaction or owner-centric rug pull metrics are now demonstrably insufficient.

This suggests future research directions may emphasize dynamic behavioral baselining for DEX pools, broader graph-theoretic community detection to isolate coordinated extraction, and multi-modal anomaly detection pipelines integrating known FRP atomic predicates.