In the vibrant yet challenging landscape of Web3, the occurrence of rug pulls - instances where developers and founders abandon a project after collecting funds - pose a significant threat to anyone in the web3 scene. The term 'rug pull' has been coined to denote such shameless acts that leave the community dry. Today, we will walk you through the process of understanding these occurrences and share effective tips to help you avoid them.

Understanding Rug Pulls

Before talking about prevention, let’s talk definition.In a 'rug pull', developers or project leads accumulate substantial funds and then vanish, be it slowly or abruptly, leaving buyers and the community in a state of loss. In the realm of NFTs, this could take the form of a creator selling NFTs and then suddenly discontinuing the project, rendering the NFTs essentially worthless.

TYPES OF RUGPULLS

Hard Rug Pull: This is the most blatant form of rug pull. Developers abruptly disappear after collecting funds, often leaving investors with worthless tokens or assets.

Soft Rug Pull: This is more subtle. Instead of vanishing, developers might slowly sell off their tokens ("dump") or gradually neglect the project. This results in a gradual decline in value, which can still lead to significant investor losses.

Credits to https://twitter.com/andehxbt/status/1514562618123767809 for the infographic content

In both cases, the community is left helpless. Founders might position their situation as one that is valid and justifiable, but facts are that when they don’t come through with whatever it is they promised the community and stop trying - they are rugging.

Rugs come in all shapes and sizes, and could even come when you least expect it. For that precise reason, it is crucial to educate ourselves on what exactly we can do to avoid buying into a rug pull before it’s too late.

How to Avoid Rug Pulls

TIP #1. Do a thorough Background Check on the Project. 

The first step in avoiding a potential rug pull is to research the project and its team extensively. Dive deep into their background, their past works, and reputation. Investigate the project's website and whitepaper for realistic goals and technology applications. Don’t rely on a few shills on Twitter as your reason to assume a project is legitimate. 

The Team: Are they doxxed, or undoxxed? Anonymity is a double-edged sword in the crypto world. While it ensures privacy, it also leaves room for fraud. Projects with anonymous teams, or what is commonly referred to as “undoxxed”, aren't necessarily fraudulent, but those with transparent, identifiable members tend to be more trustworthy. Take note though: a team can easily post a photo of a random member and create a fake bio and claim they are “doxxed” when that person may not even really exist.

The Website: A decent website can be whipped up in minutes nowadays, so you’ll want to make sure that the website you’re going to has decent substance. The website should display at a minimum- information about the project including its mission and roadmap, about the team, and generally be cohesive with the look and feel of the whole project.

The Whitepaper/Roadmap: The whitepaper is a key document that outlines the project's goals, technology, implementation plans, the team, and other relevant details. A project’s Roadmap is essentially its Whitepaper. Having a roadmap or a decent website doesn’t guarantee that a project is not a rug, but it is a good way to benchmark what the expectations of the project should be. We talk more about evaluating Roadmaps later.

BAYC Roadmap 2.0 
(https://twitter.com/BoredApeYC/status/1440392967437488134?lang=en)

The Socials: Social media handles and activity are also important to check. Twitter is definitely one of the main platforms projects use to communicate. A project with low followers and minimal (or even zero) engagement implies that no one is keeping posted much with the project. Too many followers on the other hand can be unrealistic and be botted - buying likes & retweets is cheaper than you might think! To sense check, you could go through the tweet replies and how sensible they are in context to the tweet, or if it’s just empty words trying to spike the numbers. Let’s dive more into this on our next step.

Check for fake followers on Twitter using https://www.followeraudit.com/ 

TIP #2. Evaluate the Quality of Community Engagement.

A robust and active community can be a positive sign. Check forums, social media, and community chats to see how the project interacts with its user base. Make sure messages make sense and carry an actual conversation rather than just a volume of messages without substance.

Legitimate projects often encourage an active community because the team is keen to engage with the community about the project. 

Projects that are open to AMAs, able to discuss the project and its specifics sensibly, and respond to reasonable questions, are often a good sign. On the flip side, there are projects that resort to banning community members who ask good questions and put the project on the spot as they want to avoid people seeing through their malicious intentions of merely creating a rugpull. 

Some samples of low quality community engagement are as follows:

1. Low Participation Rates: If only a small number of the community's members are actively participating in discussions, this could be a sign of low engagement. It’s important to compare participation to the number of people in the community.
2. One-Sided Conversations: When communication comes primarily from the project team, with little to no feedback or participation from the community, it's a sign of low-quality engagement.
3. Lack of Response: A team that does not respond to community questions or feedback, or is slow to respond, may not be genuinely committed to building a strong community.
4. Surface-Level Interactions: Interactions that only revolve around hype and not substantive discussion about the project, its progress, or its problems are signs of low-quality engagement. Examples include constant discussion about the price, but not the product or development.
5. Censorship: When the project team deletes comments or bans users who raise valid concerns or criticism, it's a strong indication of poor community engagement.
6. Toxic Behavior: If the community fosters aggressive, disrespectful, or toxic behavior, it's a sign of poor moderation and low-quality engagement.
7. Overly Positive Comments: A situation where the project's social media account is filled with suspiciously similar positive comments, often posted at similar times, may indicate fake engagement.

1. Incentivized Engagement: If the majority of engagement comes from incentivized activities, such as giveaways or contests, it may be a sign that organic community interest is low.

These signs are not definitive proof of a rug pull, but they can serve as red flags that require further investigation.

TIP #3. Pre-Mint: Watch out for Red Flags in the Project’s Vision or Roadmap.

Nowadays, the necessity of a Roadmap is debatable. Projects should have a clear idea of what they want to build and the value they want to bring, and it isn’t always a bad thing if the concrete steps to get there aren’t laid out yet given how fast-paced and dynamic Web3 is. What’s important is that Founders are clear in communicating what their true intentions and plans are. A project can even proclaim to be solely an Art project, so in these cases, the utility of the NFT is the ability to own the art, and that’s it. 

Some Founders opt to go for the “underpromise, overdeliver” approach wherein they do not promise a clear roadmap and timeline per se, but they share a higher-level goal such as building a brand, creating a community, or even a product. In these cases, one can opt to assess the track record of the founders, and buy in at their own risk. 

On the other hand, there are projects that overpromise and eventually underdeliver. Projects like these can be detected through assessing the feasibility of the roadmap. Here are a few red flag roadmap items to watch out for:

1. Guaranteed Profits: As the old saying goes, if something’s too good to be true, it probably isn’t. High returns can be an attempt to lure more cash in with no intention of actually returning something back. Crypto investments, including NFTs, carry inherent risk and no returns are ever guaranteed.
   
2. Fast-Tracked Timelines: A roadmap that promises overly ambitious goals within unrealistic timelines may suggest that the team is more focused on creating hype than on delivering a solid product or service. Large-scale projects and commercial deals take months or even years to complete. If the timeline is questionable, the community is entitled to question the founders on their plans. From then, you can use your best judgment to see if the team is capable of making their plans a reality.
    
3. Focus on marketing over development: If the roadmap is heavily skewed towards marketing, promotions, or token/NFT sales and lacks a focus on product development, technical milestones, or user adoption, it could be a red flag. A project’s main goal SHOULDN’T be to mint out; the mint should be the first step. Projects focused purely on minting out, especially with a mint price that may not justify its value, are likely a rug. 
    
4. Lack of technical details: A good roadmap will include technical goals and specifications related to the blockchain and smart contracts being used. A legit team will be equipped to know these. If these details are missing or are insufficient, it might suggest that the project isn't as technically robust as it claims.
    
5. No Clear utility or value proposition: If the roadmap doesn't clearly outline the utility of the NFTs or the value proposition of the project, it could indicate a lack of long-term planning or strategy, a common trait in rug pull scams. Again, it does not need to have a full detailed plan, but the value that the project aims to give its community should be clear.
    
6. Stolen Art: Numerous fake NFTs pretend to be original pieces. Reverse Image search like Tinyeye or Google Lens is handy for checking if the artworks are original or stolen off elsewhere in the internet. If a project is blatantly lying about its art, it is most definitely a rug - DO NOT buy in as they are likely lying about a lot more.

TIP #4. Post-Mint: Check the NFT’s Provenance and Marketplace Activity.

Check the NFT's Provenance: The provenance is the historical record of an NFT's ownership. Verify the provenance to ensure that there aren't any unexpected transfers. You can do so through the following:

1. Identify the NFT on a trusted marketplace. Basic details such as current and previous holders, and previous sales, and other transaction history are available here.
2. Check transaction history. You should have the option to view information such as when the project was minted, who has owned it, and any sales and transfers that have occurred. 
3. For additional information, use blockchain explorers such as Etherscan. The marketplace provides the contract address of the project - this can be copied & pasted into Etherscan. This will give you access to the full history of transactions that have interacted with the project’s contract. 
    

Assess Marketplace Activity. Just because a project has minted out, it doesn't mean there’s no more risk to being a rug. Smart Contracts can be very powerful and can make things appear more legitimate than it is. Here are a few examples of what to watch out for on a Project’s Marketplace:

1. A large amount of tokens in 1 address. This often is not the best sign because a real project community would promote having the tokens spread across holders. There are however reasonable cases such as the wallet being a burn address or a staking contract. To check the top holders, you can go to the Analytics tab on Opensea and look at the ‘Owners’ portion.

It’s possible that a bullish whale just decided to collect a bulk of the NFTs - you can check if the address purchased these tokens, or it was just bulk minted or transferred. 

1. High floor, zero Volume. The floor isn’t everything - make sure to check the volume. These NFTs potentially were minted but programmed to be unsellable in the first place.
    
2. High volume, extremely low floor. If a project has existed for months, and they’ve got hundreds and thousands of ETH volume with conservative Creator Earnings of around 5%, the team should be equipped to execute whatever they have promised to the community. For a project to have extremely high volume and a low floor, it’s possible that the team has ceased development and the NFT no longer holds much value.

TIP #5. Be Proactive about Security Education.
Finally, the best defense against rug pulls is a proactive approach to security education. Read articles, take classes, surround yourselves with safe communities that can help you navigate the Web3 space securely. 

Boring Security provides free educational articles on the website, as well as free NFT Security 101 classes every month. An advanced 102 Class is offered to 101 Alumni wherein students dive deeper into Etherscan knowledge and more advanced security concepts including those mentioned in Tip #4. 

If you’re interested in upping your Security game, just hop on the Boring Security discord server here. Knowledge is power, and in the dynamic world of NFTs, it's one of your most reliable shields against rugs AND there is strength in numbers. Being part of a security conscious community will help you level up your rug-avoiding skills as well. 

While the world of Web3 is a space of growth and innovation, bad actors still exist and they will take advantage of your emotions and desires through tempting and enticing offers. The tips and tricks above can serve as your guide. Just always be cautious and remember that due diligence is your best defense against rug pulls - with that in mind, a whole new world that is safer and more rug-free should lie ahead of you!

Have any questions or want to learn more about web3 security and stay up to date on the most current security information, scams, and tactics? Join us in our discord at https://discord.gg/boringsecurity .