CRPWarner: Warning the Risk of Contract-related Rug Pull in DeFi Smart Contracts
Zewei Lin, Jiachi Chen, Zibin Zheng, Jiajing Wu, Weizhe Zhang, Yongjuan Wang
TL;DR
CRPWarner tackles the problem of pre-warning contract-related rug pulls in DeFi by analyzing decompiled EVM bytecode to build a CFG and applying a domain-specific Datalog analysis to detect malicious functions that enable rug pulls. The approach distinguishes contract-related from transaction-related rug pulls and identifies three malicious-function patterns: Hidden Mint Function, Limiting Sell Order, and Leaking Token. Evaluation on 69 open-source rug-pull contracts achieved a total $F1$-score of 88.7% (Precision 91.8%, Recall 85.9%), and large-scale screening of 13,484 ERC contracts found 4,168 with at least one malicious function, with an overall precision of 84.9% and a zero-day example detected. The work contributes a manually labeled rug-pull dataset, a publicly released CRPWarner tool and code, and demonstrates that static bytecode analysis can provide timely warnings before rug pulls fully unfold, aiding both developers and investors.
Abstract
In recent years, Decentralized Finance (DeFi) grows rapidly due to the development of blockchain technology and smart contracts. As of March 2023, the estimated global cryptocurrency market cap has reached approximately $949 billion. However, security incidents continue to plague the DeFi ecosystem, and one of the most notorious examples is the ``Rug Pull" scam. This type of cryptocurrency scam occurs when the developer of a particular token project intentionally abandons the project and disappears with investors' funds. Despite it only emerging in recent years, Rug Pull events have already caused significant financial losses. In this work, we manually collected and analyzed 103 real-world rug pull events, categorizing them based on their scam methods. Two primary categories were identified: Contract-related Rug Pull (through malicious functions in smart contracts) and Transaction-related Rug Pull (through cryptocurrency trading without utilizing malicious functions). Based on the analysis of rug pull events, we propose CRPWarner (short for Contract-related Rug Pull Risk Warner) to identify malicious functions in smart contracts and issue warnings regarding potential rug pulls. We evaluated CRPWarner on 69 open-source smart contracts related to rug pull events and achieved a 91.8% precision, 85.9% recall and 88.7% F1-score. Additionally, when evaluating CRPWarner on 13,484 real token contracts on Ethereum, it successfully detected 4168 smart contracts with malicious functions, including zero-day examples. The precision of large-scale experiment reach 84.9%.