Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Serial Scammers and Attack of the Clones: How Scammers Coordinate Multiple Rug Pulls on Decentralized Exchanges

Phuong Duy Huynh, Son Hoang Dau, Nicholas Huppert, Joshua Cervenjak, Hoonie Sun, Hong Yen Tran, Xiaodong Li, Emanuele Viterbo

TL;DR

This paper addresses the rise of serial Rug-Pull scams on Ethereum and BSC by analyzing two large datasets of one-day rug-pull pools on UniswapV2 and PancakeswapV2. It introduces three coordinated patterns—scam stars, max-in-max-out scam chains, and major scam-funding flows—and formalizes scam clusters based on direct transfers and shared pools, showing that these patterns cover a substantial fraction of scammer activity. A cluster-aware profit formula that accounts for wash trading is proposed, revealing that naive profit calculations significantly inflate true profits (up to $32\%$ on UNI and $24\%$ on CAKE). The findings demonstrate that serial scammers operate in detectable, highly similar contract clusters and that accounting for wash trading is essential for accurate assessment of rug-pull economics, with implications for detection and enforcement in DeFi ecosystems.

Abstract

We explored the ubiquitous phenomenon of serial scammers, each of whom deployed dozens to thousands of addresses to conduct a series of similar Rug Pulls on popular decentralized exchanges. We first constructed two datasets of around 384,000 scammer addresses behind all one-day Simple Rug Pulls on Uniswap (Ethereum) and Pancakeswap (BSC), and identified distinctive scam patterns including star, chain, and major (scam-funding) flow. These patterns, which collectively cover about $40\%$ of all scammer addresses in our datasets, reveal typical ways scammers run multiple Rug Pulls and organize the money flow among different addresses. We then studied the more general concept of scam cluster, which comprises scammer addresses linked together via direct ETH/BNB transfers or behind the same scam pools. We found that scam token contracts are highly similar within each cluster (average similarities $>70\%$) and dissimilar across different clusters (average similarities $<30\%$), corroborating our view that each cluster belongs to the same scammer/scam organization. Lastly, we analyze the scam profit of individual scam pools and clusters, employing a novel cluster-aware profit formula that takes into account the important role of wash traders. The analysis shows that the existing formula inflates the profit by at least $32\%$ on Uniswap and $24\%$ on Pancakeswap.

Serial Scammers and Attack of the Clones: How Scammers Coordinate Multiple Rug Pulls on Decentralized Exchanges

TL;DR

This paper addresses the rise of serial Rug-Pull scams on Ethereum and BSC by analyzing two large datasets of one-day rug-pull pools on UniswapV2 and PancakeswapV2. It introduces three coordinated patterns—scam stars, max-in-max-out scam chains, and major scam-funding flows—and formalizes scam clusters based on direct transfers and shared pools, showing that these patterns cover a substantial fraction of scammer activity. A cluster-aware profit formula that accounts for wash trading is proposed, revealing that naive profit calculations significantly inflate true profits (up to on UNI and on CAKE). The findings demonstrate that serial scammers operate in detectable, highly similar contract clusters and that accounting for wash trading is essential for accurate assessment of rug-pull economics, with implications for detection and enforcement in DeFi ecosystems.

Abstract

We explored the ubiquitous phenomenon of serial scammers, each of whom deployed dozens to thousands of addresses to conduct a series of similar Rug Pulls on popular decentralized exchanges. We first constructed two datasets of around 384,000 scammer addresses behind all one-day Simple Rug Pulls on Uniswap (Ethereum) and Pancakeswap (BSC), and identified distinctive scam patterns including star, chain, and major (scam-funding) flow. These patterns, which collectively cover about of all scammer addresses in our datasets, reveal typical ways scammers run multiple Rug Pulls and organize the money flow among different addresses. We then studied the more general concept of scam cluster, which comprises scammer addresses linked together via direct ETH/BNB transfers or behind the same scam pools. We found that scam token contracts are highly similar within each cluster (average similarities ) and dissimilar across different clusters (average similarities ), corroborating our view that each cluster belongs to the same scammer/scam organization. Lastly, we analyze the scam profit of individual scam pools and clusters, employing a novel cluster-aware profit formula that takes into account the important role of wash traders. The analysis shows that the existing formula inflates the profit by at least on Uniswap and on Pancakeswap.

Paper Structure

This paper contains 31 sections, 1 theorem, 2 equations, 14 figures, 10 tables, 2 algorithms.

Table of Contents

  1. Introduction
  2. Background
  3. Ethereum and BNB Smart Chain (BSC)
  4. Uniswap (UNI) and Pancakeswap (CAKE)
  5. One-Day Simple Rug-Pull Datasets
  6. One-Day Simple Rug Pull
  7. Data Collection
  8. Serial Scam Patterns
  9. Scam Stars
  10. Max-In-Max-Out Scam Chains
  11. Major Scam-Funding Flows
  12. Scam Clusters
  13. Generating Scam Clusters
  14. Measuring Cluster Contract Similarity
  15. Cluster-Aware Scam Profit
  16. ...and 16 more sections

Key Result

theorem 1

Let $S$ be a set of scammer addresses. Then the following statements hold.

Figures (14)

  • Figure 1: Typical activities in a DEX scam pool. There can be one or more scammer addresses behind each pool. Wash traders bought scam tokens to increase its price and generate fake activities. The arrow refers to the flow of the native token (ETH/BNB). If the scam token is a Trapdoor Huynh_etal_arxiv_2023 then it's possible to buy but impossible to sell the scam token to obtain the high-value native token.
  • Figure 2: The transaction history of a typical one-day Simple Rug-Pull scammer address on Etherscan, with one "Add Liquidity" and one "Remove Liquidity" events within a day. The scammer address 0x2ec6bf65bf9cf83bdd9295425b5b145daa3cb763 received 5.5 ETH from the public exchange OKX, created a pool on UniswapV2, added 5 ETH and 250M LIGHT (scam token) as liquidity, then removed liquidity (5.19 ETH and 241M LIGHT) within a day.
  • Figure 3: Examples of an IN/OUT-star with dc5b as the center. The six satellites are all scammer addresses. The center's full address is 0xbfc6cc4676aef7216e597d45d68463097520dc5b.
  • Figure 4: Part of a simple scam chain of length 47, starting with 0xc3e8290045952d520f4c2eb7e8725cabc4c8b5d6. Each address performed one Rug Pull and then transferred fund to the next one.
  • Figure 5: A minimal major flow. The input address 9cb0 (full address: 0x15a828abe5ef29fa9fbe5c0774110232f9089cb0) added 10 ETH into a scam pool and removed 11.04 ETH. It then transferred 5.2 ETH and 5 ETH to its major beneficiaries 5a95 and 9dbb. The internal address 5a95, after funded by its major funders 9cb0 and e3df, ran one scam and transferred fund to its major beneficiaries, the output addresses fc34 and 9dbb. Note that 5a95 was fully funded by its major funders and transferred at least 90% of its scam revenue (obtained from the last pool) to its major beneficiaries.
  • ...and 9 more figures

Theorems & Definitions (10)

  • definition 1: One-Day Simple Rug Pull
  • definition 2: Scammer Addresses
  • definition 3: Scam Star
  • definition 4: Simple Scam Chain
  • definition 5: Scam-Funding Transactions
  • definition 6: Major Flow
  • theorem 1: Major Scam-Funding Flow
  • definition 7: Scam Cluster
  • definition 8
  • definition 9: Cluster-aware profit