How To Cook The Fragmented Rug Pull?
Minh Trung Tran, Nasrin Sohrabi, Zahir Tari, Qin Wang
TL;DR
This work identifies fragmented rug pulls (FRP) as a class of DeFi exits where attackers retain liquidity-pool control while draining through many small, time-distributed trades and multi-wallet delegation, thereby evading traditional per-transaction detection. The authors decompose canonical rug-pull heuristics into three atomic predicates (A: LP control, B: exit fragmentation, C: identity obfuscation) and formalize FRP as a generalizable model with parameters (N, Ka, v) to unify single- and multi-wallet strategies. A large-scale, six-DEX on-chain measurement labels 105,434 FRP pools among 303,614 short-lived pools, revealing a market-wide shift from owner-led exits to delegated, multi-wallet campaigns and a rise in recurring distributor wallets. The paper provides a reproducible FRP dataset and analysis toolkit, derives practical early-warning indicators, and discusses mitigation strategies for DeFi ecosystems, highlighting the need for behavior-based detection over isolated event signaling. collectively, the work reframes rug-pull detection as a problem of aggregated, predicate-based reasoning over on-chain activity, enabling more robust defense against evolving fraud patterns.
Abstract
Existing rug pull detectors assume a simple workflow: the deployer keeps liquidity pool (LP) tokens and performs one or a few large sells (within a day) that collapse the pool and cash out. In practice, however, many real-world exits violate these assumptions by splitting the attack across both time and actor dimensions: attackers break total extraction into many low-impact trades and route proceeds through multiple non-owner addresses, producing low-visibility drains. We formalize this family of attacks as the fragmented rug pull (FRP) and offer a compact recipe for a slow-stewed beef special: (i) keep the lid on (to preserve LP control so on-chain extraction remains feasible), (ii) chop thin slices (to split the total exit volume into many low-impact micro-trades that individually fall below impact thresholds), and (iii) pass the ladle (to delegate sells across multiple wallets so that each participant takes a small share of the extraction). Technically, we define three atomic predicate groups and show that their orthogonal combinations yield evasive strategies overlooked by prior heuristics (USENIX Sec 19, USENIX Sec 23). We validate the model with large-scale measurements. Our corpus contains 303,614 LPs, among which 105,434 are labeled as FRP pools. The labeled subset includes 34,192,767 pool-related transactions and 401,838 inflated-seller wallets, involving 1,501,408 unique interacting addresses. Notably, owner-wallet participation in inflated selling among FRP-flagged LPs has declined substantially (33.1% of cases), indicating a shift in scam behavior: the liquidity drain is no longer held on the owner wallet. We also detected 127,252 wallets acting as serial scammers when repeatedly engaging in inflated selling across multiple FRP LPs. Our empirical findings demonstrate that the evasive strategies we define are widespread and operationally significant.