According to research conducted by blockchain security firm Hacken, the majority of crypto projects that rug-pulled in the third quarter of 2023 did not have audit reports. The Q3 2023 Security Insights report found that out of the 78 examined rug pulls, only 12 had conducted and reported audits. This indicates that most rug-pulled projects are not audited.
An independent third-party audit provides a thorough review of a token, identifies vulnerabilities in the project, and alerts investors. Hacken noted that rug pulls are one of the simplest scams to prevent, as investors can understand the patterns associated with them. One such pattern is the presence or absence of an audit.
However, it is important to note that even though an independent third-party audit may validate a project’s authenticity, it does not guarantee protection from a sudden withdrawal of liquidity. A project can undergo an audit, publish a report, and still make malicious changes to its tokenomics and smart contract, defrauding users.
Among the projects that were rug-pulled last quarter, some had been audited but received poor scores. Unfortunately, users ignored the audit results, believing that the fact that the projects were audited was sufficient. This was the case with Magnate Finance, a lending protocol based on crypto exchange Coinbase’s Base network. The audit stated that the project’s deployer could manipulate the token, but users did not pay attention to these findings.
“Token owners continued to participate in the protocol for almost three months after the audit results. And by the end of August, the deployer had removed liquidity from LPs in multiple transactions. As a result, we got the 2nd largest rug pull this quarter with over $5 million stolen,” Hacken said.
A similar experience occurred with users of the decentralized crypto staking platform DeFiLabs. An audit conducted by blockchain security firm CertiK revealed a centralization risk within the project’s contracts, but users did not show concern about the warnings. Eventually, the platform rug-pulled and disappeared with $1.4 million worth of users’ assets.
In their research, Hacken identified a common pattern among rug pulls. Developers of malicious projects typically follow five steps: creating the tokens, aggressively marketing them, inflating the tokens’ supply as liquidity accumulates, vanishing with drained funds, and leaving investors with worthless assets.