Smart Contract Security · Term

What is a rug pull?

A rug pull is when a project’s own creators drain its funds or disable selling, leaving holders with worthless tokens. It is fraud built into the contract or its controls. Here is what to look for.

TL;DR

A rug pull is a crypto scam where a project’s own developers deliberately drain its funds or destroy its value, abandoning investors. It is not an external hack but insider fraud, enabled by excessive privileges in the contract: an owner who can mint unlimited tokens, withdraw the liquidity pool, pause selling (a honeypot), or change fees to 100%. The defense is verifying what the team can do: audited code, locked or renounced privileges, locked liquidity, and transparent, time-locked controls before you trust a project.

By SecureLayer7 Audit Team, Smart Contract Audit, SecureLayer7

What it is

Most attacks come from outsiders. A rug pull comes from the insiders: the project team uses powers it built into the contract to take the money and run, or to trap holders so they cannot exit.

It is fundamentally about trust and privilege: if the deployer retains the ability to drain liquidity, mint freely, or block sales, then investors are relying entirely on the team's honesty. A rug pull is those powers exercised maliciously.

How it works and red flags

Common rug-pull mechanisms:

  • Liquidity removal: the team holds the liquidity-pool tokens and withdraws the entire pool, leaving the token untradeable and worthless.
  • Unlimited mint: an owner-only mint lets them create and dump endless tokens.
  • Honeypot / sell-disable: hidden logic lets the owner block holders from selling while they exit.
  • Fee manipulation: the owner sets the transfer/sell fee to ~100%, capturing everything.
  • Upgradeable proxy: the owner can swap in new implementation logic later, so rules that look safe in today's source can change after launch.

Every one of these is visible in verified source and on-chain state before you invest, which is why they are documented here: knowing the mechanisms tells you what to check.

How to spot and prevent it

  • Check owner privileges: can anyone mint, drain liquidity, pause transfers, or change fees? Excessive owner power is the warning sign.
  • Verify locked liquidity (LP tokens held by a time-lock or burned) and renounced or time-locked ownership of critical functions. Check the LP token holder and the current owner() on-chain rather than trusting the project's claim.
  • Require a credible audit and verified, published source code, not unverified bytecode.
  • Look for honeypot logic (blacklists, trading switches, owner exemptions inside transfer), and simulate a buy followed by a sell, for example on a forked chain or a testnet deployment, before committing funds.
  • Favor transparent teams with multisig and timelocks over anonymous unlimited-control deployers.
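The mechanisms listed under "How it works" and the checks in this list are the same thing seen from two sides: a privilege in the code, and the question of whether it is capped, bounded or absent. The following is an added example, not code from SecureLayer7 or from any real project: a small Python scanner that runs those checks over two constructed Solidity fragments written for this example (they are not compiled here; `IERC20`, `MAX_SUPPLY` and `MAX_FEE_BPS` are assumed to be declared elsewhere). The first fragment keeps every privilege from the list above; the second keeps only a capped mint and a bounded fee, so the scanner's output for the two shows the difference a practitioner is looking for.

```python
"""Static red-flag scan of verified Solidity source for owner privileges that enable a rug pull.
Heuristic: regexes over function names, modifiers and bodies. A first pass to decide what to
read by hand, not a substitute for an audit."""
import re
from dataclasses import dataclass

# Constructed Solidity fragment (not a real deployment, not compiled here): the owner keeps
# every privilege the page lists: uncapped mint, unbounded fee, trading switch, blacklist, LP sweep.
PRIVILEGED_TOKEN = """
contract ExampleToken {
    address public owner; uint256 public feeBps = 300; bool public tradingEnabled = true;
    mapping(address => bool) public blacklist; mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    function mint(address to, uint256 amount) external onlyOwner {
        totalSupply += amount; balanceOf[to] += amount;
    }
    function setFee(uint256 bps) external onlyOwner { feeBps = bps; }
    function setTrading(bool on) external onlyOwner { tradingEnabled = on; }
    function setBlacklist(address who, bool f) external onlyOwner { blacklist[who] = f; }
    function withdrawLP(address lp) external onlyOwner {
        IERC20(lp).transfer(owner, IERC20(lp).balanceOf(address(this)));
    }
    function transfer(address to, uint256 amount) external returns (bool) {
        require(tradingEnabled || msg.sender == owner, "trading off");
        require(!blacklist[msg.sender], "blocked");
        uint256 fee = amount * feeBps / 10000;
        balanceOf[msg.sender] -= amount; balanceOf[to] += amount - fee; balanceOf[owner] += fee;
        return true;
    }
    function renounceOwnership() external onlyOwner { owner = address(0); }
}
"""
# Constructed hardened counterpart: the same two privileges, but capped and bounded.
BOUNDED_TOKEN = """
contract BoundedToken {
    function mint(address to, uint256 amount) external onlyOwner {
        require(totalSupply + amount <= MAX_SUPPLY, "cap"); totalSupply += amount; balanceOf[to] += amount;
    }
    function setFee(uint256 bps) external onlyOwner { require(bps <= MAX_FEE_BPS, "fee"); feeBps = bps; }
}
"""

@dataclass
class Func:
    name: str
    header: str   # text between the parameter list and the body: visibility, modifiers, returns
    body: str     # "" for interface/abstract declarations that end in ';'

@dataclass
class Finding:
    severity: str  # HIGH, MEDIUM or INFO
    function: str
    reason: str

FUNC_RE = re.compile(r"\bfunction\s+(\w+)\s*\([^)]*\)")
SEVERITY_RANK = {"INFO": 0, "MEDIUM": 1, "HIGH": 2}

def extract_functions(src: str) -> list[Func]:
    """Locate each 'function name(...)' and brace-match its body (modifiers/constructors are skipped)."""
    funcs = []
    for m in FUNC_RE.finditer(src):
        j = m.end()
        while j < len(src) and src[j] not in "{;":
            j += 1
        header, body = src[m.end():j].strip(), ""
        if j < len(src) and src[j] == "{":
            depth, k = 0, j
            while k < len(src):
                depth += (src[k] == "{") - (src[k] == "}")
                if depth == 0:
                    break
                k += 1
            body = src[j + 1:k]
        funcs.append(Func(m.group(1), header, body))
    return funcs

def owner_gated(f: Func) -> bool:
    """True if the function is restricted to the owner by a modifier or an explicit require."""
    return bool(re.search(r"\bonly\w*(Owner|Admin|Dev)\b", f.header)
                or re.search(r"require\s*\(\s*msg\.sender\s*==\s*owner\b", f.body))

# (name pattern, reason) for owner-gated functions that match a rug-pull mechanism from the page
GATED_RULES = [
    (r"trading|pause|enable|disable|halt", "owner can switch transfers on/off (sell-disable)"),
    (r"blacklist|blocklist|bot|ban", "owner can block chosen holders from transferring (honeypot)"),
    (r"withdraw|removeliquidity|rescue|sweep|drain", "owner can pull tokens/LP held by the contract"),
]

def scan(src: str) -> list[Finding]:
    out = []
    for f in extract_functions(src):
        n = f.name.lower()
        if f.name == "renounceOwnership":
            out.append(Finding("INFO", f.name, "renounce exists; confirm on-chain that owner() is already zero"))
        if n in ("transfer", "_transfer", "transferfrom") and re.search(r"(msg\.sender|from)\s*==\s*owner\b", f.body):
            out.append(Finding("MEDIUM", f.name, "owner exempt from transfer checks: can exit while holders cannot"))
        if not owner_gated(f):
            continue
        if "mint" in n and not re.search(r"require\s*\([^;]*(cap|max)", f.body, re.I):
            out.append(Finding("HIGH", f.name, "owner-only mint with no supply cap"))
        if re.search(r"fee|tax", n):
            bounded = re.search(r"require\s*\([^;]*<=", f.body)
            out.append(Finding("INFO" if bounded else "HIGH", f.name,
                               "owner can change fee (bounded)" if bounded else "owner can set fee with no upper bound"))
        for pat, reason in GATED_RULES:
            if re.search(pat, n):
                out.append(Finding("HIGH", f.name, reason))
    if re.search(r"\bdelegatecall\b|\bupgradeTo\w*\s*\(", src):
        out.append(Finding("MEDIUM", "(contract)", "upgradeable/proxy: logic can be replaced later"))
    return out

def worst_severity(findings: list[Finding]) -> str:
    return max((f.severity for f in findings), key=SEVERITY_RANK.__getitem__, default="NONE")

if __name__ == "__main__":
    for label, src in (("privileged", PRIVILEGED_TOKEN), ("bounded", BOUNDED_TOKEN)):
        fs = scan(src)
        print(f"{label}: worst={worst_severity(fs)}")
        for f in fs:
            print(f"  [{f.severity}] {f.function}: {f.reason}")
```

Run it as a script and the privileged fragment reports five HIGH findings (mint, setFee, setTrading, setBlacklist, withdrawLP) plus the owner exemption in transfer, while the bounded fragment reports only an INFO for the capped fee. Two caveats: the name and body heuristics will miss privileges hidden behind unusual names or a delegatecall, so a clean run is a reason to read the code, not a reason to skip it; and source alone cannot tell you whether renounceOwnership was ever called or who holds the LP tokens, which is why the on-chain checks in the list above are separate steps.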
