The Road to Rugpull is almost always paved with good intentions. You may be surprised to read that. Another surprise: when people think of rugpulls they envision some shady hacker writing some extra tricky backdoor in the code that will drain everyone’s wallets as soon as they connect. Well, after auditing hundreds of contracts, I can tell you that the majority of them just aren’t that sophisticated. Web3 is still very much a copy-and-paste industry and I see a lot of the same mistakes pop up over and over again; something that indicates to me that the developer who wrote it is inexperienced. So, if not some super-pro mega-hacker, who is doing these rugpulls? And how can you protect yourself?
When I was 17 one summer, I found an ad pinned underneath my windshield for a company that was hosting open interviews in a town nearby. As a broke teenager, I needed a job. So on the day-of, I threw on a suit and a nice tie and went to the address on the ad. I remember parking my car and walking up and down the street, going around the block several times under the hot sun, looking for a sign that matched the name of this company. After a while, I just assumed the address was wrong. So I headed back to my car, which was parked in front of some shady-looking warehouse with weeds growing out of the cracks in its parking lot. I thought, maybe. I decided to go around to the front and check. The address matched.
I walked inside and the lights were off and a video was playing on a projector screen. I was greeted by a man standing in front of maybe 10 or 11 other people sitting in chairs. I apologized for being late and explained I had trouble finding the place. The man in front assured me it was ok and to take a seat in the back. He was really giddy and positive. He really didn’t seem to mind that I was maybe 15–20 minutes late. A wave of relief washed over me. As the orientation movie continued playing, I quickly gathered that the company was about door-to-door selling kitchen knives or something like that. I was almost certain that I had received a letter in the mail inviting me to interview at a similar company. I wondered if kitchen knives were really that in-demand that you could make a career selling them door-to-door. As I looked around, I noticed something pretty odd: of all the offices I had ever visited, they all established some type of permanence or intent to be there for a long time. What I mean is, usually I saw: desktop computers not laptops, comfy chairs not foldouts, heavy wooden desks not Rubbermaid banquet tables; pictures and posters on the wall, clutter on the desks and floor, industrial-sized printers. I saw none of that in this “office.” I started to feel uneasy.
During the break, I made up an excuse that I had to pay my parking meter or something. The overly-positive, always smiling “interviewer” damn near followed me out the door. “Oh, I’m sure it’s okay…If you leave now, you might miss out on some important details…Are you sure? Just five minutes? You look like a guy who’s super-motivated. You’re not running away from the challenge are you?”
“To be honest,” I said quietly. “I just get the feeling that if I come back here next week, none of this will be here.”
“Why do you say that?”
Then I proceeded to point out everything I just mentioned. I don’t know why I did. I guess I was just a very blunt teenager. The look in his eyes — it was like of all the shitty objections he had prepared counters for, to this, the dude had absolutely nothing. I think he let me go without a fight just as a thank you for not blowing his spot up in front of everyone. I left without a commotion, and I felt bad for the people that were still in there. If it was that obvious to me, I wondered why it wasn’t to everyone else. More on that in a bit.
If you were ever a broke kid who spent your summer going door-to-door asking for work, then you have more than likely been approached with some bullshit like this. And if you didn’t call it out immediately, or maybe even participated in it for a while, it was likely only because you were a broke kid. You were desperate. You didn’t have a lot of opportunities.
Oftentimes, from the day a developer joins a team, there are conversations being had that the dev isn’t privy to. The dev doesn’t know these people, maybe they don’t trust the dev entirely either. And on the day everyone decides to scram, a lot of times it’s the dev standing there in that empty warehouse that used to be an “office.”
It happens way more often than you think. I’ve got the scars to prove it. It would be people you would never expect to have that little integrity:
“Oh I’m the exec at XYZ firm…I own an IT company… I’m friends with XYZ celebrity…”
The internet is a place a lot of these grifters can go, put up a website and a cheap headshot, then vanish, change numbers, and do it all again if they have to.
Even with that said, I have to reemphasize something: it’s not always intentional. A lot of people, no doubt, come into the web3 space thinking they can just poop out some shitty collection of 10,000 Hashlips-generated jpegs and make millions of dollars. They put out roadmaps promising alpha-baller pool parties in Vegas but in the Metaverse, and all sorts of other stuff, but they never truly deal with the question: who pays for it all if it doesn’t work out?
While it is understood that there’s a risk to every investment and not everything works out and that’s just how it goes, only in the metaverse would a person attempt to dine-and-dash on the bill and not expect any consequences. I can live with not receiving a return on an investment. You didn’t pay what you owe.
My lessons from both the real world and the metaverse shape my analysis today on how to spot a rugpull, from the well-intentioned, in-over-his-head founder, to the malicious cretin who knows exactly what he’s doing.
Tokenomics
When I look at a project’s tokenomics, I analyze the following factors: utility, allocation, emissions, supply control, and monetary policy. Price isn’t really super probative here. But if a project has no utility, or the utility is vague or something that’s not even possible, or a huge giant chunk of the supply is getting released all at the beginning and most of it is going to the founders and private investors, whether they mean to or not is inconsequential to the people left holding the bag — this project is going to tank and in most cases, the founding team was at the very minimum grossly negligent in the way they executed their plans.
Smart Contract
The owner retains way too much control after deployment. They own a huge chunk of the supply, can mint whenever they want, can increase or decrease fees, can airdrop any amount, etc. Basically, when things start to fall apart they can do just about whatever they want to protect themselves and maybe even get out before you even know what’s happening.
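An added example, not part of the original post or any project's code: a first-pass triage of a token's ABI for the owner powers listed above (minting, fee changes, airdrops). The ABI is constructed for a hypothetical token, and the name patterns are an assumed heuristic.

```python
import json
import re

# Constructed ABI fragment for a hypothetical token; not taken from any real contract.
SAMPLE_ABI = json.loads("""
[
 {"type":"function","name":"transfer","stateMutability":"nonpayable",
  "inputs":[{"name":"to","type":"address"},{"name":"amount","type":"uint256"}]},
 {"type":"function","name":"balanceOf","stateMutability":"view",
  "inputs":[{"name":"account","type":"address"}]},
 {"type":"function","name":"mint","stateMutability":"nonpayable",
  "inputs":[{"name":"to","type":"address"},{"name":"amount","type":"uint256"}]},
 {"type":"function","name":"setSellFee","stateMutability":"nonpayable",
  "inputs":[{"name":"bps","type":"uint256"}]},
 {"type":"function","name":"airdrop","stateMutability":"nonpayable",
  "inputs":[{"name":"to","type":"address[]"},{"name":"amounts","type":"uint256[]"}]},
 {"type":"function","name":"owner","stateMutability":"view","inputs":[]},
 {"type":"event","name":"Transfer","inputs":[]}
]
""")

# Assumed name patterns for the powers listed above; a heuristic, not proof.
RISK_PATTERNS = {
    "mint": re.compile(r"mint", re.I),
    "fee": re.compile(r"^(set|update|change).*(fee|tax)", re.I),
    "airdrop": re.compile(r"airdrop", re.I),
}

def flag_owner_powers(abi):
    """Return {category: [signatures]} for state-changing functions that match."""
    findings = {}
    for entry in abi:
        if entry.get("type") != "function":
            continue  # skip events, constructors, errors
        if entry.get("stateMutability") in ("view", "pure"):
            continue  # read-only functions cannot change supply or fees
        name = entry.get("name", "")
        sig = f"{name}({','.join(i['type'] for i in entry.get('inputs', []))})"
        for category, pattern in RISK_PATTERNS.items():
            if pattern.search(name):
                findings.setdefault(category, []).append(sig)
    return findings

def has_owner_role(abi):
    """True if the ABI exposes an owner() getter, i.e. a privileged account exists."""
    return any(e.get("type") == "function" and e.get("name") == "owner" for e in abi)

if __name__ == "__main__":
    print(flag_owner_powers(SAMPLE_ABI), has_owner_role(SAMPLE_ABI))
```

A hit only shows that the function exists; who may call it, and whether a supply cap or fee ceiling bounds it, has to be confirmed in the verified source.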
Team
For the reasons I mentioned earlier, the team of founders, whether doxxed or not, doesn’t mean as much as the first two. The internet is such a vast place, it doesn’t really take much for a person to delete any ties they had to a previous rugpull and move onto the next thing.
Company
I think this criterion is what separates my analysis from others. Just like the 17-year-old kid showing up to a job interview in front of a warehouse where the grass isn’t cut and there’s nothing anchored down inside the office, I care less about who the “face” of the company is than whether there is a company that I can search on a business registry. Are they incorporated? If not in the U.S., where? If the founders squirm away, is there someone I can sue and how hard was it to find all this information? Keep in mind that just because a company is incorporated doesn’t mean it’s not a sham company that might fold like a house of cards the moment the founders decide to flee. However, if you ask all these questions before investing in a sketchy project, you will probably be less likely to invest if the company itself displays these warning signs.
Roadmap
I actually place the least amount of significance on the roadmap after all these other factors. I understand that web3 is a rapidly changing field and teams have to pivot and adjust as they go. But a huge red flag for roadmaps is where you see milestones that are result-based rather than action-based. You see this often with projects that say things like: “when our floor price is 1 ETH, we will do X” or “after we have generated $10 million in revenue.” These are results-based milestones and they are very whimsical. Milestones like this indicate to me that the founding team has not put enough thought into how they will reach these milestones. A 1 ETH floor price is an objective. An action-based milestone would include key performance indicators and a plan of execution to improve on those indicators. A result-based roadmap just shows me that the team is giving itself an out if the project doesn’t go straight to the moon right away.
Those are the five major areas I look at to help clients steer clear of shaky web3 projects. Hopefully, you found it insightful, if not entertaining. And if ever in doubt, just think back to 17-year-old me sitting in that sketchy warehouse with the guy trying to convince me to buy a box of knives. If you wouldn’t do it in real life, don’t let a grifter trick you into doing it on the internet.