How to Tell If You’re About to Get Rugged in DeFi
Rugged. Rekt. Bag-holder.
You’ve definitely heard the phrases before if you’ve spent any amount of time in DeFi. They mean your initial investment is gone or worth almost nothing.
This can happen on purpose, due to neglect, stupidity, obstinance or all of the above. Now you’re left trying to pick up the leftovers and move on from your initial investment. So, how do you know when something has a high likelihood of screwing you over? And what can you do to lower your risk?
DYOR — Get to know the code
“Hey has anyone heard anything about that new project PolyMeth? Are my funds safu there?”
Do your own research. Asking a Discord channel or on Twitter isn’t gonna get you the information you need to avoid getting rugged. Read the code, watch for warning signs, and always be on the lookout for weird action on the network.
Read the code
When it comes to DeFi smart contracts are the only thing you should trust. If you can’t see the contract on Etherscan or Polygonscan that’s a good sign to get out. Start learning from the best and review a masterchef from the likes of Sushi, Aave, or other trustworthy, longstanding, projects. From that, you’ll also learn what good clean code looks like.
I acknowledge, not everyone can read code, but there are increasingly more and more resources out there to learn how to do so, or compare forks of various projects. Interested in getting started analyzing code? Try out this list of tools.
Watch out for bad code
I won’t pretend I know everything about smart contracts and Solidity, but I know there are some bad practices out there you should watch for. This is just a start, and I realize requires more than a basic knowledge of coding. Skip on to the next section if for more resources that don’t require knowing something about solidity.
Bad code practices to watch out for:
- Unverified code that can’t be viewed and therefore checked for malicious actions
- A contract that can mint tokens willy-nilly without community involvement
- Custodial contracts that take over your token
- Withdraw commands that can assign unreasonable fees or be changed arbitrarily
- Lack of a significant timelock (24 hours or longer) on important parts of the protocol — allowing supporters to monitor and respond before an event comes crashing down on them
- An unaccounted pool that the main site says nothing about and can allow the owner to siphon off funds
As you learn more you’ll be able to identify these in the code or at least chat with other community members about them. It never hurts to ask questions on something and if a dev. team can’t answer your question thoroughly, beware!
Track the transactions
Check out the transactions for a contract on Etherscan or Polygonscan and watch for odd moves from dev. wallets. If something looks nefarious or wrong, it probably is, and the dev. team should be asked about it.
A good dev. will always give you space to ask questions.
If you can’t read code or understand transactions on the network that’s alright, but it’s one of the best ways to watch out for bad actors. Read on for more!
Understand the tokenomics
Any good DeFi project will explain how the protocol works, your place in it, what value the system creates, and the usefulness of its token(s).
- If the token is just there to reward you… it’s basically cheese on a rat trap.
- If the token market supply never stops growing it will eventually be worth zero. Guaranteed.
- If the only way to make the token worth anything is buying and burning it, eventually the fire will die off.
It’s not all just about the token though. You need to make sure the whole system works together. A good token + a fatal flaw in the protocol still means you lose.
If it’s too good to be true, it probably is
That absolutely insane APY (annual percentage yield) got your mouth watering? Think about how those APYs work. Have they been justified in any way? Do those high numbers go up only when a lot of people are coming in and the TVL (total value locked) is increasing? What happens when it goes down and you’re still invested? Even worse, what if you bought in right at the top and it’s only down from there? If something sounds too good to be true it probably is. No — it definitely is.
Meet your dev. team
A quality sign of any developer is you know their name and face. Anonymity can mean a lack of accountability.
Or maybe the dev. isn’t fully doxxed but at least partially to their other team members. That’s better than nothing.
Perhaps for various reasons they are anonymous. This can be alright if the dev. holds themselves accountable to the community, transparent, responsive to questions/challenges, and make changes based on your feedback.
Oh, and if they are willing to refund you due to their mistake follow them to the ends of the earth.
Good developers do work, bad ones stagnate
Another great sign that a developer is trustworthy?
- They work on the protocol and want to see things grow in a healthy way.
- They try and make connections with other projects on DeFi.
- They are open to quality input from the community and seek it out.
- They research and are constantly trying new things out.
- They don’t sit idly after a launch, but are hiring, coding, and buidling every chance they can.
The community benefits, trust grows, and the protocol works better.
Trust the real experts
Not sure you can do all this on your own? Research trustworthy auditors (some are WAY better than others) read their reports, and stop trusting them when they fail.
A good auditor has multiple reviews under their belt and a high-standard of the projects they will take on. They often take time to explain how safety in DeFi works and are transparent about EVERYTHING. Also, if their audit contains several spelling errors it means they don’t care about details. Do. Not. Trust.
NEVER ever just go on the word of some random “rug-prevention” site, especially if it sells ads for farms, refuses to review complicated code or do in-depth analysis, and repeatedly ends up having to update their initial assessments of DeFi projects because they missed something in the first round.
The proof is in the pudding.
Wait for the audit
If an audit is started but not public just yet, ask if the wait is worth it before yolo-ing in. It usually is. Short-term gains don’t matter if you lose them all in the end. You can wait a couple of weeks, and if not the project probably isn’t worth investing in.
Ready to invest? De-risk
Done your initial research and now want to dip into that DeFi project? Make sure to lower your risk as much as possible.
Try out a test transaction
First, try a test of that new farm or bridge. It may cost you a small fee but that is way better than a huge loss. Use a small amount to see how things go. Are you able to withdraw without delay and any extra fees being taken away? Does the transaction history interact with the contract you were expecting? Trust but verify.
Don’t put all your eggs in one basket
Avoid the temptation to put everything into that one incredible project. Risks in DeFi are multiplied from traditional banking: there is less accountability, regulation, etc. If you go with only one project you are increasing your risk-plane.
A smart investor doesn’t put all their money in any one place. They hedge their bets against all sorts of risks. That means not putting 100% into any single project unless you absolutely believe in it.
Instead, diversify what tokens you hold, where, and remember that it is always okay to take profit.
It’s okay to make smaller, long-term, consistent gains
DeFi can be a dangerous place. Those high APYs might cost you everything you have. Better to average it out in several safe spots than ape into something that costs you all your coin and kicks you from doing anything. Think about the long-term and how something can be sustainable.
Oh, and never invest what you can’t lose.
Thanks for reading and please remember to follow here, share, and connect with me on Twitter.
