A CertiK security analysis has found that over 50 so-called decentralized finance (DeFi) and non-fungible token (NFT) projects may have “critical” vulnerabilities.
CertiK wrote in a blog post that they “feel obligated to share these insights” with their community members. According to the blockchain security firm, all of these contracts “share three code-based features that enable the developers to rugpull.”
A rug pull occurs when app developers siphon off the investors’ funds and (usually quite abruptly) abandon the project after a very large amount is allocated to the fake crypto or DeFi project. These projects are typically launched by entities with malicious intent.
1. Infinite Supply
As noted in the report:
“By calling the function rewardHolders(uint256 amount) external onlyOwner, the address that created the contract has the power to give itself an unlimited number of tokens on top of the already circulating supply. This means that the owner can mint as many tokens as they like and then sell them all on the open market, making a profit at the expense of everyone else holding the token.”
2. Blacklisting
As mentioned in the update from CertiK, the contract owner has the “power to whitelist or blacklist all addresses.” Using the function includeInReward(address account) external onlyMaster, the owner can “set an address — or multiple addresses — that is allowed to transfer tokens.”
If _marketersAndDevs[sender] and _marketersAndDevs[recipient] “are both false, the transfer will not succeed.”
3. Limited Selling
The report further noted that “selling is restricted using the canTransfer function.”
This means that tokenholders are “unable to sell their tokens on PancakeSwap or other DEXs where the asset is purportedly traded.”
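As an added illustration (not CertiK's code or tooling), the following Python heuristic flags the three patterns described above in Solidity source. The contract it scans is constructed for the example, and the detection rules (privileged modifier names, mapping lookups on sender/recipient inside a require, calls to canTransfer or checks against a DEX pair address) are assumptions about how such code is typically written, so a hit is a review lead rather than proof.

```python
import re
# Constructed sample, not any real project's code; it echoes the function
# names quoted in the article (rewardHolders, includeInReward, canTransfer).
SAMPLE_CONTRACT = """
contract SuspiciousToken {
    mapping(address => bool) private _marketersAndDevs;
    function rewardHolders(uint256 amount) external onlyOwner {
        _mint(msg.sender, amount);  // owner mints with no supply limit
    }
    function includeInReward(address account) external onlyMaster {
        _marketersAndDevs[account] = true;
    }
    function canTransfer(address from, address to) internal view returns (bool) {
        return to != pancakePair || _marketersAndDevs[from];
    }
    function _transfer(address sender, address recipient, uint256 amount) internal {
        require(_marketersAndDevs[sender] || _marketersAndDevs[recipient], "blocked");
        require(canTransfer(sender, recipient), "sell restricted");
        _balances[sender] -= amount; _balances[recipient] += amount;
    }
}
"""
PRIVILEGED = re.compile(r"\bonly(Owner|Master|Admin)\b")      # assumed modifier names
FUNC_HEAD = re.compile(r"function\s+(\w+)\s*\(([^)]*)\)([^{;]*)\{")
PARTY_LOOKUP = re.compile(r"\w+\[(sender|from|recipient|to)\]")  # mapping[party]

def _body(src, open_idx):
    """Text between the brace at open_idx and its matching closing brace."""
    depth = 0
    for i in range(open_idx, len(src)):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth == 0:
            return src[open_idx + 1:i]
    return src[open_idx + 1:]

def scan(src):
    """Return sorted (finding, function) pairs; a hit is a review lead, not proof."""
    findings = set()
    for m in FUNC_HEAD.finditer(src):
        name, mods, body = m.group(1), m.group(3), _body(src, m.end() - 1)
        if PRIVILEGED.search(mods) and "_mint(" in body:
            findings.add(("privileged-mint", name))        # unbounded owner mint
        if "transfer" in name.lower():
            for cond in re.findall(r"require\(([^;]*)\)", body):
                if PARTY_LOOKUP.search(cond):
                    findings.add(("address-gated-transfer", name))  # blacklist/whitelist
                if "canTransfer(" in cond or "pair" in cond.lower():
                    findings.add(("sell-restriction", name))        # DEX sell gate
    return sorted(findings)
```

Running `scan(SAMPLE_CONTRACT)` reports the privileged mint in rewardHolders and both transfer gates in _transfer, while a plain transfer function with no require on the parties produces nothing.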
The report from CertiK further revealed:
“Additionally, none of these 50 projects have more than 36 different sellers. The majority have only a single-digit number of wallets who have ‘sold’ tokens. Wallets that hold a large proportion of the supply are also a concern. Controlling a double-digit percentage of all tokens means that the price can be easily manipulated by that holder — usually to the downside.”
You may find the complete list of projects with these “code vulnerabilities,” along with the number of unique sellers and largest wallets for each, in CertiK's blog post.