So I was just rug pulled by a yield farming project on the Fantom Opera Chain. “Rug pull”? That’s crypto slang for: a project team ran away with the money of their project.
When I entered the DeFi space, I kept hearing that term. As most developers are anonymous in crypto, there is a lot of trust involved. Especially when you put your money into other people’s websites. So what exactly is a rug pull?
As many projects like yield farms or yield aggregators are open source, they can quite easily be copied and that means there can be low-effort versions of existing sites, often putting minimal effort into the project. This can be due to lack of knowledge or in the case of a rug pull - with malicious intent.
There are many ways to scam people and run away with their money. Developers can for example set up a copy of a yield farm with special methods that allow them to access the user's funds. In a security audit such backdoors would most likely be found but with new farms popping up left and right sometimes people don’t want to wait for an audit.
But back to my story. The project that rugged me was a clone of the well known autofarm from Binance Smart Chain. Autofarm was actually the first project I got into when I started my DeFi journey on BSC. As Fantom Opera and Binance Smart Chain are both Ethereum Virtual Machine (EVM) compatible, it is quite easy to copy existing projects over.
I was following the project for a bit: I joined their Telegram Group very early, started farming in the pools when the native token that you earned while your farms here auto-compounding was printed like crazy and worth quite a bit. They had an active community, everything was looking good.
During the big Bitcoin crash in May the price of the token dropped quite a bit like everything else in DeFi or even whole crypto but they kept adding farms and fixing problems so I trusted that even the native token might recover. But I also noticed that I had some doubts in the back of my head. New farms popped up and I moved my funds to other platforms.
Then one day they started a marketing campaign which was supposed to take a whole week to celebrate the start of another farm (Waka Swap). They had some new, boosted pools with even higher returns and started to track the Total Value Locked (TVL) in these new pools to burn some tokens whenever a new milestone was reached.
Luckily I was not on the computer that day, these new boosted farms would’ve looked very promising for me. I was just farming their native token in a pool and waiting for the price recovery. Trying to claim my rewards I went to their website just to be greeted with the “This site can’t be reached”. At first I thought something must be wrong with my internet but I soon realized their site was down.
I went to check their Telegram - but the group was now private! Their twitter was deleted. I still gave them the benefit of the doubt. Maybe they were hacked? In hindsight I was super naive but I also knew I had to get the funds I still had with them. Fortunately, I had read about these scenarios and even without the website you could interact with the smart contracts.
Vfat.tools entering the stage. Yes, that handy tool is a link already. Vfat.tools deserves their own article but in short they are an open source project which provides an alternative frontend to most yield farms on most blockchains. Yeah that’s right, they cover BSC, Fantom, Avalanche, Tron, Heco, Polygon and some more I never even heard off!
Not only can you see all the available pools but you can even interact with the contracts: Staking, Unstaking and even claiming your profits. Also, the site calculates your Daily, Weekly and Yearly profits rates (APR). I tried to unstake my LP tokens, but it didn’t work. This was really looking grim, I waved goodbye to some of my funds already, mentally.
But I knew you could also interact with the contract directly through the Block explorer, ftmscan.com in this case. It allows you to call the smart contract methods directly. So I got the smart contract address, went to Ftmscan and looked for the “emergencyWithdrawl” function.
Now that function is expecting an input in the form of a number, which is the pool id. I found out that this is unique for everyone and that vfat.tools gives you exactly your id for every pool. With that I was able to withdraw my LP tokens and get out of my first rug pull with just a few scratches and some lessons learned:
- Don’t let greed and big returns get into your way
- Never invest funds you are not willing to lose in un-audited projects
- Trust your gut when it comes to new projects. If it feels low effort, it most likely is and there will be much better projects out there.
Have you ever been rug pulled? Let me know in the comments.
Until next time!
None of this is financial advice. Please always do your own research.
If you would like to support my work, consider using the following affiliate links:
Start earning dividends on your crypto - create an account with CakeDefi today, get $30 for depositing funds worth $50!
SignUp for a free publish0x account and start earning crypto for reading or writing!
Register with Binance* the biggest Exchange by volume and save 10% off trading fees forever!
1INCH Router* - Dex Router/Aggregator for lowest slippage on ETH, BSC & Polygon