Anti Scam & Rug pull Guide

The crypto world is full of opportunity. Especially among new tokens with smaller marketcaps, the upside potential is often much larger than that of BTC or ETH. Everyone hopes to find the next Dogecoin that will x100 within a month.

However, there is also a lot of risk to consider when investing in smaller projects. Many projects seem very promising at first, but turn out to be a scam just days later. The smart investor always applies DYOR - Do Your Own Research before investing.

But what do you need to look out for when DYOR? How can you avoid common scams and rug pulls when investing?

This document will show you a few tips & tricks that you can apply to avoid many scams that happen every day. Even when applying these tips, investing is not risk free - but after reading this, you will spot and avoid scams much faster.


1. Smart Contract Scan

Tokens (BEP-20, ERC-20 etc) are essentially smart contracts that you interact with. These smart contracts contain the logic of the token such as the transaction tax system, swap protocol and total supply.

Scam contracts can be detected with tools like http://www.bscheck.eu. They look for common scams and issues like:

  • Honeypot code - you can buy but you can’t sell
  • Contract owner - is the ownership renounced? If not, the owner can modify the smart contract later on, introducing new potential scam code.
  • Dev wallets info - do the devs hold a lot of coins? They could dump on the market and clear all liquidity.
  • LP (liquidity) info - is liquidity burned? Does the dev still own the LP tokens? If so, that’s bad because they can pull the liquidity any time.
  • Top token holders - are there big whales with a high % of tokens? They could instantly dump the entire token value.

If any of these issues arise, please proceed with caution, or avoid the project altogether. Another good source to check is https://tokensniffer.com which will also do a small automated contract audit.

Example scam result from bscscan.eu


2. Rugpulls - Analyzing Locked Liquidity

From what I’ve seen, rug pulls are the most common scam. A Rug pull is when the liquidity of a token traded on a DEX like Uniswap or PancakeSwap is “pulled” away. This results in investors being unable to buy or sell the token, making the token worthless.

Token devs have two options of eliminating the chance of pulling away liquidity: by burning or locking. But first it’s good to understand, in short, how liquidity works.

Liquidity can be provided by anyone but is often done by the token developers. For example: for the token pair BNB/SAFEMOON, the SafeMoon developers can send a bunch of BNB + SAFEMOON to PancakeSwap to provide liquidity. When users trade on PancakeSwap, they either add some BNB and get SAFEMOON in return (they buy SAFEMOON with BNB), or they add some SAFEMOON and get some BNB in return (they sell SAFEMOON with BNB).

So this liquidity is required for anyone to trade on a DEX like PancakeSwap and Uniswap. When liquidity is provided, the provider gets LP tokens in return. These tokens are the “proof” that they own a portion of the liquidity pool, and they can exchange these LP tokens for their stake in the liquidity pool, so in our example they could get BNB + SAFEMOON in return.

Now just think about what would happen if the liquidity provider would no longer have access to the LP tokens, then the liquidity cannot be removed, and investors can keep trading.

Burning LP tokens
The most secure and trustworthy way for token developers is when they burn their LP tokens to a burn address. A burn address for example that is often used is 0x000...00dEad. You can ask the developers for the transaction of LP tokens to this (or similar) address as proof. This way they cannot redeem their LP tokens and take away liquidity.

Locking LP tokens
Another option for the token developers would be to temporarily lock their LP tokens into a smart contract, so for example they cannot access it for 6 months. For example, you can see https://deeplock.io/safe to see tokens that use the DeepLock liquidity locker, what % of the token supply is locked and for how long. Ask the token devs of the token you are researching about their locked liquidity, they should be able to provide proof.

The DeepLock LP token locker


3. Investigate Website, Social Channels

On https://coinbuzzer.me, you can see all the social channels of a project. Have a look at the project’s website, see if all the information like smart contract matches with their other channels. Scams often put less effort into a good looking website with a lot of information than real projects. If the website is just one page with the smart contract and a telegram link, be careful.

Next, check the Telegram group, Twitter account, potentially Discord server and Reddit activity. Is there a lot of interaction? Does the Telegram group have a decent amount of users online compared to total users in the group? Low users online could indicate that a lot of bots fill up the Telegram group to “appear” active. Same goes for Twitter, if they have a lot of followers but hardly any interaction on their tweets, also be careful.


4. CoinGecko / CoinMarketCap / Exchanges Listings

When CG, when CMC? This is often asked in Telegram groups of tokens. CoinGecko and CoinMarketCap have their own listing process and requirements. Often they take a few days or weeks to list tokens. Even though some scams are listed, CoinGecko and CoinMarketCap listings can be a decent indicator of legitimacy of a project. You can easily see if a project is listed on CoinGecko or CoinMarketCap on coinbuzzer.me: just look for the icons of the two websites.

Exchanges have even stricter listing requirements than statistics websites. If a project is listed on gate.io for example, the chances of it being a scam decrease further. The more listings, the more legitimacy a project has.

Look for the CoinGecko and CoinMarketCap icons on CoinBuzzer.


5. Security Audits

As you can see, there is a lot that you need to check. Smart contracts can be really hard to read, and scams can be well hidden. Luckily, there are companies like https://techrate.org/ that provide a paid service of checking smart contracts. Here you can find all the smart contract audits that they did: https://github.com/TechRate/Smart-Contract-Audits.

Look for security audits of companies like these and verify they are real. This adds a lot of legitimacy to the project, and takes away a lot of scam opportunities via the smart contract.

Audits by companies like TechRate add a lot of legitimacy to a project.

6. Doxxed devs

“Doxxed” means that someone’s identity has been exposed. Although often used in a negative way, in cryptocurrency doxxed developers is a good thing. This means that the token developers exposed their real identities and their faces, and can be a sign of trust. Be careful however, they could be using fake identities.


7. Use Your Common Sense

In the end, a project can check all the boxes, but can still end up being a scam. Please be careful when investing and use your common sense. If something seems too good to be true, like a project promising 100% BNB returns within a week, if often is too good to be true.


This can all be hard to remember. That’s why we have created the ultimate anti-scam, anti-rug pull checklist to help you invest safely. But please note, this is not a 100% guarantee against scams.

Thanks for reading, be careful when investing, and have a great day!

Matt
Owner, CoinBuzzer.me