Rug Pull
A scam where project developers abandon a protocol and steal user funds. Common in unaudited DeFi projects. Always verify audit reports, team identity, and TVL history before depositing.
Developers launch a lending or liquidity protocol, attract deposits, then drain the treasury and disappear. That's a rug pull. The name comes from the image of yanking a rug out from under someone — one moment you have footing, the next you're on the floor with empty pockets.
For anyone depositing funds into a DeFi lending pool, this isn't an abstract threat. Your capital is only as safe as the code holding it — and the people who wrote that code.
How It Works
Most rug pulls follow a predictable script. Developers deploy a smart contract, advertise eye-catching yields — sometimes 200% APY or higher — and let deposits accumulate. Once TVL (total value locked, the sum of all deposited funds) reaches a target, they trigger a hidden backdoor function and transfer everything to their own wallets.
The backdoor is usually baked in at launch. It might be an admin key with unlimited withdrawal rights, a minting function that lets developers create infinite tokens and dump them, or a liquidity pool where developers hold 90% of the LP tokens and can drain the pool in a single transaction.
Speed is the weapon. A smart contract can execute a full drain in seconds. By the time on-chain alerts fire and users notice the token price collapsing, the funds are already moving through a mixer. There's no dispute resolution, no fraud department, no chargeback.
Why It Matters
Rug pulls hit lending protocols especially hard because depositors aren't trading — they're trying to earn yield safely. A borrower who posted collateral loses that collateral. A lender who deposited stablecoins loses the principal. The loss is total and usually unrecoverable.
What is DeFi?
Decentralized Finance — financial services built on blockchain smart contracts that operate without intermediaries. DeFi lending allows users to lend and borrow directly through protocols rather than banks.
Bill's Take
In 25 years of mortgage lending, the closest parallel I saw was mortgage fraud — a broker who originates a loan with fabricated documents, collects the fee, and leaves the lender holding a worthless note. The mechanics differ, but the pattern is identical: someone in a position of trust exploits information asymmetry to steal. The difference in DeFi is there's no regulator, no E&O insurance, and no courthouse to file in.
What to Watch
The most dangerous rug pulls look legitimate on the surface. A slick UI, a white paper, even a partial audit — none of that guarantees safety if the audit didn't cover admin key privileges or token minting functions. Anonymous teams aren't automatically fraudulent, but an anonymous team with unaudited admin controls is a serious red flag.
Three things worth checking before depositing: whether the smart contract has been audited by a reputable firm (and whether the audit specifically reviewed admin functions), whether liquidity is locked or time-locked so developers can't drain it instantly, and whether the TVL history shows sudden large inflows — that pattern sometimes signals a coordinated pump before an exit.
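The checks above can be partly scripted once you have the contract's ABI, the LP token holder list, and a TVL series. The sketch below is an added example, not code from this page or from any protocol. The name patterns, the thresholds, the addresses, and all sample data are constructed assumptions, and a name match only tells you which functions to look up in the audit report.

```python
import re

# Assumed name heuristics; a match means "look this up in the audit", not proof.
PRIVILEGED = re.compile(r"mint|emergency|withdrawall|sweep|owner|upgrade|migrate", re.I)

def privileged_functions(abi):
    """State-changing ABI functions whose names suggest admin, mint or drain rights."""
    return sorted(e["name"] for e in abi
                  if e.get("type") == "function"
                  and e.get("stateMutability") not in ("view", "pure")
                  and PRIVILEGED.search(e["name"]))

def unlocked_lp_share(holders, lock_addresses):
    """Fraction of LP tokens not held by a lock or timelock contract."""
    total = sum(holders.values())
    locked = sum(v for a, v in holders.items() if a in lock_addresses)
    return (total - locked) / total if total else 0.0

def inflow_spikes(tvl, factor=2.0):
    """Indexes where TVL grew by more than `factor` versus the previous sample."""
    return [i for i in range(1, len(tvl)) if tvl[i - 1] > 0 and tvl[i] > factor * tvl[i - 1]]

def triage(abi, holders, lock_addresses, tvl, max_unlocked=0.5):
    flags = []
    priv = privileged_functions(abi)
    if priv:
        flags.append("check audit coverage of: " + ", ".join(priv))
    share = unlocked_lp_share(holders, lock_addresses)
    if share > max_unlocked:
        flags.append(f"{share:.0%} of LP tokens are not locked")
    spikes = inflow_spikes(tvl)
    if spikes:
        flags.append(f"sudden TVL inflow at sample(s) {spikes}")
    return flags

# Constructed sample data (placeholder addresses, not from any real protocol).
SAMPLE_ABI = [
    {"type": "function", "name": "deposit", "stateMutability": "nonpayable"},
    {"type": "function", "name": "withdraw", "stateMutability": "nonpayable"},
    {"type": "function", "name": "balanceOf", "stateMutability": "view"},
    {"type": "function", "name": "emergencyWithdrawAll", "stateMutability": "nonpayable"},
    {"type": "function", "name": "mint", "stateMutability": "nonpayable"},
]
SAMPLE_HOLDERS = {"0xDEV": 900, "0xLOCK": 50, "0xUSER": 50}
SAMPLE_TVL = [100_000, 120_000, 130_000, 900_000, 950_000]

if __name__ == "__main__":
    for flag in triage(SAMPLE_ABI, SAMPLE_HOLDERS, {"0xLOCK"}, SAMPLE_TVL):
        print(flag)
```

An empty result does not clear a protocol: privileged logic can sit behind an innocuous function name or a proxy upgrade, so the audit report still has to be read.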
Audits Have Limits
A completed audit is not a guarantee. Auditors review the code they're shown — they can't audit intent. Some rug pulls have occurred on audited protocols where developers retained privileged admin keys the audit flagged but didn't require to be removed. Read the audit report, not just the badge.