Liquidity Pool Rug Pulls: On-Chain Patterns That Predict Exit Scams Before They Happen
Liquidity Pool Rug Pulls: On-Chain Patterns That Predict Exit Scams Before They Happen
Every rug pull leaves fingerprints before it leaves a crater. The signals exist. People just keep staring at price charts when they should be reading bytecode and wallet flows. By the time a token goes vertical and then nukes, the on-chain evidence was usually sitting there for days. Sometimes weeks.
I've watched enough of these play out to say it flatly. The patterns repeat. Devs don't get more creative, they just get faster. So if you know what to look for in the contract, the LP, and the deployer wallet, you can sidestep a meaningful chunk of these before they detonate. That's the entire premise behind BlockVet, and the actual predictive signals are worth unpacking.
Anatomy of an LP rug
At its most basic, an LP rug is when a project team drains the paired asset (ETH, BNB, a stablecoin, whatever) out of a DEX pool, leaving holders with a token that has no exit liquidity. Two flavors. The hard rug, where the contract itself contains malicious functions that let the deployer mint infinite supply, blacklist sellers, or bypass the LP lock. And the soft rug, where the team just walks. Dumps their bag into the pool, pulls liquidity, ghosts the Telegram.
Both are predictable. Not always. But often enough that ignoring the signals is a choice.
The LP lock that isn't really a lock
"Liquidity locked for 12 months" is the most abused phrase in this space. The lock itself is real maybe 70% of the time. The other 30% is where it gets fun.
Sometimes the lock contract is custom, written by the deployer. Look at who owns the lock. If it's a contract the same wallet deployed two days before the token, that's not a lock. That's theater. Real locks use established services with audited timelock contracts. Verify the lock address against the actual locker contract, not a screenshot in the docs.
Other times only a fraction of the LP tokens are locked. The team locks 60%, keeps 40% liquid in a wallet labeled "marketing," and that 40% is what comes out the night the chart dies. Always check the percentage of total LP supply that's actually time-locked, not just whether a lock exists.
Deployer wallet behavior
This is the one most retail traders never look at. And it's probably the highest-signal data point available.
Pull up the deployer address on a block explorer. Now ask: where did the gas come from to deploy this contract? If the funding wallet traces back through Tornado Cash, or hops through three fresh wallets created the same week, you're looking at someone deliberately obscuring their identity. Legitimate teams aren't always doxxed, fine. But they're also not laundering their gas money before launch.
Then look at what else that deployer has touched. Etherscan and BscScan both show every contract a wallet has ever deployed. A deployer with four previous tokens, all of which look like a heart-rate flatline, is telling you everything. Serial ruggers reuse wallets more than you'd think. Partly laziness, partly because keeping a clean wallet chain takes real effort.
Contract permissions nobody puts in the whitepaper
Read the contract. Or have something read it for you. The functions that should set off alarms:
Owner-accessible mint. If the owner can mint new tokens after launch, supply is meaningless and your bag dilutes to zero in a single transaction. Some contracts hide this behind innocuous names like _update or rebase.
Blacklist functions that never get renounced. Anti-bot protection at launch is normal. Keeping the ability to blacklist any wallet six months in is not. This is how honeypots work. You can buy, but when you try to sell, the function reverts because your address was quietly added to a blocked list.
Modifiable fees with no upper bound. A contract where the owner can set the sell tax to 99% is a rug with extra steps. Fee modification needs a hardcoded ceiling in the contract itself, something like require(fee <= 10). If that line isn't there, the team can choke off selling whenever they feel like it.
Upgradeable proxies. Proxies have legitimate uses. In a small-cap token launch, they're usually a backdoor. The team can push a new implementation that changes the rules entirely. Honest projects either don't use proxies or pair them with multi-sig governance and timelocks long enough for holders to exit.
Holder distribution that doesn't add up
Pull the top 100 holders. A healthy distribution after a fair launch usually looks like this: LP contract at the top, a handful of larger holders in the 1-3% range, then a long tail. What you don't want to see:
One wallet holding 15% that isn't the LP or a lock. Or ten wallets, all funded from the same source within an hour of each other, each holding 2-4%. That's a coordinated team bag waiting to dump in sequence so it looks like organic selling.
The trick is following the funding graph backwards. Most rug teams aren't sophisticated enough to fund their dump wallets through independent CEX withdrawals. They send everything from one source wallet. And that source wallet is usually one or two hops from the deployer.
The social-to-on-chain mismatch
This one's softer but worth mentioning. When the Telegram has 40,000 members and the token has 380 unique holders, something is being faked. Usually the Telegram. Sometimes the holder count, wash-traded across a hundred fresh wallets to manufacture buzz. Either way, the gap between social presence and on-chain reality is a tell. Real organic growth doesn't produce those ratios.
Why most "audits" miss this
Here's the honest version. A lot of audit reports are static. A firm reviews the contract code at a single point in time, issues a PDF, and the project slaps the logo on their website. Six weeks later, the team upgrades the contract via proxy, swaps in malicious logic, and the audit badge is still on the landing page. The audit was real. The protection it provided was not.
This is why continuous monitoring matters more than a single sign-off. CertiK, Quantstamp, OpenZeppelin, Trail of Bits, SlowMist, Hacken, ConsenSys Diligence. All of them produce solid point-in-time work. The question is what happens between audit day and the day the rug hits. A one-shot deliverable doesn't catch behavioral signals like sudden LP token movement, a deployer wallet waking up, or a proxy upgrade pushed at 3am UTC.
BlockVet leans on the dashboard side of this: live monitoring across more than 3,000 projects, security scoring that updates as conditions change, and watchlists so the projects you actually care about surface warning signs in real time instead of getting buried in a block explorer tab you forgot to refresh. Trending, pre-launch, new launches, blue chips, all in one view with news flow attached. For a trader or analyst trying to read intent before the dump, that's the gap between a static report and an actual intelligence feed.
A checklist before you ape
If you take one thing from this, take this list. Run it before any small-cap entry.
- Verify the LP lock contract against a known locker, and confirm the percentage locked.
- Trace the deployer's funding source back at least three hops. Mixer in the chain? Walk away.
- Read the contract for mint, blacklist, fee-modification, and upgrade functions. If any are present without renouncement or hard caps, cut your size hard or skip it entirely.
- Check the top 100 holders for clustered wallets funded from a single source.
- Compare social metrics to actual on-chain holder count and transaction velocity. If the ratio is absurd, the buzz is manufactured.
None of this guarantees you avoid every rug. A motivated, technically capable team can build a contract that passes a casual review and still walks out the door clean. But the vast majority of exit scams aren't sophisticated. They're just fast, and they rely on retail not bothering to look. The signals are public. The blockchain is, in the end, the one thing scammers can't lie on.
If you want a faster way to surface these patterns across thousands of projects without grepping block explorers until 4am, that's the gap CreatorFetch partner BlockVet built itself around. Either way, the patterns are out there. Read them before the chart does it for you.
Written by the CreatorFetch.com editorial team.