5 Red Flags That Signal a Crypto Rug Pull

A rug pull happens when a crypto project's developers abandon it after draining investor funds. It is the most common type of crypto scam, and it has cost investors billions of dollars in the last few years alone.

The good news is that most rug pulls leave warning signs in the smart contract code. Here are five red flags you should check before putting money into any token or DeFi protocol.

1. Unverified Source Code

This is the single biggest red flag. When a smart contract's source code is not verified on Etherscan, it means nobody can read what the contract actually does.

Legitimate projects verify their source code so anyone can inspect it. If a project refuses to do this, there is almost always a reason — and that reason is rarely good.

The Squid Game token (SQUID) in 2021 is a perfect example. Investors poured $3.3 million into an unverified contract. When the developers pulled the rug, there was no way to have seen it coming by reading the code — because the code was hidden.

2. Owner Can Mint Unlimited Tokens

Some contracts give the owner a mint function with no cap. This means the project creator can generate unlimited new tokens at any time, instantly diluting the value of every token you hold.

This is different from a controlled token emission schedule. A legitimate project might mint new tokens on a fixed schedule for staking rewards. A rug pull contract gives one wallet unrestricted minting power.

3. No Liquidity Lock

When a token launches on a decentralized exchange, the developers provide initial liquidity — the pool of tokens and ETH that allows trading. If that liquidity is not locked, the developers can withdraw it at any time, making the token untradable.

This is the classic rug pull mechanic. The project hypes the token, people buy in, the price rises, and then the developers remove the liquidity. The token's price goes to zero and holders cannot sell.

Always verify that liquidity is locked through a service like Unicrypt or Team Finance. If a project claims locked liquidity but cannot provide a verifiable lock transaction, treat it with extreme suspicion.

4. Concentrated Token Holdings

When a small number of wallets hold a large percentage of the total supply, those wallets can crash the price at any time by selling. This is called a "whale dump" and it is often coordinated by the project team using multiple wallets.

Some projects try to hide concentrated holdings by splitting tokens across dozens of wallets. Blockchain analysis tools can trace these connections, but most retail investors do not check.

5. Anonymous Team With No Track Record

Anonymity is part of crypto culture, and some legitimate projects have anonymous founders. But when anonymity is combined with the other red flags on this list, it dramatically increases risk.

A team with no verifiable identity, no prior projects, no GitHub history, and no public reputation has nothing to lose by pulling the rug. There are no consequences because there is no one to hold accountable.

Look for team members with LinkedIn profiles, GitHub contributions, or a history of involvement in other crypto projects. A doxxed team is not a guarantee of legitimacy, but it raises the cost of scamming significantly.

How to Protect Yourself

No single red flag means a project is definitely a scam. But multiple red flags together should make you very cautious. The more boxes a project checks on this list, the higher the risk.

The fastest way to check a contract is to run it through an automated scanner. CryptoShield AI analyzes verified Ethereum contracts for centralization risks, dangerous permissions, and common vulnerability patterns — instantly and for free.