A CertiK security analysis has uncovered more than 50 DeFi and NFT projects with critical vulnerabilities. We feel obligated to share these insights with our community.
All of these contracts share three code-based features that enable the developers to rugpull.
- Infinite Supply
By calling the function rewardHolders(uint256 amount) external onlyOwner, the address that created the contract has the power to give itself an unlimited number of tokens on top of the already circulating supply. This means that the owner can mint as many tokens as they like and then sell them all on the open market, making a profit at the expense of everyone else holding the token.
2. Blacklisting
The contract owner has the power to whitelist or blacklist all addresses. Using the function includeInReward(address account) external onlyMaster, the owner can set an address — or multiple addresses — that is allowed to transfer tokens. If _marketersAndDevs[sender] and _marketersAndDevs[recipient] are both false, the transfer will not succeed.
3. Limited Selling
Selling is restricted using the canTransfer function. This means that tokenholders are unable to sell their tokens on PancakeSwap or other DEXs where the asset is purportedly traded.
Additionally, none of these 50 projects have more than 36 different sellers. The majority have only a single-digit number of wallets who have “sold” tokens.
Wallets that hold a large proportion of the supply is also a concern. Controlling a double-digit percentage of all tokens means that the price can be easily manipulated by that holder — usually to the downside.
You can find the full list of projects with these code vulnerabilities along with the number of unique sellers and largest wallets below.
