One Project to Rug Them All: How Lord of the Rings Stole $185k

In a nasty hard rug, LOR Finance stole a large sum of money by luring in players with its colorful graphics and game features. Find out how in this article.

A new project called Lords of the Ring Finance (lor.finance) recently hard rugged most of its users: they not only stole the tokens staked in the platform, they also pulled tokens directly from user wallets wherever a user had approved their contract.

How did they do it and how can we avoid situations like this in the future?

In this article, I will share what I found by digging into this rug, and give some recommendations on how we can be more prepared against similar scams in the future.

LOR’s Strategy

It is easy to understand why LOR Finance became so successful so quickly, ultimately allowing them to steal over $185,000 in BUSD in a matter of hours as of the time of this writing:

1. They entered the market on July 19, 2021, when gaming NFTs on DeFi were at an all-time high, offering a Play to Earn (P2E) project with fun NFTs, interesting gameplay, and nice graphics. Altogether, they hit every trendy hype button people were looking for.

2. Their website design was excellent and they created several quality NFT graphics for their Marketplace. Hopefully the website (https://lor.finance/) is still up by the time you read this article, so you can see that good design and a quality UI have no correlation with the design or quality of the underlying project. This team either hired an excellent web developer or was skilled in graphics and web design themselves, and was able to create a pleasant-looking and functioning UI with multiple unique NFTs in their Marketplace.

3. They listed doxxed team members who were later discovered to be fake, as all the “released” LinkedIn bios had been created around the same dates in June 2021. It is critical to understand how easy it is to create “doxxed” documents and that a “doxxed” dev does not mean a safe dev. A “dox” may not be a real dox at all. It takes no more than a few minutes to create a fake LinkedIn page. Always ask for actual proof of identity, such as KYC through a reliable provider.

4. They listed many fake partners

Fake partners listed on the LOR website

The team at RugDoc tried to Google some of these lesser-known partners, but we were unable to find any proof that they existed at all. It seems that some of these logos were created with a basic design program for companies that do not actually exist.

Again, don’t be fooled by a good-looking website and graphics, as people can write or design anything they want online. It’s up to you, the user, to figure out the truth by investigating it yourself: even if these companies are real, it is easy to fake a logo or simply claim a partnership that does not exist. Always ask for official announcements or statements regarding claimed partnerships!

5. Their Telegram group (https://t.me/LOR_NFTChat) was created on July 19, 2021, and boasted roughly 13K members at the time of this writing. The groups have since been muted, once people suspected something was wrong. A large group does not mean a project is secure. A good rug will employ charismatic leadership to draw people in, or even throw money into promoting the project through influencers and upvotes on Reddit. A team can also simply buy bots to make a group appear popular.

6. LOR lured in users with NFTs, nice graphics, and a free loot box. LOR advertised a free loot box with NFTs inside for new users, which required a contract interaction that did not ask for approval to spend tokens. By making the first contract interaction a “safe” one from a free giveaway, they boosted user confidence and trust in their project. It was also just great advertising! By offering new users free items and NFTs, they encouraged people to go deeper into the game, spend more money, and sign more contract interactions.

LOR free chest items and NFTs

How Did LOR Finance Rug?

LOR was able to rug via 2 contracts (both contracts are unverified, which means the public cannot read the source code to determine what is written inside):

1. IDO CONTRACT

https://bscscan.com/address/0x012cb50391cbdb0bf1d9520c4b71d33b51eb2116

LOR token transaction screen

When interacting with the LOR IDO contract, users encountered an approval similar to the screenshot above. The contract users interacted with asked for approval to spend an almost unlimited amount of BUSD from their address. This approval is similar to the one encountered on most yield farms (which is important to keep in mind when granting approvals to ANY new contract); however, trustworthy projects generally come with the backing of solid audit results from reputable companies, and all of their contracts are verified for the public to see.

NEVER INTERACT WITH UNVERIFIED CONTRACTS! Verifying a contract on the explorer is a VERY easy process, so when the public is unable to read the code of a smart contract, it is generally because the project is trying to hide something.
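The approval prompt described above is an ordinary ERC-20/BEP-20 `approve(address,uint256)` call, and the wallet's "hex data" view shows its raw calldata. The following is an added example, not code from the RugDoc article or from LOR Finance, that decodes that calldata so the spender and the amount can be read before confirming. The two calldata strings are constructed for the example (the spender is the LOR IDO address quoted above), and the 2^128 "unlimited" threshold is an assumption chosen to be larger than any real token supply.

```javascript
// Added example, not code from the RugDoc article or from LOR Finance.
// Decodes the raw calldata of an ERC-20/BEP-20 approve(address,uint256) call,
// which is exactly what a wallet prompt like the one above carries, so the
// spender and the amount can be checked before signing.
// Uses only Node's built-in BigInt; no network access needed.

const APPROVE_SELECTOR = "095ea7b3";   // first 4 bytes of keccak256("approve(address,uint256)")
const MAX_UINT256 = (1n << 256n) - 1n; // the value wallets display as "unlimited"
const UNLIMITED_THRESHOLD = 1n << 128n; // assumption: no token has 2^128 base units, so this is unlimited in practice

// Split "0x" + 4-byte selector + 32-byte spender word + 32-byte amount word.
function decodeApprove(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  if (hex.length !== 8 + 64 + 64) throw new Error("unexpected calldata length for approve()");
  if (hex.slice(0, 8) !== APPROVE_SELECTOR) throw new Error("not an approve(address,uint256) call");
  const spenderWord = hex.slice(8, 72);
  const amountWord = hex.slice(72, 136);
  // An address is 20 bytes, left-padded with 12 zero bytes inside the ABI word.
  if (!/^0{24}[0-9a-f]{40}$/.test(spenderWord)) throw new Error("malformed spender word");
  return { spender: "0x" + spenderWord.slice(24), amount: BigInt("0x" + amountWord) };
}

// Classify the allowance size the way a cautious user should read it.
function classifyAllowance(amount) {
  if (amount === 0n) return "none";
  if (amount >= UNLIMITED_THRESHOLD) return "unlimited";
  return "limited";
}

// Render a raw amount in token units (BUSD uses 18 decimals).
function formatUnits(amount, decimals = 18) {
  const base = 10n ** BigInt(decimals);
  const whole = amount / base;
  const frac = (amount % base).toString().padStart(decimals, "0").replace(/0+$/, "");
  return frac ? `${whole}.${frac}` : `${whole}`;
}

// Everything a user needs to see before clicking "Confirm".
function inspectApproval(calldata, decimals = 18) {
  const { spender, amount } = decodeApprove(calldata);
  return { spender, amount, formatted: formatUnits(amount, decimals), risk: classifyAllowance(amount) };
}

// Constructed sample 1: approve the LOR IDO contract (address quoted in the
// article) for the maximum uint256, i.e. the "almost unlimited" prompt users saw.
const SAMPLE_UNLIMITED =
  "0x095ea7b3" +
  "012cb50391cbdb0bf1d9520c4b71d33b51eb2116".padStart(64, "0") +
  "f".repeat(64);

// Constructed sample 2: same spender, but capped at 50 BUSD (50 * 10^18 = 0x2b5e3af16b1880000).
const SAMPLE_LIMITED =
  "0x095ea7b3" +
  "012cb50391cbdb0bf1d9520c4b71d33b51eb2116".padStart(64, "0") +
  "2b5e3af16b1880000".padStart(64, "0");

for (const [label, data] of [["unlimited prompt", SAMPLE_UNLIMITED], ["capped prompt", SAMPLE_LIMITED]]) {
  const r = inspectApproval(data);
  console.log(`${label}: spender ${r.spender}, amount ${r.formatted} BUSD, risk ${r.risk}`);
}
```

The point of the check is the `risk` field: a prompt whose amount decodes to `unlimited` for a spender that is not verified on the explorer is exactly the situation the IDO contract exploited, and the safe response is to either reject it or edit the amount down to what the transaction actually needs.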

Here in the IDO contract, you can see a wallet send 50,000 BUSD to receive 500,000 LOR:

https://bscscan.com/tx/0x73daa2ae0cc642aacee3acd83643bfd4c68f17e3391dbbe7c4008abd254b3774

Then, 3 minutes later, a new wallet called the LOR IDO contract to drain all of the BUSD from the wallet that had approved the LOR IDO contract:

https://bscscan.com/tx/0x24698dfcc702d80c4cbc6f3c6465fae7f97a8c31bbd81a1f7bd22cf50109193b

This caller already held roughly 100,000 BUSD at the time of this writing and is poised to steal more from wallets that granted approval to this unverified rug contract.

This caller address is the address that initially stole BUSD from user wallets; the stolen BUSD was subsequently transferred out to multiple wallets, which passed the funds through and off chain.

https://bscscan.com/address/0x8ec304500c10e5fffffca58be10b1c223ffc6446

2. PREMIUM LOOTBOX CONTRACT

https://bscscan.com/address/0x4ccbff21b1ba0b971c8ad5283087ab0c86d27420

LOR premium chest lootbox

As can be seen above, once a user interacts with the free Lootbox contract, they are shown a screen offering a Premium Chest for 10 BUSD, which tempts the user with the chance of randomized higher-tier rewards. To purchase one of these Premium Chests, the user is again asked to approve the contract to spend an almost unlimited amount of BUSD. Like the IDO contract, the LootBox contract is unverified, so we don’t know which specific function they called to drain BUSD from user wallets. It could be something as basic as a transfer or migrator function.

Example of the team calling the LootBox contract to drain a wallet:

https://bscscan.com/tx/0xbb198a24f62cbf76762dd8dc28a5c00d677d7926d969f48f3853ad66a2f7c130

The wallet this contract drained funds into:

https://bscscan.com/address/0x041FBd6b1442DA0B8199bBbC33587443e2CEB162#tokentxns

At the time of writing, this contract has drained roughly 185K USD.

How Can We Avoid Scams Like This?

I’m just another anon degen out in the Wild West of DeFi, but here are some general guidelines I follow to avoid scams:

1. NEVER TRUST A PROJECT BASED ON A BEAUTIFUL WEBSITE, GRAPHICS, STICKERS, ETC.

Anyone can hire a good graphics team to create a nice-looking trap, and more professional, organized scam teams employ talented web developers who can build a pleasant interface to lure victims in. Just because a project looks like it took effort and skill to create does NOT mean it is trustworthy!

2. IF YOU WANT TO GET INTO A NEW PROJECT, CREATE A NEW BURNER WALLET AND CHECK THE CONTRACTS YOU’RE GOING TO INTERACT WITH. ALWAYS START BY DEPOSITING A SMALL AMOUNT, OR SET THE PERMISSIONS TO ONLY SPEND THE AMOUNT YOU WANT TO.

I always stake a small amount of LP first to make sure deposits work and to verify the contract I am interacting with. You can check out this article on how to check your contract interactions (https://wiki.rugdoc.io/docs/how-to-check-your-contract-interactions/), and I recommend always double-checking that you are interacting with the contract you intend to and that the contract is verified.

3. NEVER INTERACT WITH UNVERIFIED CONTRACTS

An unverified contract on Binance Smart Chain

If you see something like the image above when you look up the contract, GTFO. An unverified contract means ANYTHING can be inside, and NO ONE knows exactly what! Since it is so easy to verify contracts on most explorers, the only reason a project keeps its contracts unverified is to prevent the public from knowing what the contract does, which is usually the sign of a scam waiting to happen.

4. ALWAYS READ THE AUDIT REPORT

Audits are just reports of findings within the code, and most audits only check code functionality; they are not an assurance of user security. However, most audit reports will point out, even if the language is vague, what functions a contract contains and what permissions the team has. Read the report thoroughly and understand the risks you’re taking.

5. ALWAYS CHECK WHAT YOU ARE GIVING APPROVAL TO

Not everything is as bleak as it looks: these contracts, no matter how malicious, can only drain tokens a user has approved them to spend. This is why it is SO important to always check what approvals you are agreeing to when you sign a transaction.

6. ALWAYS REVOKE APPROVALS FOR CONTRACTS YOU ARE NO LONGER USING

Revoke approvals often and regularly! A rug contract can drain tokens directly from your wallet weeks or months after a rug has happened, long after you have forgotten about it! Revoking may not be necessary if your approvals are only for large, established projects like PancakeSwap or SushiSwap, but I always revoke approvals when I leave newer projects, as an added layer of security. Check out this article on how to revoke approvals: https://wiki.rugdoc.io/docs/how-to-revoke-permissions/
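Points 5 and 6 together amount to a small audit: list the allowances a wallet has granted, decide which ones are risky, and send an `approve(spender, 0)` to the token contract for each of them, since on ERC-20/BEP-20 tokens a revocation is simply a new approval with amount 0. The following is an added example, not code from the RugDoc article or from any project it names, that applies that policy to a constructed allowance list. The two LOR spender addresses are the ones quoted earlier in the article; every other address is a placeholder, the `spenderVerified` and `established` flags are assumed to come from the explorer's contract page and the user's own judgement respectively, and the 30-day staleness window and 2^128 "unlimited" threshold are assumptions.

```javascript
// Added example, not code from the RugDoc article or from any project it names.
// Audits a wallet's outstanding token allowances and builds the approve(spender, 0)
// transactions that revoke the risky ones. On ERC-20/BEP-20 tokens, revoking is
// just a fresh approve() call with amount 0, sent to the token contract.
// Uses only Node's built-in BigInt; the allowance list below is constructed.

const APPROVE_SELECTOR = "0x095ea7b3";           // approve(address,uint256)
const UNLIMITED_THRESHOLD = 1n << 128n;           // assumption: larger than any real token supply
const STALE_AFTER_MS = 30 * 24 * 60 * 60 * 1000; // assumption: 30 days unused counts as stale
const MAX_UINT256 = (1n << 256n) - 1n;

function padAddress(addr) {
  const hex = addr.toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]{40}$/.test(hex)) throw new Error(`bad address: ${addr}`);
  return hex.padStart(64, "0");
}

function padUint(value) {
  if (value < 0n || value > MAX_UINT256) throw new RangeError("uint256 out of range");
  return value.toString(16).padStart(64, "0");
}

// ABI-encode approve(spender, amount); amount 0n is a revocation.
function encodeApprove(spender, amount) {
  return APPROVE_SELECTOR + padAddress(spender) + padUint(amount);
}

// Reasons an allowance should go. `spenderVerified` is whether the explorer shows
// source code for the spender; `established` marks projects the user consciously
// keeps (the article's PancakeSwap/SushiSwap case).
function revokeReasons(a, now) {
  const reasons = [];
  if (!a.spenderVerified) reasons.push("spender contract is unverified");
  if (a.amount >= UNLIMITED_THRESHOLD && !a.established) reasons.push("unlimited allowance to a non-established project");
  if (now - a.lastUsed > STALE_AFTER_MS && !a.established) reasons.push("allowance unused for more than 30 days");
  return reasons;
}

// One entry per risky allowance: `to` is the token contract, `data` the revoke calldata.
function planRevocations(allowances, now) {
  const plan = [];
  for (const a of allowances) {
    const reasons = revokeReasons(a, now);
    if (reasons.length === 0) continue;
    plan.push({ to: a.token, spender: a.spender, data: encodeApprove(a.spender, 0n), reasons });
  }
  return plan;
}

// Constructed sample. The two LOR spender addresses are the ones quoted in the
// article; every other address is a placeholder, not a real contract.
const LOR_IDO = "0x012cb50391cbdb0bf1d9520c4b71d33b51eb2116";
const LOR_LOOTBOX = "0x4ccbff21b1ba0b971c8ad5283087ab0c86d27420";
const TOKEN_A = "0x1000000000000000000000000000000000000001";  // placeholder stablecoin
const TOKEN_LP = "0x1000000000000000000000000000000000000002"; // placeholder LP token
const DEX_FARM = "0x2000000000000000000000000000000000000001"; // placeholder established farm
const OLD_FARM = "0x2000000000000000000000000000000000000002"; // placeholder abandoned farm
const AUDIT_TIME = Date.UTC(2021, 6, 21);                      // constructed: 21 July 2021

const SAMPLE_ALLOWANCES = [
  { token: TOKEN_A, spender: LOR_IDO, amount: MAX_UINT256, spenderVerified: false, established: false, lastUsed: Date.UTC(2021, 6, 19) },
  { token: TOKEN_A, spender: LOR_LOOTBOX, amount: MAX_UINT256, spenderVerified: false, established: false, lastUsed: Date.UTC(2021, 6, 19) },
  { token: TOKEN_LP, spender: DEX_FARM, amount: MAX_UINT256, spenderVerified: true, established: true, lastUsed: Date.UTC(2021, 6, 20) },
  { token: TOKEN_A, spender: OLD_FARM, amount: 100n * 10n ** 18n, spenderVerified: true, established: false, lastUsed: Date.UTC(2021, 3, 1) },
];

for (const item of planRevocations(SAMPLE_ALLOWANCES, AUDIT_TIME)) {
  console.log(`revoke ${item.spender} on token ${item.to}: ${item.reasons.join("; ")}`);
  console.log(`  send to ${item.to} with data ${item.data}`);
}
```

Each planned entry is a transaction to the token contract, not to the spender, which is the detail people most often get wrong when revoking by hand; the established DEX farm is deliberately left alone, matching the article's advice, while both LOR contracts are flagged for being unverified and unlimited, and the forgotten farm is flagged purely for being stale.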

Okay, that’s it from me! I hope this article helped you understand how LOR rugged and what lessons we can all learn from it to stay safer in these crazy degen farms! Make sure to stay connected with our Telegram group to stay on top of the latest DeFi news.


Our mission here at RugDoc is to screen for hard rug code that results in 100% theft of ALL underlying funds for ALL participants.

This is the ONE part of the due diligence process that most people cannot simply do on their own, as it costs thousands of dollars to hire a senior Solidity developer to look over a farm for safety.

A project coin with terrible code can go up in price, and a project with good code and a good team can also go down in price.

Do NOT use our ratings as an indication of your likelihood of making money if you invest in a project. They refer ONLY to code safety.

Everything else beyond code safety is YOUR responsibility to go do research on. We just make sure the casino you’re betting in won’t rob you before you even get to place a bet.

Our reviews for projects are organized into a few colors.

🟢 Least Risk
These projects are the least likely to hard or soft rug. Usually reserved for cornerstone projects of an ecosystem where it makes no financial sense for them to rug in any manner as they make more money just being legit.

🔵 Low Risk
These projects are usually established projects in an ecosystem that have a track record of success or have KYC’d to us or other authoritative sources in the real world. As a result, it is extremely unlikely for them to soft rug or hard rug their projects. The projects can still fail and the token price can go down, but usually more as a result of natural market forces.

⚪️ Some Risk
This is the default rating for projects with unknown teams but have code that is unlikely to have hard rug risk. Since the team is unknown and doesn’t have a track record of success, it’s entirely possible that they may try to soft rug by dumping tokens, abandoning the project, etc. Even a last minute contract swap to a malicious contract is possible. The only thing that is unlikely is a complete hard rug as long as you are 100% sure you deposit into the contract we review.

🟠 Medium Risk
Similar to Some Risk, but the underlying code itself is custom enough or complex enough that it warrants an elevated risk rating that needs deeper research. Make sure you read every point presented to make sure you’re comfortable with that before entering. Still unlikely to hard rug, but more chances of custom code behaving incorrectly and causing other issues.

🔴 High Risk
Project contains code or practices that are HIGHLY LIKELY to lead to catastrophic losses as they are right now. Make sure you read the description carefully as we will always warn what these issues are. If you see the words Hard Rug anywhere in the review, STAY FAR AWAY!

⚫️ Not Eligible
We reserve the right not to review exceedingly complex projects that would require tens of thousands of dollars of senior security analyst man-hours. Typically these are projects that deal with leverage, lending, options, derivatives, and anything else that is overly complex and requires extensive peer review and audits from top audit companies.