I Got Sick of Getting Rugged, So I Built a Rug-Pull Detection Engine in Rust
Source: Dev.to
Source: Dev.to
TL;DR
I was tired of not knowing whether a token contract was about to drain my wallet. So I built Rugrat — a real‑time EVM smart‑contract scanner that analyzes deployed bytecode for rug‑pull patterns, runs on‑chain state checks, and scores risk across eight categories. It scans a contract in ~3 µs. No verified source code required. This is the story of why I built it and what I learned about adversarial smart contracts along the way.
# The Problem No One Talks About Honestly
> Here's the thing about crypto: everyone knows rug pulls happen.
> The stats are ugly — billions lost annually. But the tooling to detect them?
> It's either:
- **Too slow** – waiting 30 seconds for a scan while the liquidity drains.
- **Too dependent on verified source** – most scam tokens never verify on Etherscan.
- **Too shallow** – checking if `owner()` returns zero and calling it a day.
- **Too opaque** – “Risk Score: 78” with no explanation of *why*.
I’ve been burned a few times. Not life‑changing money, but enough to make me angry.
The anger wasn’t at the scammers — it was at myself for not understanding what I was looking at. I could read Solidity, kind of. But when someone deploys a contract with a hidden fee function that can be cranked to 100 % after launch? That’s not in the README.
So I decided:
> **I’m going to understand this problem deeply enough to build something that catches it.**Starting From Ground Truth
Before writing a single line of code, I needed data—not vibes or Twitter threads, but labeled, verified data.
- Collected datasets of confirmed malicious contracts and known benign ones from multiple research sources.
- Covered rug‑pull types such as unauthorized minting, balance leaking, transfer limits, and several categories of honeypot traps.
- Built offline tooling to analyze these corpora—computing precision and recall for dozens of pattern detectors against the labels.
What I Found
Some patterns are almost perfectly discriminative. A tradingEnabled boolean in the transfer path that the owner controls? Never appeared in a single benign contract in our dataset. The same applies to mutable max‑transaction amounts and anti‑whale logic that can be toggled by the deployer.
The first “aha” moment: rug pulls aren’t subtle. They’re structurally distinct. The patterns are there—you just need to look at the right level.
And that level isn’t Solidity source code; it’s the bytecode.
Why Bytecode? Why Not Source Code?
- Only ~30 % of contracts on Ethereum are verified on Etherscan.
Scam tokens almost never verify. - If your scanner requires source code, you’ve already lost the battle.
Bytecode analysis covers 100 % of deployed contracts.
Every public function, every storage operation, and every control‑flow path is encoded in the bytecode—whether the deployer wants you to see it or not. You can’t add comments to make SELFDESTRUCT look friendly.
Rugrat works directly on raw deployed bytecode.
- No Etherscan API key required.
- No source code needed.
- No waiting for verification that will never come.
What Rugrat Actually Does
When you paste a contract address into Rugrat, the platform performs two main steps:
1. Static Analysis (~3 µs)
The engine scans the raw bytecode for structural patterns that are commonly associated with rug pulls.
- Function signatures – identifies risky admin functions (e.g., blacklisting, fee manipulation, minting, pause controls) even when the source code is unavailable.
- Opcode patterns – detects proxy mechanisms, kill switches, and hidden state‑manipulation logic.
- Compound rule evaluation – combines multiple signals across eight risk categories; a single feature may be benign, but certain combinations are indicative of danger.
Each contract receives a risk score together with a detailed breakdown:
- Which categories were flagged
- Which specific patterns matched
- Why those patterns matter
2. On‑Chain State Checks
Static analysis tells you what a contract can do; on‑chain checks reveal what it has actually done.
| Check | What It Looks At |
|---|---|
| Ownership | Has the owner renounced? Or does someone still hold the keys? |
| Liquidity | Does a DEX pair exist? Is there real liquidity? |
| LP Lock Status | Is the liquidity‑provider token locked? In which locker? For how long? |
| Proxy Detection | Is this an upgradeable contract that can be swapped out? |
| Honeypot Simulation | Can you actually sell the token, or will the transaction fail? |
A contract that contains a blacklist function, a non‑renounced owner, unlocked liquidity, and a failing sell simulation is a clear red flag.
The Result
You receive a full risk report:
- Overall score & risk level (Clean → Critical)
- Category‑by‑category breakdown
- Specific findings with severity ratings
- Complete on‑chain state
Everything is explained; nothing is hidden behind a magic number.
Real‑Time Surveillance: The Live Feed
The scan‑on‑demand feature is useful, but the live feed is what changes how you think.
- Rugrat monitors new contract deployments across five EVM chains – Ethereum, BSC, Base, Polygon, and Arbitrum.
- Every new contract is scanned automatically and streamed to the UI in real‑time via Server‑Sent Events, color‑coded by risk level.
Open the page, watch, and see what’s deploying right now. Watching the feed for ten minutes and seeing how many contracts launch with blacklist functions and mutable fees… it’s eye‑opening. The volume of contracts with risky patterns is much higher than most people expect.
Five Chains, One Scanner
The same detection pipeline works identically across all supported networks:
| Chain | DEX Coverage |
|---|---|
| Ethereum | Uniswap V2 |
| BSC | PancakeSwap V2 |
| Base | Uniswap V2 |
| Polygon | QuickSwap |
| Arbitrum | Camelot |
Each chain has its own DEX routing, liquidity‑locker contracts, and native‑token configuration. The analysis is identical — same rules, same bytecode patterns, same risk categories. Select your chain and scan.
The Telegram Bot
The web UI is great, but I also built a Telegram bot that lets you:
- Submit an address for an instant scan.
- Receive the full risk report directly in chat.
- Subscribe to a channel that posts every high‑risk contract as soon as it’s detected.
It’s perfect for staying informed on the go.
Bottom Line
Rugrat shows that bytecode‑level, real‑time analysis combined with on‑chain state checks can reliably flag rug‑pull contracts without needing source verification. The patterns are there; you just have to look in the right place.
Give it a try at rugrat.network and let the data do the heavy lifting.
Telegram Bot for On‑Chain Contract Surveillance
Sometimes you just want to check a contract from your phone before aping in.
So I built a Telegram bot that runs the entire detection engine – same analysis, same on‑chain checks, same risk scoring. No separate codebase, no watered‑down version.
How It Works
/start– receives a welcome message that lists all 5 supported chains.- Paste any
0x…address – inline buttons appear asking which chain the address belongs to. - Tap a chain – the bot returns a full scan report directly in the chat.
One‑Shot Command
/scan eth 0x1234…The reply includes:
- Risk score
- Category breakdown
- On‑chain state snapshot
- Explorer link
All formatted and delivered in seconds.
Runtime
- Runs 24/7 as a lightweight background service
- Binary size: ≈ 12 MB
- RAM usage: ≈ 10 MB
Why Rust?
Speed was non‑negotiable. Monitoring new contract deployments in real‑time across five chains means each scan must take essentially no time.
- Bytecode analysis: ~3 µs (≈300× under a 1 ms budget)
- Network I/O: the real bottleneck, ~200–500 ms per
eth_getCodeRPC call
Because the analysis itself is negligible, we can add more rules, more chains, and more checks without ever worrying about the scan engine’s performance.
What I Learned About Adversarial Smart Contracts
Rug pulls are not sophisticated – most use the same dozen patterns. Scammers rely on templates and tutorials; the problem isn’t detection difficulty, it’s that nobody looks at the bytecode.
Compound patterns beat individual signals – a
mintfunction alone isn’t malicious (ERC‑20 tokens need it). However, the combination ofmint+blacklist+mutable fees+owner not renouncedappears in 100 % of malicious contracts in our dataset and never in benign ones.On‑chain state is the tiebreaker – static analysis tells you what a contract could do. Ownership status, liquidity locks, and honeypot simulation tell you whether it will do it.
The real arms race hasn’t started – current rug‑pull techniques are detectable because nobody was systematically scanning bytecode. As scanners improve, attackers will evolve (metamorphic contracts, time‑delayed activation, cross‑contract splitting). Low‑hanging fruit still exists.
Speed is a feature, not a luxury – a 30‑second scan arrives at block N+3 while a rug pull can execute in block N+1. Microsecond analysis lets you scan before you decide to trade.
## What’s Next
- **Behavioral analysis** – post‑deployment transaction‑pattern monitoring
- **Cross‑contract analysis** – factory patterns, deployer reputation
- **Uniswap V3 support** – concentrated‑liquidity honeypot simulation
- **API for integrators** – let wallets and DEX front‑ends query risk scores before users swap
---Try It
Live:
- Paste any contract address.
- Pick a chain.
- See the full risk breakdown in microseconds.
Or watch the live feed to see what’s deploying right now – you might be surprised.
Rugrat – a fast little snitch for shady contracts.