software

I Got Sick of Getting Rugged, So I Built a Rug-Pull Detection Engine in Rust

Published: (March 9, 2026 at 11:37 AM EDT)
8 min read
Source: Dev.to

Source: Dev.to

TL;DR: I was tired of not knowing whether a token contract was about to drain my wallet. So I built Rugrat — a real‑time EVM smart‑contract scanner that analyzes deployed bytecode for rug‑pull patterns, runs on‑chain state checks, and scores risk across eight categories. It scans a contract in ~3 µs. No verified source code required. This is the story of why I built it and what I learned about adversarial smart contracts along the way.

The Problem No One Talks About Honestly

Here’s the thing about crypto: everyone knows rug pulls happen. The stats are ugly — billions lost annually. But the tooling to detect them? It’s either:

  • Too slow – waiting 30 seconds for a scan while the liquidity drains.
  • Too dependent on verified source – most scam tokens never verify on Etherscan.
  • Too shallow – checking if owner() returns zero and calling it a day.
  • Too opaque – “Risk Score: 78” with no explanation of why.

I’d been burned a few times. Not life‑changing money, but enough to make me angry. And the anger wasn’t at the scammers — it was at myself for not understanding what I was looking at. I could read Solidity, kind of. But when someone deploys a contract with a hidden fee function that can be cranked to 100 % after launch? That’s not in the README.

So I decided: I’m going to understand this problem deeply enough to build something that catches it.

Starting From Ground Truth

Before writing a single line of code, I needed data. Not vibes, not Twitter threads — labeled, verified data.

  • Collected datasets of confirmed malicious contracts and known benign ones from multiple research sources.
  • Covered rug‑pull types such as unauthorized minting, balance leaking, transfer limits, and several categories of honeypot traps.
  • Built offline tooling to analyze these corpora — computing precision and recall for dozens of pattern detectors against the labels.

What I Found

Some patterns are almost perfectly discriminative. A tradingEnabled boolean in the transfer path that the owner controls? Never appeared in a single benign contract in our dataset. Same for mutable max‑transaction amounts and anti‑whale logic that can be toggled by the deployer.

The first “aha” moment: rug pulls aren’t subtle. They’re structurally distinct. The patterns are there — you just need to look at the right level.

And that level isn’t Solidity source code. It’s the bytecode.

Why Bytecode? Why Not Source Code?

  • Only ~30 % of contracts on Ethereum are verified on Etherscan. Scam tokens almost never verify.
  • If your scanner requires source code, you’ve already lost the battle.

Bytecode analysis covers 100 % of deployed contracts. Every public function, every storage operation, every control‑flow path is encoded in the bytecode whether the deployer wants you to see it or not. You can’t add comments to make SELFDESTRUCT look friendly.

Rugrat works directly on raw deployed bytecode. No Etherscan API key. No source code. No waiting for verification that will never come.

What Rugrat Actually Does

When you paste a contract address into Rugrat, here’s what happens:

1. Static Analysis (~3 µs)

The engine examines the raw bytecode for structural patterns associated with rug pulls:

  • Function signatures – identifying risky admin functions (blacklisting, fee manipulation, minting, pause controls) even without source.
  • Opcode patterns – detecting proxy mechanisms, kill switches, and hidden state manipulation.
  • Compound rule evaluation – combining multiple signals across eight risk categories, because individual features can be benign but certain combinations are not.

Each contract gets a risk score with a full breakdown: which categories flagged, which specific patterns matched, and why they matter.

2. On‑Chain State Checks

Static analysis tells you what a contract can do. On‑chain checks tell you what it has done:

CheckWhat It Looks At
OwnershipHas the owner renounced? Or is someone still holding the keys?
LiquidityDoes a DEX pair exist? Is there real liquidity?
LP Lock StatusIs the liquidity‑provider token locked? In which locker? For how long?
Proxy DetectionIs this an upgradeable contract that can be swapped out?
Honeypot SimulationCan you actually sell this token, or will the transaction fail?

A contract with a blacklist function, a non‑renounced owner, unlocked liquidity, and a failing sell simulation? That’s not ambiguous.

The Result

You receive a full risk report:

  • Overall score & risk level (Clean → Critical)
  • Category‑by‑category breakdown
  • Specific findings with severity ratings
  • Complete on‑chain state

Everything is explained; nothing is hidden behind a magic number.

Real‑Time Surveillance: The Live Feed

The scan‑on‑demand feature is useful, but the live feed is what changes how you think.

  • Rugrat monitors new contract deployments across five EVM chains – Ethereum, BSC, Base, Polygon, and Arbitrum.
  • Every new contract is scanned automatically and streamed to the UI in real‑time via Server‑Sent Events, color‑coded by risk level.

Open the page, watch, and see what’s deploying right now. Watching the feed for ten minutes and seeing how many contracts launch with blacklist functions and mutable fees… it’s eye‑opening. The volume of contracts with risky patterns is much higher than most people expect.

Five Chains, One Scanner

The same detection pipeline works identically across all supported networks:

ChainDEX Coverage
EthereumUniswap V2
BSCPancakeSwap V2
BaseUniswap V2
PolygonQuickSwap
ArbitrumCamelot

Each chain has its own DEX routing, liquidity‑locker contracts, and native‑token configuration. The analysis is identical — same rules, same bytecode patterns, same risk categories. Select your chain and scan.

The Telegram Bot

The web UI is great, but I also built a Telegram bot that lets you:

  • Submit an address for an instant scan.
  • Receive the full risk report directly in chat.
  • Subscribe to a channel that posts every high‑risk contract as soon as it’s detected.

It’s perfect for staying informed on the go.

Bottom Line

Rugrat shows that bytecode‑level, real‑time analysis combined with on‑chain state checks can reliably flag rug‑pull contracts without needing source verification. The patterns are there; you just have to look in the right place.

Give it a try at rugrat.network and let the data do the heavy lifting.

Telegram Bot for On‑Chain Contract Surveillance

Sometimes you just want to check a contract from your phone before aping in.
So I built a Telegram bot that runs the entire detection engine – same analysis, same on‑chain checks, same risk scoring. No separate codebase, no watered‑down version.

The Flow

  1. /start – receive a welcome message listing all 5 supported chains.
  2. Paste any 0x… address – inline buttons ask which chain the address belongs to.
  3. Tap a chain – the bot returns a full scan report right in the chat.

Or use a one‑shot command:

/scan eth 0x1234…

The reply includes:

  • Risk score
  • Category breakdown
  • On‑chain state snapshot
  • Explorer link

All formatted and delivered in seconds.

The bot runs 24/7 as a lightweight background service (≈12 MB binary, ~10 MB RAM).

Why Rust?

Speed was non‑negotiable. Monitoring new contract deployments in real‑time across five chains means each scan must take essentially no time.

  • Bytecode analysis: ~3 µs (≈300× under a 1 ms budget)
  • Network I/O: the real bottleneck, ~200–500 ms per eth_getCode RPC call

Because the analysis itself is negligible, we can add more rules, more chains, and more checks without ever worrying about the scan engine’s performance.

What I Learned About Adversarial Smart Contracts

  1. Rug pulls are not sophisticated – most use the same dozen patterns. Scammers rely on templates and tutorials; the problem isn’t detection difficulty, it’s that nobody looks at the bytecode.

  2. Compound patterns beat individual signals – a mint function alone isn’t malicious (ERC‑20 tokens need it). But mint + blacklist + mutable fees + owner not renounced appears in 100 % of malicious contracts in our dataset and never in benign ones.

  3. On‑chain state is the tiebreaker – static analysis tells you what a contract could do. Ownership status, liquidity locks, and honeypot simulation tell you whether it will do it.

  4. The real arms race hasn’t started – current rug‑pull techniques are detectable because nobody was systematically scanning bytecode. As scanners improve, attackers will evolve (metamorphic contracts, time‑delayed activation, cross‑contract splitting). Low‑hanging fruit still exists.

  5. Speed is a feature, not a luxury – a 30‑second scan arrives at block N+3 while a rug pull can execute in block N+1. Microsecond analysis lets you scan before you decide to trade.

What’s Next

  • Behavioral analysis – post‑deployment transaction‑pattern monitoring
  • Cross‑contract analysis – factory patterns, deployer reputation
  • Uniswap V3 support – concentrated‑liquidity honeypot simulation
  • API for integrators – let wallets and DEX front‑ends query risk scores before users swap

Try It

Live:

  1. Paste any contract address.
  2. Pick a chain.
  3. See the full risk breakdown in microseconds.

Or watch the live feed to see what’s deploying right now – you might be surprised.

Rugrat – a fast little snitch for shady contracts.

0 views
#software #programming #community
View source
Share:
Back to Blog

Related posts

Read more »