View PDF HTML (experimental)

Abstract:Existing rug pull detectors assume a simple workflow: the deployer keeps liquidity pool (LP) tokens and performs one or a few large sells (within a day) that collapse the pool and cash out. In practice, however, many real-world exits violate these assumptions by splitting the attack across both time and actor dimensions: attackers break total extraction into many low-impact trades and route proceeds through multiple non-owner addresses, producing low-visibility drains. We formalize this family of attacks as the fragmented rug pull (FRP) and offer a compact recipe for a slow-stewed beef special: (i) keep the lid on (to preserve LP control so on-chain extraction remains feasible), (ii) chop thin slices (to split the total exit volume into many low-impact micro-trades that individually fall below impact thresholds), and (iii) pass the ladle (to delegate sells across multiple wallets so that each participant takes a small share of the extraction). Technically, we define three atomic predicate groups and show that their orthogonal combinations yield evasive strategies overlooked by prior heuristics (USENIX Sec 19, USENIX Sec 23). We validate the model with large-scale measurements. Our corpus contains 303,614 LPs, among which 105,434 are labeled as FRP pools. The labeled subset includes 34,192,767 pool-related transactions and 401,838 inflated-seller wallets, involving 1,501,408 unique interacting addresses. Notably, owner-wallet participation in inflated selling among FRP-flagged LPs has declined substantially (33.1% of cases), indicating a shift in scam behavior: the liquidity drain is no longer held on the owner wallet. We also detected 127,252 wallets acting as serial scammers when repeatedly engaging in inflated selling across multiple FRP LPs. Our empirical findings demonstrate that the evasive strategies we define are widespread and operationally significant.

Submission history

From: Minh Trung Tran [view email] [v1] Wed, 19 Nov 2025 14:22:07 UTC (729 KB)