The safety of the DeFi and especially the FTM ecosystem is shaking as “Tomb Fork” projects seem to be the perfect place for scams to thrive. Even after some investigation, what might look like a safer project can still turn out to be a fraud.
Recently, PulseDAO got rugged. Allegedly, their own dev turned against the and KYC might not be enough to hold this person accountable.
Tomb Forks And Rug Pulls
As per Chainalysis data, in 2021 DeFi rug pulls took over $2.8 billion worth of crypto and accounted for 37% of all cryptocurrency scam revenue in the year, versus just 1% in 2020.
A risky model called Tomb Fork, often FTM-based, has become perfect for rug pulls and many investors keep falling in.
Pulse was a project that allowed users to “create their own prediction markets about anything.” They launched a token model with the promise of rewarding “all participants fairly, while also making the network resilient.”
PulseDAO was a Tomb Fork. Based on Tomb Finance, Tomb forks are algorithmic stablecoin projects that peg their token to another coin, originally FTM.
In the case of Tomb Finance, they intend to “create a mirrored, liquid asset that can be moved around and traded without restrictions.”
The PulseDAO Rug
The rug was confirmed by Rugdoc.io, who had previously warned that the project had a risk of governance mishandling and they needed their contracts to be subjected to a full audit with a reputable auditor. They highlighted the following risk vectors:
Not KYC’d with RugDoc
No reputable audits as of date
Liquidity is not locked with RugDoc
Not in a multisig. We highly recommend the project to use one with community members or reliable 3rd parties as an approver due to the said governance risk.
Then, they spotted that 4243 FTM was removed from the project by the contract owner here. It seems like they pulled out almost all of the project’s liquidity.
“It appears Tomb forks have inherent governance risks, which is why it is critical to have renounced contracts and KYC in place before entering.”
However, RugDoc missed that PulseDAO did KYC with ApeOClock, but it was not enough for safety, and this is a very important detail for investors to take into account. Is KYC enough? More on that below.
About 5 days ago, PulseDAO said via Discord they were having issues with their cross-chain bridge, but nothing more. After March 13, all accounts and websites were down or deleted.
There is not much information running around, but scraping screenshots of messages from the team, this is one of the excuses they gave:
But even Ape O’Clock, the platform they used for their KYC, was confused:
The team’s cited a person who was “poised to kill the project”, “DAOKing”. He is a YouTuber who apparently had made a deal with PulseDAO to review them in a video. This YouTuber claims they used him as a scapegoat and that he is actually one of their largest holders and got rugged as well.
He listed his wallet in a recent video and movements can be checked via FTMScan. Although he claims otherwise, some users say it is unclear if he owns other wallets. However, he seems to be actively collaborating with Ape O’Clock to investigate the pull and take action.
So far, it does appear like a dev rugged the whole project.
PulseDAO Telegram channel claims the following:
The team also said they are investigating the “attack” and fixing their website and will take responsibility.
They also claimed the reason they took their Discord channel and Twitter down was that they need “encouragement, support and optimism not FUD and disheartening comments” while they manage to restore services.
Deciding to take down all main sources of information is a very odd choice when you want to take responsibility.
Moreover, the pattern of rug pulls points out an unsustainable model: Tomb Forks.
Some are quickly spotted as hard pulls, meaning that the devs coded the token with a malicious backdoor; some are soft pulls, meaning that the project gets dumped.
Related Reading | A Race For The Truth: Fantom Vs. Rekt, What Went Down
Why KYC Didn’t Matter
Many investors check a safety box when a project has KYC, but the PulseDAO example shows its weak face.
Some of the reasons it might not do any difference are:
- Recovering crypto thefts from some countries can be difficult or even impossible.
- Authorities might not look into smaller crypto projects.
- Scammers might not even be held accountable in several countries because the rug pull falls into grey areas.
A user pondered: “How do we expect DeFi as a whole to develop and grow if the is no safeguard in place?”
Fantom (FTM) has been trading around $1.08 in the daily chart, down 5.50% in the last 24 hours. The coin has experienced fear from investors because of the departure of main developers. The foundation has claimed this will not affect their plans.
Related Reading | Why Fantom Fell 22% Following Key Personnel Exit