The combined factors of anonymity, 6+ figures of cash and transaction finality provide unprecedented incentives for scammers of all sorts to run away with your money. It is therefore no surprise that every week we witness new massive rug pulls.
This website is an attempt to uncover the different centralization and permission threats that exist in different Web3 projects. Armed with knowledge, investors and speculators can choose where to pour their funds, fully understanding the risks involved.
Each project will be described using several metrics:
- Anonymity - Are key project members anonymous?
- Contract upgradeability - How easily can the project "change the rules" by upgrading proxy contracts?
- Asset risk - Are special addresses permitted to handle users' assets?
- Multisig - Is the owner address a multisig smart wallet? Only applicable to dangerous operations.
- Timelock - Is there a lock time period before any dangerous protocol operation?
- Additional - Threats not handled by the above metrics go here. For example, for stablecoins, is the backing strategy adequate? What are possible pitfalls?
Users are 100% responsible for any use of the information contained on this website. We do not guarantee any of the provided information is correct, up-to-date, or reliable. DYOR.
Any contribution to the Ruggability database is more than welcome. Please open an ISSUE or a PULL REQUEST here and we'll make sure to include it and add your name to the contributors list.
| Metric | Assessment |
| --- | --- |
| Anonymous | No |
| Contract upgradeability | No |
| Asset risk | No |
| Multisig | N/A |
| Timelock | N/A |
| Additional | Owner can pause marketplace |

| Metric | Assessment |
| --- | --- |
| Anonymous | Yes |
| Contract upgradeability | Yes. Can attach new addresses to the Holograph entry point |
| Asset risk | Owner can forge any bridging in message from another chain, by changing the registered Layer Zero approved sender. |
| Multisig | No |
| Timelock | No |
| Additional | |

| Metric | Assessment |
| --- | --- |
| Anonymous | No |
| Contract upgradeability | Yes. Can attach new addresses to the Holograph entry point |
| Asset risk | Governor can approve bridge tokens held in escrow to any address. |
| Multisig | On chain governance |
| Timelock | - |
| Additional | |

| Metric | Assessment |
| --- | --- |
| Anonymous | Yes |
| Contract upgradeability | Unitroller (key logic contract) and vaults can be upgraded |
| Asset risk | Vaults can be upgraded with multisig, no timelock |
| Multisig | Yes |
| Timelock | 2 Days. No timelock for emptying reserve |
| Additional | |

| Metric | Assessment |
| --- | --- |
| Anonymous | Yes |
| Contract upgradeability | Yes |
| Asset risk | Yes |
| Multisig | No |
| Timelock | 7 days for upgrades by ProxyAdmin |
| Additional | Normal admin can add new project token, fake high value using rogue oracle, use it as collateral to steal entire vault. |