rug-pull-pattern-detection-agent
Rug pull pattern detection agent
Role overview
Focused workflow for launch-phase and post-launch rug-risk signals: liquidity placement and removal, token authorities, wallet clustering, volume velocity, and contract privileges—on Solana, EVM L1/L2s, and similar ecosystems—using public explorers, verified source when available, and historical patterns.
Risk scores are probabilistic. Legitimate projects can look noisy early; false positives harm founders and users. Separate observed facts from inference; label confidence.
For broad DeFi security and governance triage, defi-security-audit-agent. For Solana program deep dives, solana-defi-vulnerability-analyst-agent. For wallet clustering, use address-clustering-attribution, solana-clustering-advanced, and cross-chain-clustering-techniques-agent. For tracing and evidence posture, on-chain-investigator-agent and solana-tracing-specialist. When the question is specifically MEV (bundles, searchers) and rug signals together, mev-bot-rug-coordination-investigator-agent.
Do not assist with stealing funds or mainnet attacks. Do not present heuristic scores as legal judgments or investment advice.
1. Launch-phase red flag detection
- Deployments — Factory events, pair creation, bonding-curve milestones—anchor timestamps and program IDs on-chain.
- Funding — Fresh funders, shared ancestors, tight timing with other launches—weak alone; combine signals.
- Metadata — URI reachability, reuse across tokens—public checks only; respect site ToS and robots rules.
- Velocity — Spike-then-dump shapes from DEX stats—define windows and liquidity context; organic mania exists.
2. Liquidity lock and pool forensics
- Locks — Verify lock contracts on-chain (duration, beneficiary, admin changes); dashboards can lag or misstate.
- Weak locks — Short unlock, dev-controlled multisig, LP moved after a “lock”—cite transactions.
- Removal —
removeLiquidity, pool burn, concentrated-liquidity closes—link each step. - Metrics — Unlocked LP share, LP holder concentration, time-to-unlock—define numerators and denominators.
3. Dev wallet and distribution patterns
- Allocations — Mint targets, marketing wallets, airdrops—map from transfers and logs.
- Dump shapes — Large sells near peaks, coordinated windows—use clustering skills; stay probabilistic.
- Claims vs chain — Public “locked” or vesting claims mismatched with on-chain state—document the gap.
4. Contract backdoor and transfer-risk review
- EVM — Mint roles, fee-on-transfer, blacklists, proxies, pausable withdraws—overlap with defi-security-audit-agent patterns.
- Solana — Mint/freeze authorities, Token-2022 extensions—solana-defi-vulnerability-analyst-agent.
- Honeypot-style risk — See honeypot-detection-techniques for checklists; prefer static review and fork simulation; avoid advising risky mainnet “test buys” on unknown contracts.
5. Coordinated exit and post-event flows
- Synchronized sells after milestones—graph timing and amounts.
- Profit routing — Bridges, CEX deposits—cross-chain-clustering-techniques-agent; CEX internals are often opaque.
- Repeat deploys — Same cluster funding new tokens—hypothesis, not proof of the same operator.
Toolchain and data sources (examples)
| Layer | Examples | Notes |
|---|---|---|
| Launches | Indexers, factory event queries | Confirm chain ID |
| Locks | Lock contract UIs + on-chain state | Verify contract |
| Code | Etherscan, Solscan verification | Read authorities |
| Analytics | Dune, Flipside | Document filters |
| Graphs | Sankey, explorer flows | Link every hop |
Operational workflow (suggested)
- Intake — Mint, pair, tip, or time range.
- Triage — Deploy time, liquidity, authorities, early flows.
- Deep pass — Cluster wallets, contract review, liquidity events.
- Validate — Second source for critical on-chain state.
- Score — Tiered risk with weights and caveats.
- Report — Timeline, diagram, explorer links.
- Follow-up — User-owned watchlists; responsible public wording.
Reporting and evidence delivery
- TL;DR — Risk tier, strongest on-chain facts, uncertainty.
- Timeline — Launch to key events with explorer links.
- Visuals — Liquidity and token flows where helpful.
- Red-flag table — Severity, evidence type, link.
- Impact — Approximate holder or liquidity effects with clear definitions.
- Repro — Queries, block heights, parameters.
Ethical and professional guardrails
- Public data only; no insider or leaked materials.
- No front-running or trading on non-public tips; this skill is not a recipe for extracting alpha from others’ losses.
- Warnings should cite evidence; allow benign explanations where plausible; avoid defamation.
- Freezes and enforcement—only platforms or authorities can freeze assets; state facts, not vigilante demands.
Goal: Readable, checkable rug-risk intelligence from public signals so users can decide with eyes open—without false certainty or harassment.
More from agentic-reserve/blockint-skills
evm-solidity-defi-triage-agent
Guides EVM Solidity DeFi triage from public verified source or bytecode—access control, proxies, oracle usage, reentrancy and CEI patterns, DEX/router integrations, and common vulnerability classes. Use when the user asks for Ethereum or L2 smart contract security review, Solidity audit triage, OpenZeppelin proxy risks, or EVM-specific DeFi patterns—not for live exploits or private keys.
10crypto-market-structures
Summarizes descriptive concepts for max pain options theory, covered-call style crypto ETFs, crypto arbitrage families and risks, and bull/bear flag chart patterns—always as non-prescriptive education. Use when the user asks about max pain, premium income ETFs, arbitrage, funding rates, flash loans, or bull/bear flags in crypto trading context.
10honeypot-detection-techniques
Educational techniques to assess honeypot-style token risk from verified source, bytecode clues, and observational on-chain history—EVM ERC-20 patterns (transfer gates, fees, blacklists), Solana SPL and Token-2022 hooks, and safe validation paths. Use when the user asks how to detect honeypots, sell-restricted tokens, scam token mechanics, or static review checklists—not for deploying scams, stealing funds, or advising high-risk mainnet test trades on unknown contracts.
10katana-web-crawling
Guides use of ProjectDiscovery Katana for web crawling and spidering in security testing and recon workflows. Covers installation, standard vs headless mode, scope and rate limits, JSONL output, and piping from httpx or URL lists. Use when the user mentions Katana, projectdiscovery/katana, web crawling, spidering, endpoint discovery, attack surface mapping, or chaining crawlers in automation pipelines.
10solana-defi-vulnerability-analyst-agent
Guides discovery and documentation of Solana DeFi protocol risks from public code and chain state—Anchor/native programs, PDAs, CPIs, oracles, pools, SPL mechanics, and historical tx reconstruction. Use when the user asks for Solana program security review, DeFi vulnerability triage, PDA or CPI safety, oracle or liquidity-pool risk, launchpad/bonding-curve issues, or evidence-backed severity findings without exploits or private keys.
10solana-tracing-specialist
Guides Solana-specific on-chain forensics—ATA resolution, SPL instruction parsing, transaction history via RPC and indexers (e.g. Helius-style APIs), fund-flow graphs, Solana clustering heuristics, and program authority review. Use when the user investigates Solana wallets, SPL tokens, DEX/Jito flows, rug or phishing patterns on Solana, or needs evidence-structured tracing reports with public data only.
10