Ever since the Dencun upgrade that dramatically lowered fees on Ethereum layer 2s, Coinbase’s not-very-decentralized rollup Base has surged in user numbers, transactions and total value locked.
As with the fast and cheap L1 blockchain Solana, most of the activity is being fuelled by degenerate gambling on memecoins, with hopefuls vying to make life-changing amounts of money from a small outlay.
But an investigation by Magazine has found the vast majority of memecoins on the platform have security vulnerabilities that could expose users to big losses.
And almost one in five are deliberately malicious and use a variety of tricks to steal user funds.
Magazine compiled security profiles of 1,000 new Base tokens — virtually all of them memecoins or scams — launched between March 19 and 25. This is not a comprehensive audit, as there are currently more than 380,000 ERC-20 tokens on Base; however, it is a representative sample of 1,000 tokens launched that week.
The tokens were analyzed by automated auditors on the trading analytics platform DEXTools to determine whether each project has implemented three fundamental security measures: locked liquidity, verified contracts and absence of honeypots.
For the uninitiated, that means:
Locked liquidity in decentralized finance (DeFi) is when a portion of a cryptocurrency’s trading pair is sealed by a smart contract. This directly addresses rug pull concerns.
A verified contract means that a project’s smart contract is accessible for investors to review possible risks.
A honeypot is a type of scam that lures investors with high-profit potential but prevents them from selling.
According to the analysis, 908 projects, or 90.8% of the sampled tokens, failed at least one of these security conditions.
While some security flaws may indicate potential illicit activities, they are just as likely to reflect memecoin creators’ lack of knowledge about proper security procedures, especially if they’ve launched a token as a joke or to troll the industry.
“This scenario underscores the challenges faced by projects that may not have the resources to hire security experts or conduct independent assessments of their smart contracts,” David Schwed, chief operating officer at security firm Halborn, tells Magazine. He adds that the fact many projects just copy and paste existing tokens means that flaws are replicated.
“The tendency of these projects to be forks of existing projects or generated through AI means they often inherit vulnerabilities or introduce new ones.”
17% of tokens on Base are outright crypto scams
But while inept founders bumbling their way through a launch explains the majority of issues, a disturbingly high proportion of tokens are outright scams.
According to the analysis, 16.9% of the projects are suspected of malicious intent through exaggerated sales “taxes,” or they are honeypots, a type of scam that includes conditions to prevent owners from selling tokens.
Possible honeypots were found in 121 projects. An additional 48 had sales tax as high as 100%, which is no different from outright theft.
It’s worth noting that memecoin scams can take various forms, and automated auditors can mislabel some tokens or even miss some creative schemes.
Presale rug pulls have become a rising trend on the Solana network, and they are difficult to identify because they often rely on social engineering tactics and hype. Sometimes, a token presale is conducted for a project that doesn’t even have a smart contract to be audited.
A recent study by Blockaid reportedly found that half of Solana presale tokens launched between November and February were malicious.
Most common memecoin vulnerability on Base is a potential rug pull
The most common security vulnerability among the 1,000 projects analyzed was found in their liquidity pools.
“Locked liquidity immediately prevents LP rug pulls and provides a level of confidence which I see as a basis for any project that has a desire to show themselves to be trustworthy and legitimate,” Vesper, founder of MYSTCL on Base, tells Magazine.
Of the sampled tokens, 905 projects, or 90.5%, did not lock their liquidity, which makes them prone to rug pulls.
In decentralized exchanges, a token must be paired with a more established asset like Ether or stablecoins. Investors contribute to increasing the liquidity pool’s value by exchanging these established tokens for the new memecoin.
A rug pull is a type of scam where developers withdraw all of the ETH, stablecoins or other assets from the liquidity pool and abandon the project.
A direct countermeasure against rug pull risks is when developers lock their liquidity pools. This action serves as a code-enforced guarantee that they won’t, and can’t, access the liquidity pool. Sometimes, these promises have expiration dates.
Just because a project does not have locked liquidity doesn’t automatically classify it as a rug waiting to be yanked.
According to Vesper, there could be reasonable explanations for liquidity being unlocked, such as migrating liquidity from one decentralized exchange (DEX) to another.
In such cases, projects can have additional security layers to gain trust, such as having verified contracts.
Among the 905 projects without locked liquidity, 675 of them had verified contracts.
As for the other 230 tokens without locked liquidity or verified contracts, Vesper, who is also the lead developer of the projects he founded, says there is “no legitimate reason a token would have an unverified contract.”
“DApps may protect their code for competitive reasons (with auditing being a must in this case) [but] tokens have no such valid reason to not verify their contract,” Vesper says.
Coinbase provides a fairly boilerplate response to Magazine’s questions, pointing out that Base is permissionless.
“While we do not endorse specific assets, we are supportive of builders entering the Base ecosystem, and we are continuing to focus on making on-chain technology more accessible with faster and cheaper transactions.”
Memecoins pump Base DeFi to new highs
When Magazine compiled the security profiles of the 1,000 Base projects, there were around 1,300 new tokens in the seven-day period to March 25, according to trading data provider Birdeye.
But in the week to April 2, that number exploded to 4,000.
Throughout this period, new token launches on Solana held steady at an estimated 19,000 per week.
While Base’s rise to memecoin stardom hasn’t had much of an impact on the rate of new projects on Solana, volumes on DEXs tell a different story.
In the seven days to April 2, trading volumes on Solana DEXs dropped, with the top five falling by between 20% and 59.5%, according to DefiLlama.
Meanwhile, four of the top five Base DEXs had positive changes in trading volume, with Uniswap leading the charge with a 147% rise to $405.09 million.
On Solana, Uniswap’s trading volume would rank second, behind Orca’s $484.17 million.
The intangibles in fungibles
The recent memecoin pump has split the industry into two conflicting camps.
One side has been critical of memecoins’ popularity due to their lack of utility and high scam rates.
“Security vulnerabilities in new memecoin projects … reflect a broader trend that is generally observable across the memecoin ecosystem,” Schwed says.
On the other side of the spectrum, some industry watchers cheer on the memecoin rally for onboarding new investors into the space.
“You can poo-poo these things as stupid and valueless, but if it brings attention and more engineers to the space, it’s positive value for the chain itself,” Arthur Hayes, co-founder of derivatives exchange BitMEX, told Real Vision CEO Raoul Pal in a recent interview.
Vesper says that his dev roots aligned him to the “creation of utility” but recently, he had a change of heart.
“I’ve come to realize that there are non-tangible energies that drive the crypto space as well, and that they’re just as much a part of it as blockchains and smart contracts.”
Yohan Yun
Yohan Yun is a multimedia journalist covering blockchain since 2017. He has contributed to crypto media outlet Forkast as an editor and has covered Asian tech stories as an assistant reporter for Bloomberg BNA and Forbes. He spends his free time cooking and experimenting with new recipes.