Skip to main content
← Back to blog
SECURITY Anatomy of a Solana Memecoin Rug Pull MoonHydra · moonhydra.com/blog
Security Rug Pulls On-Chain Deep Dive

Anatomy of a Solana Memecoin Rug Pull

· 10 min read · MoonHydra Research

A Solana rug pull is not a random event. By the time the liquidity vanishes and the Telegram group goes silent, the deployer has left a public trail across at least five separate on-chain artifacts — bundle wallets, mint authority flags, LP token custody, drain-wallet routing, and engagement asymmetry on social. Every one of those is visible on Solscan or Birdeye for free, before you buy. This guide walks through how to spot a rug pull on Solana by reading that trail yourself, with illustrative mint addresses you can pattern-match against the next ticker that lands in your DMs.

The five signatures of a Solana memecoin scam on-chain

Rug pulls rhyme. The teams run the same playbook across hundreds of tokens with minor variations on a script that has been profitable since 2022. None of the signals below is a single "no buy" on its own, but three or more on the same contract make the expected value of clicking buy deeply negative.

  • Pre-launch bundle. A cluster of related wallets buys concentrated supply in the first one to ten blocks after mint, often funded from a single source wallet minutes earlier.
  • Mint authority not revoked. The deployer can still mint new supply at will, which means every chart is a fiction until they choose otherwise.
  • LP unlocked or in the deployer's hand. The liquidity-pool tokens on Raydium or Orca are either held directly by the deployer or sitting in an unlocked-and-burn-able state, so pulling the LP is a single signed transaction away.
  • Drain wallet funnel. Proceeds from the rug flow through a fresh intermediate wallet, then split into Binance, Kraken, or a privacy-mixer entry point on a predictable cadence.
  • Social signal mismatch. Twitter and Telegram engagement looks busy but the engagement-to-follower ratio is either far too low (dormant bot-farm) or far too high (paid engagement on a 200-real-user account).

The rest of this post walks each one in detail, with the exact Solscan tabs and Birdeye columns where you can verify them in under sixty seconds. The example addresses below (5xyz...QGme, HRug...P8nQ, etc.) are illustrative — pattern templates, not specific historical rugs.

Signal 1 — The pre-launch bundle

Open the token in Birdeye, switch to the Holders tab, and sort by the First Buy Block column. A healthy organic launch shows a mix of pump.fun snipers, copy-trade bots, and small organic buys in the first ten. A bundled launch looks statistically anomalous: seven or eight of the first ten transact in the same block, bag sizes within 5–15% of each other, and a manual trace upstream shows they were all funded from the same wallet 60 to 600 seconds before launch.

The mechanical check on Solscan: pick three of the top early holders, click into each wallet, sort incoming SOL transfers by timestamp. If they all received roughly equal amounts from the same source in a tight window before launch, that source is the deployer's funding wallet and you are looking at a bundle. Bundles aren't always evidence of intent to rug — plenty of legitimate launches pre-seed through team wallets. But a bundle holding 30–60% of supply at minute one and dumping progressively across the first hour is the canonical exit-liquidity pattern. The deployer's downside is your bag.

Signal 2 — Mint authority not revoked

Every SPL token has two authorities encoded in the mint account: the mintAuthority (can issue new supply) and the freezeAuthority (can freeze any holder's tokens permanently). On a token that intends to behave like a fixed-supply asset, both should be set to null shortly after launch. On Solscan, open the mint address, scroll to the Token Authorities panel, and check both fields.

If mintAuthority is still a live address, the deployer can mint an arbitrary amount of new tokens at any time. Every chart you see, every market cap, every "X just hit $50M" number is a fiction until they choose to dilute. The classic dilution rug is invisible until the moment it lands — the deployer mints 10x supply into a wallet they pre-funded, dumps into the existing LP, walks away with the SOL, and the chart prints a 99% candle.

freezeAuthority is the more vicious cousin. If left live, the deployer can freeze your specific wallet's holdings indefinitely — you cannot sell, you cannot transfer, the tokens are on-chain but inert. This is sometimes used to extort buyers ( "unfreeze fee" scams) or to selectively freeze whales before a coordinated dump. The honest tokens revoke both. Verify, don't trust the white paper.

Signal 3 — LP unlocked or held by the deployer

On Raydium or Orca, providing liquidity mints an LP token to the provider. Whoever holds the LP tokens can withdraw the underlying SOL and tokens by burning the LP. A legitimate launch either burns the LP tokens (irreversible, the liquidity is locked forever) or sends them to a verifiable timelock contract (e.g. PinkLock, Streamflow, Team Finance — visible as a recognizable program owner). A rug-prepped launch leaves the LP token in the deployer's wallet or in a wallet one or two hops away.

The check: find the Raydium pool for the token, identify the LP mint address (it's listed in the pool metadata), then look up that LP mint's top holders on Solscan. If the holder is 11111... 11111 (the burn address) or a known locker program, the LP is locked. If the holder is an EOA — any normal wallet address — the LP is rug-able. Single-signature distance from the deployer to a full liquidity withdraw is the canonical Solana rug.

Watch for the half-measure too: deployers who lock 80% of the LP and quietly hold 20% as "marketing reserve". A 20% LP withdrawal is still enough to crater a thinly-traded memecoin, and the locked portion is theater for the audit tab.

Signal 4 — The drain-wallet funnel

This signal is only visible post-rug, but it matters because the same deployer comes back two weeks later with a new ticker and the same funnel architecture. Fingerprint the funnel, refuse to buy from that operator again. The rug execution wallet doesn't hold proceeds for long. Within minutes to hours, SOL routes through a fresh intermediate wallet — no prior history, no on-chain reputation — and splits into one of three standard exits:

  • Centralized exchange deposit addresses. Binance, Kraken, OKX, Bybit, Bitget. Identifiable by the deposit-address pattern these exchanges use, and by the destination wallet activity (high-volume in, zero on-chain economic activity).
  • Mixers and privacy hops. Tornado Cash equivalents and cross-chain bridges that obscure the trail. A bridge to Ethereum followed by a privacy-pool deposit is the contemporary laundry route.
  • Re-funding the next deployer wallet. The cheapest tell. Proceeds from rug N show up two weeks later as seed capital for rug N+1's bundle.

Tools like Arkham, Nansen, and Solscan's wallet labels do most of this graph traversal for you if you're paying for them. For free, open the proceeds wallet on Solscan, click SOL Transfers, and follow the largest outgoing transaction. Two hops is usually enough to land on a labeled exchange deposit or a recognizable bridge contract.

Signal 5 — Social signal mismatch

On-chain checks are the load-bearing ones. Social checks are the cheap sanity layer on top. The pattern to look for is asymmetry between follower counts and real engagement.

  • Twitter 40k followers, typical post engagement 20–30 likes. Bot-padded count or paid engagement on a small real audience. Both correlate with rugs.
  • Telegram 15k members but the chat cycles through the same 20 usernames. Members bought, vocal users paid, actual community is the 20 regulars.
  • Account age vs. token age. Twitter account created the same week as the token, confidently posting "next 100x" — single-purpose account. Real teams have shipping history.
  • Amplification pattern. Retweets only from accounts that retweet every launch is paid amplification, not organic discovery.

None of these is a hard veto — some real projects have small Twitter footprints. But combined with two of the on-chain signals above, social asymmetry is the tiebreaker.

A worked example — anatomy of a typical rug

Imagine a token launches at mint 5xyz...QGme. The pattern below is a composite of dozens of real post-mortems — every individual element below is something we've seen in production rugs.

  • Minute -2: Wallet HRug...P8nQ funds eight fresh wallets with 1.4 SOL each within a 45-second window. No prior history. This is the bundle.
  • Minute 0: Mint 5xyz...QGme deploys on pump.fun. The eight bundle wallets buy in for ~1.3 SOL each in the first two blocks, picking up ~35% of supply. Mint and freeze authority are both still live.
  • Minute 0–8: Organic buyers arrive. The bundle sells into every green candle, never more than 8% of the LP at a time, never tripping anti-bundle bots. Birdeye shows a healthy 4x.
  • Minute 14: Token graduates from pump.fun to a Raydium pool. The LP mint is held by HRug...P8nQ — the same wallet that funded the bundle. Not burned, not locked.
  • Minute 22: HRug...P8nQ withdraws the full LP. Chart goes vertical-down. ~94 SOL flow to a fresh wallet DraN...K2vF in the same block, then deposit to a labeled Binance hot address within the hour.
  • Two weeks later: A new mint launches. The funding wallet for the new bundle is HRug...P8nQ again, seeded by a different fresh wallet six hours before launch. Same operator, new ticker.

Every step was visible on Solscan in real time if you knew what to look for. The five signals above are the lookup keys.

How MoonHydra's RugCheck gate handles this

We built a RugCheck gate into the auto-trade pipeline because every signal above is mechanically detectable, and we'd rather refuse a trade than enter a position into a token that fails on three or more of them. The gate runs before every buy initiated by auto-snipe, copy-trade, or DCA — the user can override on a manual buy, but we surface the failed checks first.

  • Mint authority + freeze authority status read directly from the mint account. Both must be revoked or the token is flagged.
  • LP custody check against known locker programs. LP held by an EOA fails the gate.
  • Top-10 holder concentration with a heuristic for fan-out from a common funder wallet, which catches the bundle pattern.
  • Mint age — sub-minute-old mints are surfaced with an explicit warning rather than silently allowed.

Read the full mechanic on /features/auto-trading or the underlying threat model on /security. The gate is opinionated — it will say no to tokens that would have rugged you, which sometimes means saying no to a token that didn't end up rugging. We think that asymmetry is the right default for an automated trade.

Separately, the multi-wallet architecture on /features/multi-wallet matters because compartmentalization is the only mitigation for the rugs the gate misses. A degen wallet that holds 2 SOL of rotation capital can eat a full rug and you keep trading. A single wallet with your full bankroll cannot.

What to do if you got rug-pulled

The honest answer first: in most cases the money is gone. Solana transactions are final, the operator is pseudonymous, and law enforcement has neither the bandwidth nor the jurisdictional path to chase a 12 SOL rug into a foreign exchange. The exception is when the operator over-reaches — domestic CEX deposits without KYC, a doxxed team member — and even then recovery is months to years. The realistic post-rug workflow:

  1. Snapshot everything. Save the mint address, LP mint, the deployer wallet, the funding wallets, the timestamp, and the Solscan links. You're building a fingerprint to never buy from this operator again, not an evidence package for a lawsuit.
  2. Report to CEX deposit addresses if applicable. If the funnel hit a Binance or Kraken deposit, file an abuse report with the on-chain trail. They almost never freeze for sub-$100k rugs, but the pattern data is what eventually pins repeat operators.
  3. Write it off mentally and tax-wise. In most jurisdictions a rugged token is a realized loss for tax purposes once the LP is verifiably gone. Talk to your accountant.
  4. Audit your own process. Which of the five signals were visible before you bought? Was it three? Was it five? The expensive education is wasted if you don't update the checklist.
  5. Block-list the deployer wallet. Add it to your personal "never buy" list and any bot allow-list features you use. Operators recycle wallets more than you'd expect.

For the broader pre-trade workflow that prevents most of this from happening in the first place, the due-diligence checklist walks through the same signals in actionable order, and the bot security checklist covers the wallet-hygiene side. If you're still evaluating which bot to fund, the non-custodial vs custodial breakdown matters here too — a custodial bot's pooled hot wallet is, in a meaningful sense, a structural rug risk on top of every individual token rug.

Closing

Rug pulls on Solana are predictable in a way that should be unsettling. Same five signals, same drain-wallet patterns, same operators recycling wallets. All of it is on a public ledger. The skill of reading that ledger is the difference between traders who think rugs are bad luck and traders who treat them as a market structure they refuse to participate in. Pick the second framing and the next twelve months get significantly cheaper.


Ready to put this into practice?

MoonHydra is a multi-wallet Solana memecoin trading bot on Telegram. 1% per trade. AES-256-GCM encrypted. Non-custodial.

Open MoonHydra