Insider rug

Insider rug is a variant of rug-pull where the attacker is the protocol’s own author, a team insider, or the multisig signer. It can look like a “hack” from outside, but technically it’s legitimate admin calls.

Markers of an insider scenario

• The drain transaction routes through admin functions without a timelock (UPGRADE_CODE, WIPE_VALIDATORS, MIGRATE_FUNDS).
• The attacker wallet has a history of legitimate operations with the protocol over months/years before the attack.
• The funding source for the attacker’s wallet is a KYC-free CEX (FixedFloat-style), with the same source funding several related addresses.
• The team is silent in the first hours/days of the drain — no WIPE actions, which are trivial to execute if the admin key isn’t lost.
• The same custom code template appears across several connected wallets that don’t surface publicly.

A recent example: TAC bridge drain (May 2026)

All four markers lined up on the TAC bridge drain: drain through normal admin functions, a trigger wallet with a 10-month legitimate history, FixedFloat funding, no admin reaction for 3+ days. Full breakdown — TAC Bridge Drain 2026.

How to defend yourself

• Check the admin functions before depositing meaningful amounts: is there an upgrade mechanism, is there a timelock, who controls the multisig.
• Prefer immutable contracts for long-term storage.
• Don’t keep everything in one protocol, even when the reputation is solid.