SKI MASK DOG — A Masterclass in Rug Pull Mechanics
Axiom Security Base
BACKGROUND
SKI MASK DOG is a meme token deployed on the Base chain. Meme tokens are a staple of crypto culture — community-driven, often with no utility beyond speculation. Most are harmless. Some are engineered to extract value from buyers.
The contract implements a standard ERC20 token with added tax mechanics: buy and sell taxes, anti-bot measures, and administrative functions for the contract owner. These features are common in meme tokens and aren’t inherently malicious. What makes SKI MASK DOG different is the specific implementation of these features — or rather, the specific lack of constraints on them.
THE VULNERABILITIES
**CRITICAL Finding 1: Unrestricted ETH Drainage**
The `clearstuckEth()` function allows ANY address — not just the owner — to withdraw the entire ETH balance from the contract:
```solidity
function clearstuckEth() external {
// No access control check — anyone can call this
address(msg.sender).transfer(address(this).balance);
}
```
This is not a sophisticated exploit. There is no access control modifier, no `onlyOwner` check, no whitelist. The function sends the contract's entire ETH balance, which is where the swapped tax proceeds accumulate, to whoever calls it. Any MEV bot or random wallet can drain it the moment ETH lands in the contract.
**CRITICAL Finding 2: Unlimited Tax Manipulation**
The owner can set the sell tax to 100% instantly via `ForceTaxCooldown()`. Combined with the ability to blacklist addresses, this creates a classic rug pull mechanism:
1. Users buy the token (the buy tax may look reasonable)
2. The owner sets the sell tax to 100%
3. Holders can still submit a sell, but 100% of the proceeds go to the tax recipient, so they receive nothing
4. The accumulated ETH leaves via the unrestricted withdrawal function, taken by the owner or by whichever caller gets there first; either way holders never see it
TECHNICAL DEEP DIVE
This was one of the rare contracts where all three of our tools succeeded:
- **Slither**: 43 findings, including critical access control issues
- **Aderyn**: 2 HIGH severity (access control), 17 LOW
- **Mythril**: Completed full analysis with 0 additional findings (the issues are in the business logic, not in low-level execution paths)
Beyond the two CRITICAL findings, the scanner also identified:
- AXM-003 (HIGH): Reentrancy in `openTrading()` — external calls to Uniswap before state updates for `swapEnabled` and `tradingOpen`
- AXM-004 (HIGH): Reentrancy in `_transfer()` — `swapTokensForEth()` makes external calls before updating state
- AXM-005 (MEDIUM): Inconsistent access control after ownership renouncement — some functions check `_owner` directly instead of using the `onlyOwner` modifier
- AXM-006 (MEDIUM): Use of `tx.origin` for transfer delay, which can be bypassed via intermediary contracts
100% source coverage. Every line of code was analyzed. Safety Score: 5/100.
LESSONS LEARNED
Before buying any token, check these patterns:
1. **Unrestricted ETH withdrawal functions** — Any function that sends ETH should have explicit access control. If `clearstuckEth()` or similar has no `onlyOwner` modifier, walk away.
2. **Adjustable tax above 25%** — If the owner can set the tax to 100%, they can trap every holder. Look for a hardcoded maximum in the tax setter itself (a `require` against a constant cap), not just a reasonable current value.
3. **Blacklist capability** — Can the owner prevent specific addresses from selling? Combined with high taxes, this is a rug pull enabler.
4. **No timelocks on admin functions** — Every parameter change should have a delay so users can exit before new settings take effect.
This isn't sophisticated. It's a checklist. Four red flags, any one of which should stop you from buying. All four together, with a Safety Score of 5/100, are as clear a warning as automated tools can give.
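As a worked form of that checklist, here is an added example (written for this edit, not code from the article or from Axiom Security's scanner): a Python triage script that runs the four checks as regular expressions over raw Solidity text. The two contracts embedded in it are constructed for the example and only mirror the patterns described above; the `clearstuckEth()` name is reused from the article, while `setSellTax`, `isBlacklisted`, `TIMELOCK_DELAY` and the rest are assumptions.

```python
# Added example, not code from the article or from Axiom Security: a regex
# triage pass over raw Solidity text for the four checklist red flags. Both
# contracts below are constructed for this example and only mirror the
# patterns the article describes; neither is SKI MASK DOG's source.
import re

VULNERABLE_SOURCE = """  // constructed: fails all four checks
contract TaxTokenLike is ERC20, Ownable {
    uint256 public sellTax = 5;
    mapping(address => bool) public isBlacklisted;
    function clearstuckEth() external {
        payable(msg.sender).transfer(address(this).balance);
    }
    function setSellTax(uint256 _sell) external onlyOwner {
        sellTax = _sell;
    }
    function blacklist(address account, bool value) external onlyOwner {
        isBlacklisted[account] = value;
    }
}
"""

HARDENED_SOURCE = """  // constructed: owner gate, hard cap, delayed change
contract ConstrainedTaxToken is ERC20, Ownable {
    uint256 public constant MAX_TAX = 10;
    uint256 public constant TIMELOCK_DELAY = 2 days;
    uint256 public sellTax = 5;
    uint256 public pendingSellTax;
    uint256 public pendingSince;
    function rescueEth() external onlyOwner {
        payable(owner()).transfer(address(this).balance);
    }
    function proposeSellTax(uint256 _sell) external onlyOwner {
        require(_sell <= MAX_TAX, "tax above cap");
        pendingSellTax = _sell;
        pendingSince = block.timestamp;
    }
    function applySellTax() external onlyOwner {
        require(block.timestamp >= pendingSince + TIMELOCK_DELAY, "timelocked");
        sellTax = pendingSellTax;
    }
}
"""

FUNC_HEADER = re.compile(r"function\s+(\w+)\s*\(([^)]*)\)\s*([^{;]*)\{")
# Owner gate: an onlyOwner modifier or an explicit msg.sender == owner require.
RESTRICTED = re.compile(
    r"onlyOwner|require\s*\(\s*(?:msg\.sender\s*==\s*_?owner(?:\(\))?|_?owner(?:\(\))?\s*==\s*msg\.sender)")
# Native ETH send on an address value; an ERC20 token.transfer(...) does not match.
ETH_SEND = re.compile(r"(?:payable|address)\s*\([^;]*?\)\s*\.(?:transfer|send)\s*\(|\.call\s*\{\s*value")
TAX_WRITE = re.compile(r"\b(\w*[tT]ax\w*)\s*=(?!=)\s*(\w+)")
CAP_CHECK = re.compile(r"require\s*\([^;]*<")
BLACKLIST_WRITE = re.compile(r"\b(\w*(?:[bB]lacklist|[bB]ot|[bB]locked)\w*)\s*\[[^\]]*\]\s*=(?!=)")
TIMELOCK = re.compile(r"timelock", re.I)


def extract_functions(source):
    """Yield one dict per function body, found by brace matching from the header."""
    for m in FUNC_HEADER.finditer(source):
        depth, i = 1, m.end()
        while i < len(source) and depth:
            depth += {"{": 1, "}": -1}.get(source[i], 0)
            i += 1
        yield {
            "name": m.group(1),
            "params": re.findall(r"(\w+)\s*(?:,|$)", m.group(2)),  # parameter names only
            "header": m.group(3),
            "body": source[m.end():i - 1],
        }


def scan(source):
    """Return (flag, function_name) pairs for one Solidity source string."""
    out = []
    for fn in extract_functions(source):
        reachable = re.search(r"\b(?:external|public)\b", fn["header"])
        gated = RESTRICTED.search(fn["header"]) or RESTRICTED.search(fn["body"])
        if reachable and not gated and ETH_SEND.search(fn["body"]):
            out.append(("unrestricted_eth_withdrawal", fn["name"]))
        # A tax written straight from a parameter with no require(... < cap) in the body.
        if any(rhs in fn["params"] for _, rhs in TAX_WRITE.findall(fn["body"])) \
                and not CAP_CHECK.search(fn["body"]):
            out.append(("uncapped_tax_setter", fn["name"]))
        if BLACKLIST_WRITE.search(fn["body"]):
            out.append(("blacklist_capability", fn["name"]))
    if not TIMELOCK.search(source):  # naive identifier check, not a semantic one
        out.append(("no_timelock", None))
    return out


def flags(source):
    """Sorted red-flag names, for a one-line verdict."""
    return sorted({flag for flag, _ in scan(source)})


if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE_SOURCE), ("hardened", HARDENED_SOURCE)):
        print(name, flags(src) or "clean")
```

Run it directly for the two verdicts, or import `scan` and feed it a verified source file. The regexes deliberately ignore `selfdestruct`, inline assembly, and gates expressed through custom modifiers other than `onlyOwner`, and the timelock check only looks for an identifier, so a clean result is a reason to read the source and run Slither, Aderyn or Mythril, not a pass; a hit is a reason to walk away.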
Free scans at axiom-security.vercel.app.