Rules & Methodology — Rugpull Monitor v2

LP Drain Rules

Rule	Window	Threshold	Severity

LP drain percentage is calculated as:

LP_change = (current_LP - previous_LP) / previous_LP × 100

The monitor finds the snapshot closest to now - windowSeconds and compares against current liquidity. All thresholds are checked independently; a single rugpull event can trigger multiple severity levels.

Price Crash Rules

Rule	Window	Threshold	Severity

Thresholds are intentionally high to avoid false alerts from normal volatility in alpha tokens. The longer windows naturally filter out flash crashes that self-correct.

Pump & Dump Rule

The pump & dump rule fires when both conditions are true simultaneously:

This pattern is the hallmark of a classic P&D: the token price is pumped (attracting buyers) while liquidity is simultaneously drained (the exit). Requiring both conditions together avoids false positives from legitimate rallies or routine LP adjustments.

Zero Liquidity Rule

Fires immediately when liquidity drops to near-zero from a meaningful baseline:

The minimum previous threshold prevents spam on tokens that were never meaningfully liquid. Once a token hits zero liquidity it is effectively non-tradeable.

LP Concentration Thresholds

Rule	Threshold	Severity	Chains	Explanation

LP concentration checks are performed on-chain against PumpSwap and Raydium AMM pools. These checks run on a distributed 8-hour cycle (one token at a time) to avoid rate limiting.

Why does this matter? Normal DEX liquidity is broadly distributed. When 1–3 addresses hold the vast majority of LP tokens, they can remove all liquidity in a single transaction, crashing the token to zero.

How Snapshot Collection Works

The monitor polls multiple data providers on each cycle. CoinGecko and Solscan poll every 60 seconds; Birdeye polls every 5 minutes. Each poll captures current price and total liquidity and stores the result in an in-memory ring buffer keyed by token address and provider.

Ring Buffer (per-provider)

Each provider maintains its own snapshot history per token (~20 snapshots, ~20 min for 60s providers, ~100 min for Birdeye). Old snapshots are evicted automatically. The buffer is lost on process restart and rebuilds within the first few poll cycles.

Token: $EXAMPLE ├── coingecko (60s interval) │ ├── ts: now → LP: $167,631 Price: $0.001512 │ ├── ts: now - 1m → LP: $220,500 Price: $0.001601 │ ├── ts: now - 5m → LP: $235,100 Price: $0.001650 │ └── ts: now - 10m → LP: $240,000 Price: $0.001680 ├── birdeye (5m interval) │ ├── ts: now → LP: $172,000 Price: $0.001510 │ └── ts: now - 5m → LP: $238,000 Price: $0.001648 └── solscan (60s interval) ├── ts: now → LP: $165,800 Price: $0.001515 └── ts: now - 5m → LP: $233,500 Price: $0.001649

Rule Evaluation

Rules are evaluated per provider independently. Each provider's ring buffer is checked against the rule thresholds. Raw alerts from all providers are then deduped by (token, rule) — if multiple providers trigger the same rule, they produce one consolidated alert with source agreement info.

// For each active provider:
prev = ringBuffer.find(provider, ts >= now - 300)  // that provider's snapshot ~5m ago
change = (current.lp - prev.lp) / prev.lp * 100
if (change <= -30) rawAlerts.push({ provider, ... })

// After all providers evaluated:
dedup(rawAlerts)  // group by (token, rule) → consolidated alerts

Alert Cooldown

Each (token, rule, severity) combination has an independent 5-minute cooldown to prevent alert spam during sustained events. A token can still trigger alerts for different rules or severities within the same window.

Example: If $TOKEN fires LP Drain (1m) Risk at 10:00, the next LP Drain (1m) Risk alert for that token is suppressed until 10:05. However, LP Drain (5m) High can still fire during this period if its own cooldown has expired.

Cooldowns are in-memory and reset on process restart. This is intentional — after a restart, all suppression is lifted so legitimate events are not missed during recovery.

Data Sources & Multi-Source Evaluation

Providers

v2 fetches price and liquidity data from multiple independent providers and evaluates rules against each provider's data separately. This cross-verification reduces false positives from stale or inaccurate data in any single source.

Provider	Solana	Mantle	Data	Poll Interval
CoinGecko	Yes	Yes	Price + per-pool liquidity (summed from pools, not pre-calculated)	60s
Birdeye	Yes	Yes	Price + bilateral liquidity (via `multi_price` with `include_liquidity`)	5 min
Solscan	Yes	No	Price + liquidity (per-token fetch)	60s

Source Agreement & Dedup

After each poll cycle, raw alerts from all providers are grouped by (token, rule). If multiple providers trigger the same rule for the same token, they are consolidated into a single alert showing how many sources agree.

// Example: LP Drain 5m triggered by 2 of 3 providers
✅ All sources agree (3/3):      ← high confidence
⚠️ Partial agreement (1/3):    ← MANUAL CHECK REQUIRED

Partial agreement alerts are flagged with MANUAL CHECK REQUIRED since a single-source trigger may indicate data lag rather than a real event. Each source's numbers are shown in the alert for manual comparison.

Birdeye Rate Limiting

Birdeye polls at a slower interval (5 min vs 60s) to conserve API credits (CU). The system checks remaining CU via Birdeye's /utils/v1/credits endpoint every 10 minutes. If remaining credits drop below 5%, Birdeye is halted permanently and a debug alert is sent. Resume manually via POST /api/providers/birdeye/resume.

Impact on short-window rules: Since Birdeye only polls every 5 minutes, the 1-minute and 2-minute rules (LP Drain 1m, Price Crash 2m) will never fire from Birdeye data — there's no snapshot close enough in its ring buffer. These short-window rules rely on CoinGecko (60s polling). Birdeye contributes to 5m+ rules as a cross-verification source.

LP Concentration (Solana only)

LP token holder distribution is fetched directly from Solana RPC by querying the token accounts of the LP mint for each pool. PumpSwap AMM and Raydium AMM v4 pools are supported. Checks run on a distributed 8-hour cycle (one token at a time). Mantle LP concentration is not yet implemented.

Supported Chains

Chain

Solana (SOL)

Chain

Mantle (MNT)