You saw a token. The chart looks good. The community is buzzing. You’re about to click “Buy.”

Stop. Spend five minutes running through this checklist first. The difference between a legitimate token and a honeypot that takes your money and never lets you sell is usually visible on-chain — if you know where to look.

BLUF: Six things to check before buying any token — (1) contract source is verified, (2) liquidity is locked, (3) holders are distributed, (4) no hidden mint function, (5) buy/sell tax is reasonable, (6) both buys and sells appear in the transaction history. If any check fails, walk away.

Step 1: Is the Contract Source Verified?

Unverified contracts are the number one red flag. When source code is not verified on a block explorer like Etherscan, you have no way to know what the contract actually does. It could contain a hidden mint function, a self-destruct, or a transfer restriction that prevents you from ever selling.

How to Check

  1. Find the token contract address from the project’s official site or a trusted DEX. Do not trust addresses pasted in Telegram or Discord.
  2. Paste the address into Etherscan (or the relevant chain’s explorer).
  3. Look for a green checkmark next to “Contract.” If it says “Contract (unverified),” that’s a hard no.

What to Look For in Verified Source

SignalSafeDangerous
StandardFollows ERC-20 cleanlyCustom transfer logic with extra conditions
Owner privilegesNone, or renouncedOwner can mint, pause, or freeze transfers
Upgrade patternNo proxy, or transparent documented proxyHidden proxy that can silently change all logic
Functionstransfer, approve, transferFromtransfer with extra require statements that could block sells

A verified contract with a standard ERC-20 implementation and renounced ownership is a good start. A verified contract with 2,000 lines of complex Solidity and active owner privileges deserves a deeper read — or a pass.

Step 2: Is the Liquidity Locked?

Liquidity pools make trading possible on decentralized exchanges. If the team can pull the liquidity out at any moment, they can execute a rug pull — leaving holders with tokens they cannot sell to anyone.

How to Check

  1. Go to the token’s liquidity pool on Uniswap, PancakeSwap, or whatever DEX it trades on.
  2. Check who holds the LP tokens. If the deployer or a small number of addresses hold most of the LP tokens with no lock, they can drain the pool anytime.
  3. Look for time-locked liquidity on platforms like Team Finance, PinkSale, or UncxNetwork. A legitimate lock shows a release date months or years in the future.

Red Flags

  • Liquidity “locked” for only 7-30 days (just long enough to build trust before exit)
  • LP tokens held by the deployer’s EOA with no lock contract
  • Liquidity added and removed multiple times in the token’s history

Step 3: Is the Holder Distribution Healthy?

If the top 5 holders (excluding the liquidity pool and exchange wallets) own more than 50% of the supply, a single wallet can crash the price to zero by selling. This concentration is also a prerequisite for rug pulls — the team holds most of the supply and dumps on retail buyers.

How to Check

  1. On the block explorer, click “Holders.”
  2. Count the top 10 holders. Subtract obvious contract addresses (liquidity pools, staking contracts, exchange wallets).
  3. Calculate what percentage of circulating supply the remaining top 5 wallets control.
DistributionRisk Level
Top 5 < 15% of supplyReasonable
Top 5 = 15-30%Caution — check if these are team wallets with vesting
Top 5 > 30%High risk — a single coordinated dump will tank the price
Deployer holds > 20%Critical risk — this is a pre-rug setup

Also look for “sleeper wallets” — addresses that received large allocations at launch and have not moved tokens yet. These are dump reserves.

Step 4: Is There a Hidden Mint Function?

A mint function lets someone create new tokens out of thin air. Hidden mint functions are how teams inflate supply and dump on buyers after the price has been pumped. Even if the contract is verified, a mint function buried in modifier logic or an external call can be easy to miss.

How to Check

  1. Search the verified source code for mint, _mint, Mintable, or increaseAllowance patterns.
  2. Check if the contract imports OpenZeppelin’s ERC20Mintable or similar upgradeable extensions.
  3. Look for onlyOwner or onlyRole modifiers on sensitive functions — who has the key?
  4. Use an automated scanner. Our token risk API runs these checks automatically, along with 20+ other safety signals sourced from GoPlus Security.

A token that can be minted by anyone, or by an owner who hasn’t renounced control, is not safe to hold.

Step 5: What’s the Buy/Sell Tax?

Many tokens implement transaction taxes — a percentage deducted on each buy, sell, or transfer. Some taxes fund legitimate project development. Others are structured to trap buyers: 2% buy tax, 50% sell tax. You can buy in, but selling costs half your tokens.

How to Check

  1. Read the contract’s transfer function for tax logic (look for fee, tax, devFee, liquidityFee).
  2. Check if tax rates are hardcoded or adjustable by the owner. Adjustable tax = the team can set sell tax to 99% at any time.
  3. Use GoPlus Security or our token security API to get an automated tax report.
Tax SetupVerdict
0% or low fixed tax (1-5%)Normal
Tax adjustable by ownerRisky — can be raised to trap holders
Buy tax low, sell tax high (>15%)Designed to trap buyers
Dynamic tax based on wallet size or timingExtremely risky — anti-whale logic can be weaponized

Step 6: Can People Actually Sell?

This is the check that catches honeypots. A honeypot token lets you buy but blocks sells — either through a hardcoded blocklist, a transfer override that always fails for non-owner addresses, or a tax that makes selling economically pointless.

How to Check

  1. Open the token’s transaction history on the block explorer.
  2. Filter for “Transfer” events. Look for both inbound and outbound transfers from regular wallets (not just the deployer and DEX).
  3. If you only see buys (transfers from DEX to wallets) and zero sells (transfers from wallets to DEX), the sell function may be blocked.
  4. Try a test transaction with a very small amount. If the sell reverts, it’s a honeypot.

Honeypot Patterns in Code

// Normal ERC-20 transfer — no restrictions
function _transfer(address from, address to, uint256 amount) internal {
    balances[from] -= amount;
    balances[to] += amount;
}

// Honeypot pattern — sells blocked for non-owners
function _transfer(address from, address to, uint256 amount) internal {
    if (to == DEX_ADDRESS && !isOwner(from)) {
        revert("Sells disabled");
    }
    balances[from] -= amount;
    balances[to] += amount;
}

The first function is standard. The second will let you buy but never sell. Any custom logic inside _transfer that checks from, to, or amount against conditions beyond basic balance checks is a warning sign.

Automating the Full Check

Running all six steps manually for every token is tedious. The faster approach: use an API that checks everything in one call.

Our token risk endpoint aggregates GoPlus Security data, on-chain holder analysis, and contract verification into a single response — covering honeypot detection, tax analysis, holder concentration, liquidity lock status, and 20+ additional signals. You get a pass/fail for each category and an overall risk score, typically in under a second.

For checking a wallet address before interacting (is this address associated with known scams, sanctions, or phishing contracts), use the address risk endpoint.

The 30-Second Version

In a hurry? Answer these three questions:

  1. Is the contract verified? No → don’t buy.
  2. Can people actually sell? Check transaction history for sell transactions. No sells visible → probably a honeypot.
  3. Who holds the supply? Top 5 wallets hold >30% → the dump is coming.

If all three pass, the token clears the basic bar. That doesn’t make it a good investment — but at least it’s not an outright scam.