TL;DR: I was tired of not knowing whether a token contract was about to drain my wallet. So I built Rugrat — a real-time EVM smart contract scanner that analyzes deployed bytecode for rug-pull patterns, runs on-chain state checks, and scores risk across 8 categories. It scans a contract in ~3 microseconds. No verified source code required. This is the story of why I built it and what I learned about adversarial smart contracts along the way.
The Problem No One Talks About Honestly
Here's the thing about crypto: everyone knows rug pulls happen. The stats are ugly — billions lost annually. But the tooling to detect them? It's either:
- Too slow — waiting 30 seconds for a scan while the liquidity drains
- Too dependent on verified source — most scam tokens never verify on Etherscan
-
Too shallow — checking if
owner()returns zero and calling it a day - Too opaque — "Risk Score: 78" with no explanation of why
I'd been burned a few times. Not life-changing money, but enough to make me angry. And the anger wasn't at the scammers — it was at myself for not understanding what I was looking at. I could read Solidity, kind of. But when someone deploys a contract with a hidden fee function that can be cranked to 100% after launch? That's not in the README.
So I decided: I'm going to understand this problem deeply enough to build something that catches it.
Starting From Ground Truth
Before writing a single line of code, I needed data. Not vibes, not Twitter threads — labeled, verified data.
I collected datasets of confirmed malicious contracts and known benign ones from multiple research sources, covering rug-pull types like unauthorized minting, balance leaking, transfer limits, and several categories of honeypot traps.
Then I built offline tooling to analyze these corpora — computing precision and recall for dozens of pattern detectors against the labels.
What I Found
Some patterns are almost perfectly discriminative. A tradingEnabled boolean in the transfer path that the owner controls? Never appeared in a single benign contract in our dataset. Same for mutable max transaction amounts and anti-whale logic that can be toggled by the deployer.
The first "aha" moment: rug pulls aren't subtle. They're structurally distinct. The patterns are there — you just need to look at the right level.
And that level isn't Solidity source code. It's the bytecode.
Why Bytecode? Why Not Source Code?
Only ~30% of contracts on Ethereum are verified on Etherscan. Scam tokens almost never verify. If your scanner requires source code, you've already lost the battle.
Bytecode analysis covers 100% of deployed contracts. Every public function, every storage operation, every control flow path is encoded in the bytecode whether the deployer wants you to see it or not. You can't add comments to make SELFDESTRUCT look friendly.
Rugrat works directly on raw deployed bytecode. No Etherscan API key. No source code. No waiting for verification that will never come.
What Rugrat Actually Does
When you paste a contract address into Rugrat, here's what happens:
Static Analysis (~3 microseconds)
The engine examines the raw bytecode for structural patterns associated with rug pulls:
- Function signatures — identifying risky admin functions (blacklisting, fee manipulation, minting, pause controls) even without source
- Opcode patterns — detecting proxy mechanisms, kill switches, and hidden state manipulation
- Compound rule evaluation — combining multiple signals across 8 risk categories, because individual features can be benign but certain combinations are not
Each contract gets a risk score with a full breakdown: which categories flagged, which specific patterns matched, and why they matter.
On-Chain State Checks
Static analysis tells you what a contract can do. On-chain checks tell you what it has done:
- Ownership — Has the owner renounced? Or is someone still holding the keys?
- Liquidity — Does a DEX pair exist? Is there real liquidity?
- LP Lock Status — Is the liquidity provider token locked? In which locker? For how long?
- Proxy Detection — Is this an upgradeable contract that can be swapped out?
- Honeypot Simulation — Can you actually sell this token, or will the transaction fail?
This is where it gets decisive. A contract with a blacklist function and a non-renounced owner and unlocked liquidity and a failing sell simulation? That's not ambiguous.
The Result
You get a full risk report: overall score, risk level (Clean → Critical), category-by-category breakdown, specific findings with severity ratings, and the complete on-chain state. Everything explained, nothing hidden behind a magic number.
Real-Time Surveillance: The Live Feed
The scan-on-demand feature is useful, but the live feed is what changes how you think.
Rugrat monitors new contract deployments across 5 EVM chains — Ethereum, BSC, Base, Polygon, and Arbitrum. Every new contract gets scanned automatically and streamed to the UI in real-time via Server-Sent Events, color-coded by risk level.
Open the page. Watch. See what's deploying right now.
Watching the feed for 10 minutes and seeing how many contracts deploy with blacklist functions and mutable fees… it's eye-opening. The volume of contracts with risky patterns is much higher than most people expect.
Five Chains, One Scanner
The same detection pipeline works identically across all supported networks:
| Chain | DEX Coverage |
|---|---|
| Ethereum | Uniswap V2 |
| BSC | PancakeSwap V2 |
| Base | Uniswap V2 |
| Polygon | QuickSwap |
| Arbitrum | Camelot |
Each chain has its own DEX routing, liquidity locker contracts, and native token configuration. The analysis is identical — same rules, same bytecode patterns, same risk categories. Select your chain and scan.
The Telegram Bot
The web UI is great for surveillance, but sometimes you just want to check a contract from your phone before aping in.
So I built a Telegram bot that runs the entire detection engine — same analysis, same on-chain checks, same risk scoring. No separate codebase, no watered-down version.
The flow:
- Send
/start— get a welcome message with all 5 supported chains - Paste any
0x...address — inline buttons ask which chain - Tap a chain — full scan report delivered right in the chat
Or use /scan eth 0x1234... for a one-shot command. Risk score, category breakdown, on-chain state, explorer link — all formatted and delivered in seconds.
It runs 24/7 as a lightweight background service. 12MB binary, ~10MB memory footprint.
Why Rust?
Speed was non-negotiable. If you're monitoring new contract deployments in real-time across 5 chains, each scan needs to take essentially no time. The actual bytecode analysis runs in ~3 microseconds — that's 300× under a 1ms budget.
The real bottleneck is network I/O to the RPCs (~200-500ms per eth_getCode call). The analysis itself is noise compared to fetching the data. That headroom means we can add more rules, more chains, and more checks without ever worrying about the scan engine.
What I Learned About Adversarial Smart Contracts
Building this changed how I think about the space:
1. Rug pulls are not sophisticated. Most use the same dozen patterns. The scammers aren't brilliant — they're using templates and tutorials. The problem isn't that scams are hard to detect. It's that nobody's looking at the bytecode.
2. Compound patterns beat individual signals. A mint function alone isn't malicious — ERC-20 tokens need it. But mint + blacklist + mutable fees + owner not renounced? That's a combination that appeared in malicious contracts 100% of the time in our dataset — and never in benign ones.
3. On-chain state is the tiebreaker. Static analysis tells you what a contract could do. Ownership status, liquidity locks, and honeypot simulation tell you whether it will.
4. The real arms race hasn't started. Current rug-pull techniques are detectable because nobody was systematically detecting them at the bytecode level. As scanners improve, attackers will evolve — metamorphic contracts, time-delayed activation, cross-contract splitting. But there's still enormous low-hanging fruit.
5. Speed is a feature, not a luxury. If your scanner takes 30 seconds and the rug pull executes in block N+1, your scan result arrives at block N+3. Too late. Microsecond analysis means you can scan before deciding to trade.
What's Next
- Behavioral analysis — Post-deployment transaction pattern monitoring
- Cross-contract analysis — Factory patterns, deployer reputation
- Uniswap V3 support — Concentrated liquidity honeypot simulation
- API for integrators — Let wallets and DEX frontends query risk scores before users swap
Try It
Live: https://rugrat.network
Paste any contract address. Pick a chain. See the full risk breakdown in microseconds.
Or watch the live feed and see what's deploying right now. You might be surprised.
Rugrat — fast little snitch for shady contracts.
Top comments (0)