DEV Community

How to spot a honeypot token before you buy (and automate the whole checklist)

Every week someone in a chat I'm in buys a token they can't sell. The pattern is always the same: chart looks organic, Telegram group is buzzing, contract is "renounced" according to a screenshot someone posted. Then they try to sell and the transaction reverts. That's a honeypot, and it is one of the few scams you can reliably detect before putting money in — the evidence is on-chain and public.

Here is the checklist I actually use, and how to automate it.

1. Can you sell? Simulate, don't trust

A honeypot lets you buy but blocks the sell path — usually a hidden condition in transfer() that only the deployer's wallets pass. You cannot see this from the chart, and you can't always see it from the verified source either (obfuscation is an art form).

The reliable way is a buy/sell simulation: fork the chain state, buy the token, immediately try to sell it, and see what happens. honeypot.is does exactly this for Ethereum, BSC and Base — free, no key. If the simulated sell fails or eats 90% in "tax", you have your answer.

2. Read the static flags

GoPlus token security API aggregates most of what you'd check by hand on a block explorer:

  • Owner powers: can the owner edit balances? Pause transfers? Blacklist you after buying? Take back "renounced" ownership?
  • Mint: can supply be inflated into your position?
  • Taxes: a 5% tax is a business model, a 45% sell tax is an exit scam with extra steps.
  • Proxy contracts: upgradeable logic means today's honest contract can be tomorrow's honeypot.
  • Deployer history: wallets that shipped honeypots before tend to do it again.

None of these flags alone is a verdict — USDC is a proxy contract, most stablecoins have an admin — but stacked together they tell a story.

3. Check who holds the bag

If the top 10 wallets hold 80%+ of supply (excluding locked liquidity and burn addresses), the price is whatever they decide it is. Holder concentration plus fresh liquidity plus a deployer wallet funded an hour ago through a mixer is a rug with the fuse lit.

4. TON is not exempt

The same failure modes exist for TON jettons; they just look different: mint authority not revoked, admin address still set, transfer-tax jettons, STON.fi blacklists. Fewer tools cover TON, which is exactly why scammers like it right now.
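Here is what steps 1 to 4 look like once you turn them into code, as an added example (my own illustration, not code from the RugLens project or the GoPlus/honeypot.is APIs). It scores a report dict the way the checklist does: a reverted simulated sell is an instant zero, owner powers are weighted because none alone is a verdict, and holder concentration ignores burn addresses and locked liquidity. The field names are assumptions modelled loosely on the shape of the GoPlus token_security response ("0"/"1" string flags, taxes as decimal fractions, holders with a percent of supply); the `simulation` sub-dict and the `chain`/`admin_address` fields for jettons are hypothetical, and every sample report below is constructed rather than a real contract.

```python
"""Score a token report the way the checklist above does (steps 1 to 4).

Added example, not code from the RugLens project. The report is a plain dict;
the field names are assumptions modelled loosely on the GoPlus token_security
response ("0"/"1" string flags, taxes as decimal fractions, holders with a
percent of supply) plus a hypothetical `simulation` sub-dict for the buy/sell
simulation result and hypothetical `chain`/`admin_address` fields for jettons.
All sample data below is constructed.
"""
from dataclasses import dataclass, field

# Constructed list of burn sinks that never count toward holder concentration.
BURN_ADDRESSES = {
    "0x0000000000000000000000000000000000000000",
    "0x000000000000000000000000000000000000dead",
}


@dataclass
class Verdict:
    score: int                      # 100 = no known trap detected, 0 = stay away
    flags: list = field(default_factory=list)


def _flag(report, key):
    """GoPlus-style flags arrive as the strings "0"/"1"."""
    return str(report.get(key, "0")) == "1"


def _pct(value):
    """Decimal fraction (e.g. "0.45") -> percent, rounded to kill float noise."""
    return round(float(value or 0) * 100, 4)


def holder_concentration(holders, top_n=10):
    """Share of total supply held by the top N wallets, skipping burn addresses
    and locked liquidity so they cannot mask a concentrated float."""
    live = [h for h in holders
            if h["address"].lower() not in BURN_ADDRESSES and not h.get("is_locked")]
    live.sort(key=lambda h: float(h["percent"]), reverse=True)
    return round(sum(_pct(h["percent"]) for h in live[:top_n]), 4)


def score_token(report):
    v = Verdict(score=100)

    def hit(points, msg):
        v.score -= points
        v.flags.append(msg)

    # Step 1: the sell path. A reverted simulated sell is the whole verdict.
    sim = report.get("simulation", {})
    if sim.get("sell_reverted"):
        hit(100, "HONEYPOT: simulated sell reverted")
    sell_tax = _pct(sim.get("sell_tax", report.get("sell_tax", 0)))
    if sell_tax >= 30:
        hit(50, f"sell tax {sell_tax:.0f}%: an exit scam with extra steps")
    elif sell_tax > 10:
        hit(15, f"sell tax {sell_tax:.0f}%: above a normal business-model tax")

    # Step 2: static owner powers. Weighted, because none alone is a verdict.
    for key, points, msg in (
        ("owner_change_balance", 50, "owner can edit wallet balances"),
        ("can_take_back_ownership", 30, "'renounced' ownership can be taken back"),
        ("transfer_pausable", 20, "owner can pause transfers"),
        ("is_blacklisted", 20, "owner can blacklist wallets after they buy"),
        ("is_mintable", 15, "supply can be inflated into your position"),
        ("is_proxy", 15, "upgradeable proxy: today's logic can change tomorrow"),
    ):
        if _flag(report, key):
            hit(points, msg)
    if not _flag(report, "is_open_source"):
        hit(20, "source not verified: sell path cannot be read")

    # Step 4: jetton-specific powers (hypothetical field names).
    if report.get("chain") == "ton" and report.get("admin_address"):
        hit(30, "jetton admin address still set (mint/metadata not revoked)")

    # Step 3: who holds the bag.
    top10 = holder_concentration(report.get("holders", []))
    if top10 >= 80:
        hit(25, f"top 10 wallets hold {top10:.0f}% of supply")

    v.score = max(v.score, 0)
    return v


# Constructed report: 45% sell tax, pausable, mintable; not a real contract.
TAXED_REPORT = {
    "is_open_source": "1", "is_proxy": "0", "is_mintable": "1",
    "owner_change_balance": "0", "transfer_pausable": "1",
    "is_blacklisted": "0", "can_take_back_ownership": "0",
    "buy_tax": "0.05", "sell_tax": "0.45",
    "simulation": {"sell_reverted": False, "sell_tax": "0.45"},
    "holders": [
        {"address": "0x000000000000000000000000000000000000dEaD", "percent": "0.40"},
        {"address": "0x1111111111111111111111111111111111111111", "percent": "0.30", "is_locked": 1},
        {"address": "0x2222222222222222222222222222222222222222", "percent": "0.15"},
        {"address": "0x3333333333333333333333333333333333333333", "percent": "0.10"},
        {"address": "0x4444444444444444444444444444444444444444", "percent": "0.05"},
    ],
}

# Constructed report shaped like a well-run stablecoin: only the proxy flag fires.
PROXY_ONLY_REPORT = {"is_open_source": "1", "is_proxy": "1", "sell_tax": "0", "holders": []}

if __name__ == "__main__":
    for name, rep in (("taxed", TAXED_REPORT), ("proxy-only", PROXY_ONLY_REPORT)):
        verdict = score_token(rep)
        print(f"{name}: {verdict.score}/100", *verdict.flags, sep="\n  ")
```

The point weights are mine and arbitrary; what matters is the shape: the simulation result short-circuits everything else, the static flags stack rather than veto, and the proxy-only report still scores high because a proxy on its own is how USDC is built too.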

Automating all of the above

Doing this checklist by hand takes ten minutes per token across four websites. I got tired of it, so all of it is wrapped into a Telegram bot: @RugLens_bot — paste a contract address (EVM or TON), get the full report in a few seconds: honeypot simulation, taxes, owner powers, holder concentration, liquidity, scored 0–100 with plain-language flags. It detects the chain automatically via DEX listings, works inline in any chat (@RugLens_bot <address>), and does 5 checks a day free, which is enough for normal degeneracy levels.

Source and self-hosting instructions: github.com/mrvlyouknowwho/ruglens (MIT).

The one rule that beats every tool

A clean report means "no known trap detected", not "this is a good investment". Tools catch mechanical scams — they don't catch a dev who simply dumps on you with a perfectly honest contract. Size positions like the token can go to zero, because it can.
