Scams and Token Safety

Crypto Rug Pull Checker Guide: What Scanners Can and Cannot Prove

2026-07-10 · BlockMind Research Team

Key takeaway: A crypto rug pull checker can flag known contract patterns, failed sell simulations, dangerous permissions, holder concentration, or removable liquidity. It cannot prove a token is safe, identify every coordinated wallet, predict future admin actions, or verify a team's off-chain claims. Use several tools, verify the exact contract address, and keep an evidence ledger.


If a scanner shows “low risk,” the correct interpretation is: the checks it ran did not detect the risks they cover at that moment. That is very different from “this token cannot rug.”

Rug pulls can happen through several mechanisms: removing liquidity, making sales impossible, changing taxes, minting supply, dumping concentrated holdings, compromising an admin key, or simply abandoning a project after raising attention. No single API observes every mechanism.

Chainalysis makes the same methodological distinction in its 2025 market-manipulation research: on-chain behavior can identify suspicious patterns, but behavior alone does not prove intent. Its criteria are useful starting points for investigation, not verdicts about every token.

What a rug pull checker actually checks

Different tools cover different slices of risk:

Tool typeUseful forCannot establish by itself
Swap simulatorWhether a modeled buy and sell succeeds; estimated tax and gasThat future sells will work or every route behaves the same
Contract-pattern scannerKnown malicious bytecode/source patterns and risky functionsThat novel or obfuscated logic is harmless
Token-security APIPermissions, taxes, blacklist/whitelist logic, mintability, proxy and holder signalsTeam identity, honest governance, or off-chain promises
Block explorerVerified source, contract creator, holders, transactions, admin callsBeneficial ownership behind every address
Liquidity-lock recordAmount, owner, pool, unlock time, and locker contractToken contract safety, team-token vesting, or permanent liquidity
Audit reportFindings in a defined code version and scopeSafety of excluded code, later upgrades, operations, or governance

Honeypot.is documents a simulation response that may include buy tax, sell tax, transfer tax, gas, maximum buy/sell amounts, and a honeypot result. Its documentation also says fields may be absent if a simulation fails or a result cannot be determined. “Unknown” is not “safe.”

GoPlus returns token-security fields including a honeypot indicator, but its response documentation explicitly allows no value when the result is unknown. Token Sniffer analyzes source code and bytecode against known scam patterns and can add holder and liquidity metrics. Each is useful; each has a bounded detection surface.

Before any check: verify the contract address

Token names and tickers are not identifiers. Anyone can deploy a token with a familiar name or symbol. Start from the project's official documentation, then cross-check the address against at least one independent authoritative listing or protocol interface.

Confirm:

  • chain and network;
  • full contract or mint address, not a shortened visual match;
  • official website and documentation domain;
  • trading pair address;
  • whether the contract is a proxy and, if so, its implementation;
  • whether the source code is verified.

Etherscan explains that source verification matches submitted source code to deployed bytecode and publishes the source for inspection. Verification improves transparency. It is not an audit and does not certify that the logic is safe.

If the address cannot be established confidently, stop. A sophisticated scan of the wrong token produces confidently irrelevant output.

The CLEAR workflow

Use five layers instead of one score: Contract, Liquidity, Equity, Accountability, Reality.

C — Contract behavior and control

Run at least one swap simulation and one contract/security scan. Then inspect the explorer.

Look for:

  • successful buy and sell simulation;
  • taxes and whether an admin can change them;
  • maximum transaction or wallet limits;
  • blacklist, whitelist, pause, cooldown, and transfer-gating logic;
  • mint, burn-from, confiscation, or balance-modification authority;
  • proxy upgradeability and the address controlling upgrades;
  • verified source and correspondence to the current implementation;
  • privileged roles, not just a single owner field.

Do not treat “ownership renounced” as a universal guarantee. OpenZeppelin's access-control documentation shows that contracts can use multiple roles, another contract as owner, or delayed administration. Renouncing one owner does not prove every privileged role disappeared.

Stop rule: A failed or indeterminate sell simulation, unexplained blacklist logic, arbitrary minting, or an upgrade controller the team will not explain is enough to pause the investigation.

L — Liquidity control and exit conditions

Find the real trading pool and identify who owns the position representing liquidity. On Uniswap, v2 positions use fungible UNI-V2 tokens while v3 and v4 positions use NFTs. The wallet holding that token or NFT controls the position unless it is locked or transferred.

Record:

  • pool address and DEX version;
  • current liquidity and depth around realistic trade sizes;
  • each liquidity owner's share;
  • locker contract address, not just a badge on the project's site;
  • percentage locked and exact unlock timestamp;
  • whether locks cover the active pool and price range;
  • other pools from which liquidity can migrate or be removed;
  • the exit impact of a realistic position.

Read Liquidity Locks Explained before treating a lock as dispositive. A partial, short, or wrong-pool lock can look reassuring while leaving the meaningful liquidity removable.

E — Equity and holder concentration

Review holders and label obvious system addresses: burn addresses, pool contracts, bridges, vesting contracts, treasuries, and centralized exchanges. Then examine the remaining wallets.

Questions:

  • What share do the deployer and linked wallets control?
  • Were top wallets funded by the same source?
  • Are tokens split across many fresh addresses?
  • Do insiders have documented vesting, and does it match on-chain reality?
  • Can a small number of holders overwhelm available liquidity?
  • Are reported “holders” largely dust or airdropped wallets?

Wallet count is easy to inflate. Chainalysis found that one controller can manage many addresses in suspicious wash-trading patterns. Address count is not the same as independent ownership.

A — Accountability and evidence

Move off-chain. Verify whether the team, audit, legal entity, roadmap, partnerships, and repositories exist independently of the project's own marketing.

  • Open the audit on the auditor's domain.
  • Match audited commit, chain, and contract address to production.
  • Check unresolved findings and excluded components.
  • Verify named partners on the partner's own site.
  • Inspect repository history for substantive work, not just a recent code dump.
  • Distinguish pseudonymity from fabricated identity.
  • Archive important claims with dates.

An audit is bounded evidence. It does not cover economic manipulation, compromised keys, undisclosed linked wallets, or code deployed after the report.

R — Reality: product, market, and contradictions

Finally, test whether the observable project matches the story.

  • Is there a working product or only a token and roadmap?
  • Do usage, fees, liquidity, and developer activity support claimed traction?
  • Is social attention driven by analysis or referral spam and price promises?
  • Does reported volume align with liquidity and independent venues?
  • What evidence would falsify the bull story?
  • What changed since the scanner's timestamp?

The CFTC advises people not to buy tokens based on a single social-media tip or sudden price spike and to separate hype from facts. That applies even when a clean scanner screenshot is part of the hype.

Build an evidence ledger, not a “safety score”

Use a table you can audit later:

ClaimEvidenceChecked atStatusWhat would change it?
Token can currently be soldTwo independent simulations on specified poolDate/time + blockPass / fail / unknownAdmin change, proxy upgrade, liquidity move
Main liquidity is lockedLocker contract and pool-position ownerDate/time + blockVerified / partial / unknownUnlock, transfer, new active pool
Supply cannot expandVerified implementation and all minter rolesDate/time + blockVerified / false / unknownRole grant or upgrade
Team allocation vestsVesting contract balances and scheduleDate/time + blockVerified / partial / unknownEarly release, migration, side wallets
Audit covers deployed codeAuditor report, commit, and addressReport dateMatch / mismatchUpgrade or redeployment

This format prevents a common mistake: converting several partial checks into one permanent label.

A hypothetical worked example

Suppose Token Z has these results:

  • Honeypot simulation succeeds with ordinary-looking tax today.
  • Source is verified.
  • The owner field is zeroed, but a separate role can pause transfers.
  • 60% of the main v2 LP tokens are locked for 45 days.
  • Two unlabeled wallets funded by the deployer hold 24% of supply.
  • The audit covers an older implementation address.

A one-number scanner might still look favorable because the token is sellable and source is verified. CLEAR produces a different conclusion:

  • Contract: unresolved pause authority.
  • Liquidity: partial, short-duration lock.
  • Equity: linked concentration.
  • Accountability: audit mismatch.
  • Reality: insufficient evidence until those contradictions are explained.

The correct output is not “scam proven.” It is do not rely on the clean simulation; material risk remains unresolved.

What no rug pull checker can prove

  • A team will not exploit a legitimate admin function later.
  • Several wallets are economically independent.
  • A private key or multisig signer will not be compromised.
  • Locked liquidity will remain sufficient as price and volume change.
  • The team will keep building.
  • A partnership or roadmap claim is true.
  • A market maker is not manipulating volume.
  • A contract without known malicious patterns contains no novel trap.
  • A currently sellable token will remain sellable after an upgrade.

Automated tools are strongest at repeatable technical checks. Human investigation remains necessary for identities, incentives, scope, contradictions, and changing control.

How BlockMind fits—and where it does not

A BlockMind Pro agent can help organize a due-diligence investigation, inspect public sources, analyze holder and market context, retain an evidence trail in the Notebook, and monitor a tracked asset for material changes. A free DeepDive report can provide a structured first pass.

Neither is a safety certificate. Your agent can be wrong or outdated, does not replace a smart-contract audit, and cannot prove that an unidentified wallet belongs to a particular person. BlockMind never trades, moves funds, or tells you what to buy or sell.

For the wider workflow, pair this guide with the manual DYOR checklist, honeypot token guide, and memecoin due-diligence checklist.

The Bottom Line

Use a crypto rug pull checker to find questions faster, not to end the investigation. Verify the address, run independent checks, inspect control and liquidity on-chain, map holder concentration, and test off-chain claims.

The most honest result is often “unknown” or “material issues unresolved.” That may feel less satisfying than a green badge, but it reflects what the evidence can actually support.

This article is for research and education, not financial advice. No checker or AI system can determine whether you should buy or sell a token.

Sources

  1. Chainalysis: Crypto market manipulation, wash trading, and pump-and-dump methodology
  2. Honeypot.is: Honeypot check API reference
  3. GoPlus: Token-security response fields
  4. Token Sniffer: Detection and API methodology
  5. Etherscan: What verified contract source means
  6. OpenZeppelin: Contract access control
  7. Uniswap: Ownership of v2, v3, and v4 liquidity positions
  8. CFTC: Beware virtual-currency pump-and-dump schemes