Scams and Token Safety
Crypto Rug Pull Checker Guide: What Scanners Can and Cannot Prove
2026-07-10 · BlockMind Research Team
Key takeaway: A crypto rug pull checker can flag known contract patterns, failed sell simulations, dangerous permissions, holder concentration, or removable liquidity. It cannot prove a token is safe, identify every coordinated wallet, predict future admin actions, or verify a team's off-chain claims. Use several tools, verify the exact contract address, and keep an evidence ledger.
If a scanner shows “low risk,” the correct interpretation is: the checks it ran did not detect the risks they cover at that moment. That is very different from “this token cannot rug.”
Rug pulls can happen through several mechanisms: removing liquidity, making sales impossible, changing taxes, minting supply, dumping concentrated holdings, compromising an admin key, or simply abandoning a project after raising attention. No single API observes every mechanism.
Chainalysis makes the same methodological distinction in its 2025 market-manipulation research: on-chain behavior can identify suspicious patterns, but behavior alone does not prove intent. Its criteria are useful starting points for investigation, not verdicts about every token.
What a rug pull checker actually checks
Different tools cover different slices of risk:
| Tool type | Useful for | Cannot establish by itself |
|---|---|---|
| Swap simulator | Whether a modeled buy and sell succeeds; estimated tax and gas | That future sells will work or every route behaves the same |
| Contract-pattern scanner | Known malicious bytecode/source patterns and risky functions | That novel or obfuscated logic is harmless |
| Token-security API | Permissions, taxes, blacklist/whitelist logic, mintability, proxy and holder signals | Team identity, honest governance, or off-chain promises |
| Block explorer | Verified source, contract creator, holders, transactions, admin calls | Beneficial ownership behind every address |
| Liquidity-lock record | Amount, owner, pool, unlock time, and locker contract | Token contract safety, team-token vesting, or permanent liquidity |
| Audit report | Findings in a defined code version and scope | Safety of excluded code, later upgrades, operations, or governance |
Honeypot.is documents a simulation response that may include buy tax, sell tax, transfer tax, gas, maximum buy/sell amounts, and a honeypot result. Its documentation also says fields may be absent if a simulation fails or a result cannot be determined. “Unknown” is not “safe.”
GoPlus returns token-security fields including a honeypot indicator, but its response documentation explicitly allows no value when the result is unknown. Token Sniffer analyzes source code and bytecode against known scam patterns and can add holder and liquidity metrics. Each is useful; each has a bounded detection surface.
Before any check: verify the contract address
Token names and tickers are not identifiers. Anyone can deploy a token with a familiar name or symbol. Start from the project's official documentation, then cross-check the address against at least one independent authoritative listing or protocol interface.
Confirm:
- chain and network;
- full contract or mint address, not a shortened visual match;
- official website and documentation domain;
- trading pair address;
- whether the contract is a proxy and, if so, its implementation;
- whether the source code is verified.
Etherscan explains that source verification matches submitted source code to deployed bytecode and publishes the source for inspection. Verification improves transparency. It is not an audit and does not certify that the logic is safe.
If the address cannot be established confidently, stop. A sophisticated scan of the wrong token produces confidently irrelevant output.
The CLEAR workflow
Use five layers instead of one score: Contract, Liquidity, Equity, Accountability, Reality.
C — Contract behavior and control
Run at least one swap simulation and one contract/security scan. Then inspect the explorer.
Look for:
- successful buy and sell simulation;
- taxes and whether an admin can change them;
- maximum transaction or wallet limits;
- blacklist, whitelist, pause, cooldown, and transfer-gating logic;
- mint, burn-from, confiscation, or balance-modification authority;
- proxy upgradeability and the address controlling upgrades;
- verified source and correspondence to the current implementation;
- privileged roles, not just a single
ownerfield.
Do not treat “ownership renounced” as a universal guarantee. OpenZeppelin's access-control documentation shows that contracts can use multiple roles, another contract as owner, or delayed administration. Renouncing one owner does not prove every privileged role disappeared.
Stop rule: A failed or indeterminate sell simulation, unexplained blacklist logic, arbitrary minting, or an upgrade controller the team will not explain is enough to pause the investigation.
L — Liquidity control and exit conditions
Find the real trading pool and identify who owns the position representing liquidity. On Uniswap, v2 positions use fungible UNI-V2 tokens while v3 and v4 positions use NFTs. The wallet holding that token or NFT controls the position unless it is locked or transferred.
Record:
- pool address and DEX version;
- current liquidity and depth around realistic trade sizes;
- each liquidity owner's share;
- locker contract address, not just a badge on the project's site;
- percentage locked and exact unlock timestamp;
- whether locks cover the active pool and price range;
- other pools from which liquidity can migrate or be removed;
- the exit impact of a realistic position.
Read Liquidity Locks Explained before treating a lock as dispositive. A partial, short, or wrong-pool lock can look reassuring while leaving the meaningful liquidity removable.
E — Equity and holder concentration
Review holders and label obvious system addresses: burn addresses, pool contracts, bridges, vesting contracts, treasuries, and centralized exchanges. Then examine the remaining wallets.
Questions:
- What share do the deployer and linked wallets control?
- Were top wallets funded by the same source?
- Are tokens split across many fresh addresses?
- Do insiders have documented vesting, and does it match on-chain reality?
- Can a small number of holders overwhelm available liquidity?
- Are reported “holders” largely dust or airdropped wallets?
Wallet count is easy to inflate. Chainalysis found that one controller can manage many addresses in suspicious wash-trading patterns. Address count is not the same as independent ownership.
A — Accountability and evidence
Move off-chain. Verify whether the team, audit, legal entity, roadmap, partnerships, and repositories exist independently of the project's own marketing.
- Open the audit on the auditor's domain.
- Match audited commit, chain, and contract address to production.
- Check unresolved findings and excluded components.
- Verify named partners on the partner's own site.
- Inspect repository history for substantive work, not just a recent code dump.
- Distinguish pseudonymity from fabricated identity.
- Archive important claims with dates.
An audit is bounded evidence. It does not cover economic manipulation, compromised keys, undisclosed linked wallets, or code deployed after the report.
R — Reality: product, market, and contradictions
Finally, test whether the observable project matches the story.
- Is there a working product or only a token and roadmap?
- Do usage, fees, liquidity, and developer activity support claimed traction?
- Is social attention driven by analysis or referral spam and price promises?
- Does reported volume align with liquidity and independent venues?
- What evidence would falsify the bull story?
- What changed since the scanner's timestamp?
The CFTC advises people not to buy tokens based on a single social-media tip or sudden price spike and to separate hype from facts. That applies even when a clean scanner screenshot is part of the hype.
Build an evidence ledger, not a “safety score”
Use a table you can audit later:
| Claim | Evidence | Checked at | Status | What would change it? |
|---|---|---|---|---|
| Token can currently be sold | Two independent simulations on specified pool | Date/time + block | Pass / fail / unknown | Admin change, proxy upgrade, liquidity move |
| Main liquidity is locked | Locker contract and pool-position owner | Date/time + block | Verified / partial / unknown | Unlock, transfer, new active pool |
| Supply cannot expand | Verified implementation and all minter roles | Date/time + block | Verified / false / unknown | Role grant or upgrade |
| Team allocation vests | Vesting contract balances and schedule | Date/time + block | Verified / partial / unknown | Early release, migration, side wallets |
| Audit covers deployed code | Auditor report, commit, and address | Report date | Match / mismatch | Upgrade or redeployment |
This format prevents a common mistake: converting several partial checks into one permanent label.
A hypothetical worked example
Suppose Token Z has these results:
- Honeypot simulation succeeds with ordinary-looking tax today.
- Source is verified.
- The owner field is zeroed, but a separate role can pause transfers.
- 60% of the main v2 LP tokens are locked for 45 days.
- Two unlabeled wallets funded by the deployer hold 24% of supply.
- The audit covers an older implementation address.
A one-number scanner might still look favorable because the token is sellable and source is verified. CLEAR produces a different conclusion:
- Contract: unresolved pause authority.
- Liquidity: partial, short-duration lock.
- Equity: linked concentration.
- Accountability: audit mismatch.
- Reality: insufficient evidence until those contradictions are explained.
The correct output is not “scam proven.” It is do not rely on the clean simulation; material risk remains unresolved.
What no rug pull checker can prove
- A team will not exploit a legitimate admin function later.
- Several wallets are economically independent.
- A private key or multisig signer will not be compromised.
- Locked liquidity will remain sufficient as price and volume change.
- The team will keep building.
- A partnership or roadmap claim is true.
- A market maker is not manipulating volume.
- A contract without known malicious patterns contains no novel trap.
- A currently sellable token will remain sellable after an upgrade.
Automated tools are strongest at repeatable technical checks. Human investigation remains necessary for identities, incentives, scope, contradictions, and changing control.
How BlockMind fits—and where it does not
A BlockMind Pro agent can help organize a due-diligence investigation, inspect public sources, analyze holder and market context, retain an evidence trail in the Notebook, and monitor a tracked asset for material changes. A free DeepDive report can provide a structured first pass.
Neither is a safety certificate. Your agent can be wrong or outdated, does not replace a smart-contract audit, and cannot prove that an unidentified wallet belongs to a particular person. BlockMind never trades, moves funds, or tells you what to buy or sell.
For the wider workflow, pair this guide with the manual DYOR checklist, honeypot token guide, and memecoin due-diligence checklist.
The Bottom Line
Use a crypto rug pull checker to find questions faster, not to end the investigation. Verify the address, run independent checks, inspect control and liquidity on-chain, map holder concentration, and test off-chain claims.
The most honest result is often “unknown” or “material issues unresolved.” That may feel less satisfying than a green badge, but it reflects what the evidence can actually support.
This article is for research and education, not financial advice. No checker or AI system can determine whether you should buy or sell a token.
Sources
- Chainalysis: Crypto market manipulation, wash trading, and pump-and-dump methodology
- Honeypot.is: Honeypot check API reference
- GoPlus: Token-security response fields
- Token Sniffer: Detection and API methodology
- Etherscan: What verified contract source means
- OpenZeppelin: Contract access control
- Uniswap: Ownership of v2, v3, and v4 liquidity positions
- CFTC: Beware virtual-currency pump-and-dump schemes