How to Check If a New Token Is a Scam: A Complete 2025 Due-Diligence Playbook

New tokens launch every day. Some are legitimate experiments; many are designed to separate you from your money. This practical guide teaches you a repeatable, step-by-step workflow to vet tokens across EVM chains (Ethereum, Base, BNB Chain, Polygon), Solana, and more, covering contract risks, liquidity traps, social manipulation, exchange myths, and operational hygiene. Keep this open while you research.

Beginner → Advanced Due Diligence • Token Safety • Updated: 11/10/2025
TL;DR.
  • Scam tokens usually share the same fingerprints: honeypot code (you can buy but can’t sell), hidden minting (infinite supply), blacklists/whitelists, transfer taxes set to 100%, upgradeable proxy rugs, and liquidity that isn’t locked.
  • Run a four-layer check: (1) Identify the correct contract, (2) Audit the code & permissions, (3) Analyze liquidity & holders, (4) Validate off-chain claims (team, socials, listings, audits).
  • Never buy because of FOMO or screenshots. Simulate a tiny test trade, verify approvals, and assume the risk is worse than advertised until proven otherwise.

1) Mindset & quick red-flags

The biggest advantage scammers have is your urgency. Slow down and apply a checklist. Expect that any token under a week old, with anonymous deployers and meme-like branding, could be engineered to trap you. Your job is to disprove the scam hypothesis, not to confirm your hope.

  • Red-flags in 10 seconds: No verified contract, no source code, no docs, “renounced” but still upgradeable via proxy, huge taxes, or LP not locked.
  • Red-flags in 1 minute: Deployer also controls the top holders; trading toggled on/off via owner; recent mint events after launch; suspicious external calls in _transfer.
  • Red-flags in 5 minutes: Claimed listings that don’t exist, fake audit images, botted social metrics, website registered days ago, Telegram mods banning basic questions.
Risk Funnel (Start Wide → Filter Fast)
[Identify the real contract] → [Code & permissions] → [LP & holders] → [Off-chain claims]
Drop if any layer fails. You only proceed if all previous layers are clean.


2) A 4-Layer Vetting Workflow (EVM + Solana)

Use this every time. It’s chain-agnostic and fast once you practice.

Layer 1 — Identify the correct contract

  • Start from the project’s official site or pinned tweet. If the contract isn’t prominently listed, that’s a flag.
  • Cross-check on a reliable explorer (Etherscan, Basescan, BscScan, Polygonscan, Solscan/Explorer). On EVM, look for verified contract with source code and compiler settings.
  • Beware of look-alike tickers. Tickers are not unique; only the contract address identifies the asset.

Layer 2 — Code & permissions

  • On EVM, scan for: mint functions, owner-only functions, blacklist/whitelist checks, fee setters, trading toggles, and proxy patterns (UUPS/Transparent upgradable).
  • Confirm ownership status: renounced or time-locked? If “renounced,” verify that the proxy admin is not still upgradeable.
  • Check libraries like OpenZeppelin versions; look for custom _transfer logic that can revert sells or set taxes dynamically.

Layer 3 — Liquidity & distribution

  • Which DEX pair is primary? How old is the pool? What was the initial liquidity? Is LP locked (and where)? How long?
  • Top holders: any >2–3% besides LP/treasury? Are “airdrop” wallets clustering to one controller? Are CEX deposit addresses holding huge chunks?
  • Track deployer funding path: Where did the deployer’s ETH/SOL come from? Mixers/exploit tags are obvious red flags.

Layer 4 — Off-chain claims

  • Exchange listings: verify on the exchange’s own announcements page.
  • Audits: verify links on the auditor’s domain. “Certificate” images are meaningless.
  • Team: real LinkedIn/GitHub? Whitepaper beyond buzzwords? Domain age and legal pages?

3) Smart-contract checks: honeypots, hidden mints, taxes & proxies

Most technical scams are just variations of a few levers. Learn to spot them fast.

Figure: ERC-20 transfer path with common trap hooks: _transfer() → fee/tax logic → blacklist/whitelist → trading toggle → revert. Danger signs: owner-only tax setters, dynamic tax = 100%, sell-only revert, hidden external calls, mint on transfer, proxy admin retaining power.
Common hooks used to trap sellers or siphon tokens.

A) Honeypot patterns

  • Buys succeed, sells revert. Often implemented by checking msg.sender against a whitelist or DEX router and reverting for everyone else.
  • Dynamic tax set to 100% on sells; tokens “transfer,” but the fee captures everything back to the owner.
  • How to test: simulate a sell on an explorer with calldata decoding, or use a reputable honeypot tester. Always verify the tester itself is legit.

B) Hidden mint & supply control

  • Look for _mint reachable by owner or by an unrestricted external function. Some use mint on transfer to self.
  • Check for _burn fakes: “burned” tokens actually sent to an owner-controlled address, not the zero address.
  • Scan for role-based access (Ownable/AccessControl). If MINTER_ROLE is held by deployer or a proxy admin, it’s risky.

C) Blacklists, whitelists & trading toggles

  • Functions named like setTradingEnabled, setWhitelist, excludeFromFee, setMaxTxAmount, setMaxWallet can be weaponized.
  • Some contracts check if recipient is pair → then apply sell tax. Owners can update pair addresses to trap sellers.

D) Proxies & fake “renounce”

  • Upgradeable (UUPS/Transparent) proxies separate implementation from proxy admin. Even if Ownable.owner = 0x0, proxy admin might still upgrade the logic and rug.
  • How to check: On Etherscan/Basescan, see “More Info → Is this a proxy?” and view Proxy Admin. Inspect the admin’s permissions and any timelocks/multisigs.

E) Taxes & fee routers

  • Moderate buy/sell fees exist in some memecoins, but anything >10% deserves extreme caution.
  • Examine where fees go—marketing wallets, liquidity managers, or unverified routers.
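The Layer 2 and section 3 checks above (owner-gated mints, list mappings, trading toggles, mutable fees, sell-only branches and proxy/upgrade hooks in _transfer) can be mechanised as a first pass over the verified source you copy from the explorer. The scanner below is an added example, not code from the original guide; the rule names, the two sample contracts (SampleTrapToken and PlainToken) and the verdict thresholds are constructed for illustration. It is regex-based, so a hit means "read this function by hand", not a confirmed scam, and a clean result only clears the code layer, never liquidity or holders.

```python
"""Heuristic scan of verified ERC-20 Solidity source for the trap hooks discussed above."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    rule: str      # which heuristic fired
    why: str       # what a buyer should worry about
    snippet: str   # the matched source text, to jump to in the explorer


# Rules over the whole source. Each is (name, regex, explanation); constructed heuristics.
SOURCE_RULES = [
    ("owner-gated mint", r"function\s+\w*mint\w*\s*\([^)]*\)[^{]*onlyOwner",
     "owner can inflate supply after launch"),
    ("blacklist/whitelist mapping",
     r"mapping\s*\(\s*address\s*=>\s*bool\s*\)\s*(?:public|private|internal)?\s*_?(?:is)?(?i:black|white|bot|blocked|sniper)\w*",
     "per-address block or allow list"),
    ("trading toggle", r"function\s+(?:setTradingEnabled|enableTrading|openTrading|setTrading)\w*",
     "owner can switch transfers on/off"),
    ("mutable fee", r"function\s+(?:set|update)\w*(?:Fee|Tax)\w*\s*\(",
     "fees can change after you buy"),
    ("fee exclusion", r"function\s+excludeFromFee\w*", "owner wallets can be exempted from tax"),
    ("max-tx/max-wallet setter", r"function\s+setMax(?:Tx|Wallet)\w*", "limits can be lowered to block sells"),
    ("upgrade/delegatecall", r"\bdelegatecall\b|_authorizeUpgrade|UUPSUpgradeable|TransparentUpgradeableProxy",
     "logic can be swapped later, so a renounced owner proves little"),
    ("selfdestruct", r"\bselfdestruct\s*\(", "contract can be destroyed"),
]

# Rules applied only inside the body of _transfer, where sell traps usually live.
TRANSFER_RULES = [
    ("list check in _transfer", r"require\s*\([^;]*(?i:black|white|bot|blocked)\w*\[",
     "sells can be blocked per address"),
    ("external call in _transfer", r"\.call\s*(?:\{[^}]*\})?\s*\(|\bI[A-Z]\w*\([^)]*\)\s*\.\s*\w+\s*\(",
     "transfer outcome depends on another contract"),
    ("sell-side branch in _transfer", r"(?:to|recipient)\s*==\s*\w*[pP]air",
     "tax or revert applied only when selling"),
    ("mint inside _transfer", r"_mint\s*\(", "supply inflates on every transfer"),
]

# Rules that alone justify dropping the token under the funnel above (constructed choice).
CRITICAL = {"owner-gated mint", "trading toggle", "upgrade/delegatecall", "selfdestruct",
            "list check in _transfer", "mint inside _transfer"}


def function_body(src: str, name: str) -> Optional[str]:
    """Return the brace-delimited body of `function <name>(...)`, or None if absent."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\(", src)
    if not m:
        return None
    start = src.find("{", m.end())
    if start < 0:
        return None
    depth = 0
    for j in range(start, len(src)):
        if src[j] == "{":
            depth += 1
        elif src[j] == "}":
            depth -= 1
            if depth == 0:
                return src[start:j + 1]
    return None


def scan(src: str) -> List[Finding]:
    """Run the source-wide rules, then the _transfer-only rules; one finding per rule."""
    findings = []
    for rule, pattern, why in SOURCE_RULES:
        m = re.search(pattern, src)
        if m:
            findings.append(Finding(rule, why, m.group(0).strip()))
    body = function_body(src, "_transfer")
    if body:
        for rule, pattern, why in TRANSFER_RULES:
            m = re.search(pattern, body)
            if m:
                findings.append(Finding(rule, why, m.group(0).strip()))
    return findings


def verdict(findings: List[Finding]) -> str:
    """DROP on any critical hit, REVIEW on lesser hits, CLEAN clears only this layer."""
    if any(f.rule in CRITICAL for f in findings):
        return "DROP"
    return "REVIEW" if findings else "CLEAN"


# Constructed sample: a token wired with several of the hooks above (not a real contract).
TRAP_SOURCE = """
pragma solidity ^0.8.20;
import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import "@openzeppelin/contracts/access/Ownable.sol";
contract SampleTrapToken is ERC20, Ownable {
    mapping(address => bool) private _isBlacklisted;
    address public uniswapPair;
    uint256 public sellTax = 5;
    bool public tradingEnabled;
    function setTradingEnabled(bool on) external onlyOwner { tradingEnabled = on; }
    function setSellTax(uint256 pct) external onlyOwner { sellTax = pct; }
    function setBlacklist(address a, bool v) external onlyOwner { _isBlacklisted[a] = v; }
    function mint(address to, uint256 amt) external onlyOwner { _mint(to, amt); }
    function _transfer(address from, address to, uint256 amount) internal override {
        require(!_isBlacklisted[from] && !_isBlacklisted[to], "blocked");
        require(tradingEnabled || from == owner(), "trading closed");
        uint256 fee = 0;
        if (to == uniswapPair) { fee = amount * sellTax / 100; }
        super._transfer(from, owner(), fee);
        super._transfer(from, to, amount - fee);
    }
}
"""

# Constructed sample: a plain fixed-supply token with no owner hooks.
CLEAN_SOURCE = """
pragma solidity ^0.8.20;
import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
contract PlainToken is ERC20 {
    constructor() ERC20("Plain", "PLN") { _mint(msg.sender, 1_000_000e18); }
}
"""

if __name__ == "__main__":
    for label, src in (("SampleTrapToken", TRAP_SOURCE), ("PlainToken", CLEAN_SOURCE)):
        found = scan(src)
        print(f"{label}: {verdict(found)}")
        for f in found:
            print(f"  [{f.rule}] {f.why}  <- {f.snippet}")
```

Paste the explorer's verified source into a file and call scan() on its contents; when the explorer shows a proxy, scan the implementation source, not the thin proxy, and still inspect the proxy admin by hand as section 3D describes.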

4) Liquidity, pools & holder forensics

Even “clean” code can rug by abusing liquidity and distribution.

Figure: Liquidity lifecycle: initial add → lock / burn LP → liquidity growth → potential remove / rug. Ask: Who controls the LP? Is it time-locked? Burned? Multisig? Is the lock credible?
If LP isn’t locked or is controlled by a single EOA, price can be nuked instantly.
  • LP ownership: Is the LP token burned (sent to 0xdead) or locked with a reputable locker? Verify on-chain.
  • Pool age & history: Use DEX analytics (DexScreener, GeckoTerminal) to see when the pool was created, liquidity inflows/outflows, and sudden removals.
  • Holder distribution: Pie charts are deceiving. Open the top 50 holders; look for clusters funded by the same wallet; examine transfer graphs.
  • Team/treasury wallets: Are they labeled, time-locked, or vesting? Any whale selling into every pump?
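The holder-forensics steps above (open the top holders, exclude LP and treasury, trace who funded each wallet, and see whether "random" wallets collapse into one controller) can be scripted once you have exported a holder snapshot and the first inbound gas transfer for each wallet. The script below is an added example, not the guide's own tooling; the balances, funding edges and address labels are a constructed snapshot, and the 3% whale and 5% cluster thresholds are illustrative choices matching the ranges quoted in Layer 3.

```python
"""Holder-concentration and funding-cluster check over a constructed holder snapshot."""
from typing import Dict, List, Set

TOTAL_SUPPLY = 1_000_000

# Constructed sample (not real chain data): token balance per labelled address.
BALANCES: Dict[str, int] = {
    "deployer": 20_000,
    "lp_pair": 400_000,          # DEX pool; excluded from whale math
    "treasury_msig": 100_000,    # labelled treasury; excluded from whale math
    "cex_hot": 60_000,           # exchange hot wallet; flagged but never a "cluster root"
    "wallet_a": 35_000,
    "wallet_b": 28_000,
    "wallet_c": 25_000,
    "wallet_d": 15_000,
    "retail_1": 2_000,
    "retail_2": 1_500,
}

# Constructed sample: for each wallet, the address that sent its first gas (ETH/SOL).
FUNDED_BY: Dict[str, str] = {
    "wallet_a": "deployer",
    "wallet_b": "deployer",
    "wallet_c": "wallet_a",      # two hops from the deployer, still the same controller
    "wallet_d": "cex_hot",
    "retail_1": "cex_hot",
    "retail_2": "cex_hot",
}

STRUCTURAL: Set[str] = {"lp_pair", "treasury_msig"}   # not counted as whales
EXCHANGES: Set[str] = {"cex_hot"}                       # fund everyone; never walk through them


def ultimate_funder(addr: str, funded_by: Dict[str, str], stop_at: Set[str]) -> str:
    """Follow the funding chain until a stop address, an unfunded wallet, or a cycle."""
    seen = set()
    while addr in funded_by and addr not in stop_at and addr not in seen:
        seen.add(addr)
        addr = funded_by[addr]
    return addr


def cluster_of(root: str, balances: Dict[str, int], funded_by: Dict[str, str]) -> Set[str]:
    """All holders whose gas funding traces back to `root` (root itself included)."""
    stop = {root} | EXCHANGES
    return {a for a in balances if ultimate_funder(a, funded_by, stop) == root}


def share(addrs, balances: Dict[str, int], total: int = TOTAL_SUPPLY) -> float:
    return sum(balances[a] for a in addrs) / total


def whales(balances: Dict[str, int], threshold: float = 0.03, total: int = TOTAL_SUPPLY) -> List[str]:
    """Single non-structural holders above the threshold, largest first."""
    return sorted((a for a in balances if a not in STRUCTURAL and balances[a] / total > threshold),
                  key=lambda a: -balances[a])


def red_flags(balances: Dict[str, int] = BALANCES, funded_by: Dict[str, str] = FUNDED_BY,
              deployer: str = "deployer", cluster_limit: float = 0.05,
              whale_limit: float = 0.03) -> List[str]:
    """Human-readable flags for the Layer 3 review; empty list means nothing tripped."""
    flags = []
    cluster = cluster_of(deployer, balances, funded_by)
    cluster_share = share(cluster, balances)
    if cluster_share > cluster_limit:
        flags.append(f"deployer-linked cluster of {len(cluster)} wallets holds {cluster_share:.1%}")
    for a in whales(balances, whale_limit):
        kind = "exchange wallet" if a in EXCHANGES else "single holder"
        flags.append(f"{kind} {a} holds {balances[a] / TOTAL_SUPPLY:.1%}")
    return flags


if __name__ == "__main__":
    print("deployer cluster:", sorted(cluster_of("deployer", BALANCES, FUNDED_BY)))
    for line in red_flags():
        print("FLAG:", line)
```

The point of the funding walk is that a pie chart of the same snapshot shows four unrelated 2–3.5% holders, while the cluster view shows one controller with 10.8% of supply plus the deployer's own stake; exchange-funded wallets are deliberately not merged, since an exchange funds thousands of unrelated users.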

5) Social & marketing deception patterns

  • Fake partnerships: Screenshots or logos pasted onto images. Check the alleged partner’s official blog or X account.
  • Botted growth: New Twitter with 100k followers but low genuine engagement; identical comments from “army” accounts.
  • Telegram/Discord theater: Hyperactive mods, deleted questions about contract, automatic bans for asking to see the team’s wallets.
  • “Audit” JPGs: Real audits are PDFs on the auditor’s site with a hash. Even then, audits don’t equal safety; many rugs were “audited.”
  • “CEX listing tomorrow” bait: Listings are announced by the exchange, not by the token first. Verify in the exchange’s newsroom.

6) Step-by-step walkthroughs (Ethereum/Base, BNB, Solana)

A) Ethereum / Base (EVM)

  1. Get the contract from the official site/X and confirm on Etherscan or Basescan. Ensure “Contract Source Code Verified.”
  2. Proxy? If “Is this a proxy?” = yes, click through to Proxy Admin. If a single EOA controls it with no timelock, high risk.
  3. Read code tabs: find _transfer, _mint, owner functions, tax setters, blacklist. Search for “onlyOwner”, “setTrading”, “setTax”.
  4. Events: check recent Mint/Transfer events after launch. Any suspicious top-ups?
  5. Holders: open top holders; label LP; see if deployer controls several “random” wallets. Inspect funding paths.
  6. Liquidity: open the primary pair on DEX analytics. Confirm LP lock/burn, pool age, and whether liquidity is being slowly siphoned.
  7. Simulate a sell with a tiny amount via Tenderly/Phalcon or a test trade for a few dollars (be prepared to lose it). Watch for reverts or 100% tax.

B) BNB Chain (BSC)

  • Same EVM playbook, but be stricter: BSC has many copy-paste scams. Require LP locks and clean _transfer logic.
  • Watch out for “marketing wallets” dumping into every pump.

C) Solana

  1. Identify the mint address. Use Solscan or official explorers to view metadata, creators, and freeze authority.
  2. Freeze/Mint authority: Is the mint authority revoked? Is there a freeze authority that can freeze token accounts?
  3. Market: open on Jupiter/DexScreener and inspect LP. Some Solana rugs use program-controlled markets; verify the AMM and pool ownership.
  4. Creators/Deployers: link to their other projects. Look for recycled treasuries or prior rugs.
  5. Simulate swap on a tiny amount; confirm you can sell back.

7) Safe ops: approvals, wallets & simulations

  • Use a “hot” throwaway wallet for new tokens. Keep your vaults on a separate hardware wallet with no approvals to random dapps.
  • Simulate before you trade. Many wallets/explorers simulate swaps and show if a transfer will revert or tax excessively.
  • Grant least approvals (avoid unlimited). Regularly revoke stale allowances with tools (see resources).
  • Record official links as bookmarks. Never click on sponsored search results when dealing with explorers or wallets.
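"Grant least approvals" only works if you can read what a dapp is asking you to sign. The decoder below is an added example, not part of the original guide: it parses the calldata a wallet shows in its "hex data" view for the standard approve / increaseAllowance / setApprovalForAll / transfer selectors and flags unlimited allowances, operator approvals, unknown spenders and unrecognised selectors. The router and spender addresses are constructed placeholders, the KNOWN_SPENDERS allowlist is something you maintain yourself, and encode_call() exists only to build sample calldata for the demo.

```python
"""Decode ERC-20 / ERC-721 approval calldata and flag risky allowances before signing."""
from typing import Dict, List, Optional, Set, Tuple

# First 4 bytes of keccak256(signature) for the standard functions; these are the real values.
SELECTORS: Dict[str, Tuple[str, List[str]]] = {
    "095ea7b3": ("approve", ["address", "uint256"]),
    "39509351": ("increaseAllowance", ["address", "uint256"]),
    "a22cb465": ("setApprovalForAll", ["address", "bool"]),
    "a9059cbb": ("transfer", ["address", "uint256"]),
}
MAX_UINT256 = 2 ** 256 - 1

# Constructed placeholder (not a real router): the one spender you intend to use today.
ROUTER = "0x" + "22" * 20
KNOWN_SPENDERS: Set[str] = {ROUTER}


def encode_call(name: str, args: list) -> str:
    """ABI-encode a call to one of the functions above; used here to build sample calldata."""
    sel = next(s for s, (n, _) in SELECTORS.items() if n == name)
    out = bytes.fromhex(sel)
    for typ, val in zip(SELECTORS[sel][1], args):
        if typ == "address":
            out += bytes(12) + bytes.fromhex(val[2:])      # left-pad 20-byte address to 32
        else:                                             # uint256 and bool: one big-endian word
            out += int(val).to_bytes(32, "big")
    return "0x" + out.hex()


def decode_call(data: str) -> dict:
    """Split calldata into selector + 32-byte words and decode the known static signatures."""
    raw = bytes.fromhex(data[2:] if data.startswith("0x") else data)
    sel, body = raw[:4].hex(), raw[4:]
    if len(body) % 32:
        raise ValueError("calldata is not word-aligned; do not sign what you cannot decode")
    words = [body[i:i + 32] for i in range(0, len(body), 32)]
    name, types = SELECTORS.get(sel, ("unknown", []))
    args: list = []
    for typ, word in zip(types, words):
        if typ == "address":
            args.append("0x" + word[-20:].hex())
        elif typ == "bool":
            args.append(int.from_bytes(word, "big") != 0)
        else:
            args.append(int.from_bytes(word, "big"))
    return {"selector": sel, "function": name, "args": args}


def assess(call: dict, known_spenders: Set[str] = KNOWN_SPENDERS,
           intended_amount: Optional[int] = None) -> List[str]:
    """Return the reasons to reject this signature request; an empty list means it looks scoped."""
    flags = []
    fn, args = call["function"], call["args"]
    if fn in ("approve", "increaseAllowance"):
        spender, amount = args
        if amount == MAX_UINT256:
            flags.append("unlimited allowance")
        elif intended_amount is not None and amount > intended_amount:
            flags.append("allowance exceeds the trade you intend")
        if spender.lower() not in known_spenders:
            flags.append("spender is not a router you recognise")
    elif fn == "setApprovalForAll" and args[1]:
        flags.append("operator approval over every token in the collection")
    elif fn == "unknown":
        flags.append(f"unrecognised selector 0x{call['selector']}; decode before signing")
    return flags


if __name__ == "__main__":
    stranger = "0x" + "11" * 20   # constructed placeholder for an unknown spender
    for label, data in (
        ("unlimited approve to unknown spender", encode_call("approve", [stranger, MAX_UINT256])),
        ("scoped approve to known router", encode_call("approve", [ROUTER, 10 ** 18])),
        ("setApprovalForAll(true)", encode_call("setApprovalForAll", [stranger, True])),
    ):
        call = decode_call(data)
        print(f"{label}: {call['function']}{tuple(call['args'])} -> {assess(call, intended_amount=10 ** 18)}")
```

Permit-style signatures (EIP-2612, Permit2) never appear as calldata because they are off-chain messages, so this decoder cannot see them; treat any "sign message" prompt from a claim site as the airdrop-drainer pattern in the scam catalog below and refuse it.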

8) Scam catalog: patterns, fingerprints, defenses

Honeypot
Fingerprint: Buys OK, sells revert or tax = ~100%.
Defense: Simulate sells; read _transfer; test tiny trade.
Liquidity Rug
Fingerprint: LP controlled by deployer; no locks; sudden remove.
Defense: Require LP burn/lock; monitor pool age/changes.
Proxy Upgrade Rug
Fingerprint: “Renounced” token but upgradeable proxy remains.
Defense: Inspect proxy admin; require timelock/multisig.
Mint/Burn Abuse
Fingerprint: Owner can mint after launch; “burns” to owner wallet.
Defense: Verify roles; confirm real zero-address burns.
Blacklist/Whitelist Trap
Fingerprint: Owner flips lists to block sells.
Defense: Search code for list management; avoid if present.
Fake Listing/Audit
Fingerprint: Images only, no URL on issuer’s domain.
Defense: Verify on exchange/auditor websites.
Airdrop Drainer
Fingerprint: Random token appears; claim site requests permit/signature to drain assets.
Defense: Ignore; never connect wallet; revoke suspicious approvals.
Team/Whale Dump
Fingerprint: Team wallets unloading into every pump.
Defense: Track team wallets; look for vesting/time-locks.

9) Decision frameworks, checklists & a one-page scorecard

Due-diligence scorecard (0–5 each)

Score each dimension 0–5 against its questions:
  • Contract Security: Verified code? No honeypot logic? No hidden mint/blacklist? Proxy admin time-locked?
  • Liquidity Safety: LP locked/burned? Pool age & history stable? No rapid siphoning?
  • Holder Distribution: No whale concentration? Team wallets vested? Deployer not dominant?
  • Governance/Team: Transparent team or credible anon? Track record? Real roadmap?
  • External Signals: Verified audits & listings (on issuer domains)? Organic community?

Rule of thumb: Under 18/25 = probably skip. Under 15/25 = only with throwaway money and explicit stop-losses.

One-minute checklist

  • Correct contract? Verified source?
  • Any proxy/upgrade admin? Any owner-only mints/blacklists/toggles?
  • LP locked/burned? Pool older than 24–72h?
  • Top holders distribution reasonable? No deployer-controlled cluster?
  • Claims verified on exchanges/auditors’ domains?

10) FAQ

Is an audit a green light?
No. Audits reduce some risks, not all. Many rugs were “audited.” Treat audits as one input among many.
What about KYC?
Team KYC can help, but enforcement is weak across borders. KYC plus on-chain safety (locks, roles, timelocks) is better than KYC alone.
Are taxes always scams?
Not always, but high or mutable taxes are abusable. If fees >10% or can be changed quickly, it’s largely a speculation trap.
How small should the test trade be?
Only what you’re prepared to lose entirely, plus gas. The goal is to confirm basic sellability, not to “get in early.”
Can valid projects still have risky settings?
Yes (e.g., upgradeable proxies for rapid iteration). But legitimate teams typically pair this with timelocks, multisigs, clear docs, and public commitments.

11) External resources & official docs

Recap

  • The contract and the liquidity tell you almost everything. Verify the right contract, then try to break your bullish case with real evidence.
  • Expect traps: honeypots, proxy upgrades, blacklists, hidden mints, and unlockable LPs.
  • Simulate, test tiny, revoke approvals, and maintain separate wallets. Treat audits and KYC as adjuncts, not guarantees.

Quick check

  1. Name two functions in ERC-20 style tokens that scammers often abuse to block sells.
  2. How do you verify that “renounced” doesn’t hide a proxy admin?
  3. What proves a real exchange listing?
  4. Why is LP locking/burning important? Where do you verify it?
  5. What’s the safest way to test if a token is a honeypot?
Answers
  • _transfer with blacklist/whitelist checks; owner-set sell tax to 100%; setTradingEnabled toggles.
  • Open “Is this a proxy?” on the explorer, follow to Proxy Admin, and inspect admin permissions/timelocks.
  • An announcement on the exchange’s official newsroom/X, not just the token’s account.
  • Without LP locks/burn, deployer can remove liquidity, crashing price. Verify on the pair contract and locker contract on-chain.
  • Simulate a small sell via Tenderly/Phalcon or do a tiny real trade you can afford to lose.