Proxy-Based Honeypots: Upgradeable Contract Traps (Complete Guide)
Proxy-Based Honeypots are one of the cleanest “looks safe today, becomes a trap tomorrow” patterns in crypto. They exploit how upgradeable contracts separate the address you interact with (the proxy) from the logic that actually runs (the implementation). In this guide you will learn how proxy honeypots hide sell restrictions, stealth taxes, blacklists, and liquidity traps behind upgrade logic, how to detect the most common signals before you touch a token, and how to use a safety-first workflow that reduces your exposure without killing your ability to trade.
TL;DR
- Proxy honeypots weaponize upgrades: the proxy address stays constant while the implementation can change, letting a token look harmless at launch and turn hostile later.
- Two things to verify every time: who can upgrade, and what the proxy points to right now (plus what it could point to later).
- Red flags are practical: upgrade admin is an EOA, upgrade is not timelocked, implementation is unverified, ownership is hidden, or logic includes blacklist and dynamic tax controls.
- Never rely on “it sold once”: many traps allow a few sells early to build trust, then flip restrictions after liquidity grows.
- Fast workflow: verify proxy type, read the upgrade controls, inspect transfer logic, check taxes and blacklists, then decide position size based on uncertainty.
- Use foundation material: learn mechanics in Blockchain Technology Guides and deepen in Blockchain Advance Guides.
- Run a risk scan before interacting with unknown tokens using Token Safety Checker.
- Prerequisite reading: if you have not read Wallet Drainers, do it. The same “adversarial workflow” mindset applies, even though proxy honeypots are contract-layer traps and drainers are permission-layer theft workflows.
Start with Wallet Drainers. Proxy honeypots are not “seed phrase theft”, but the discipline is identical: assume the counterparty can be hostile, treat prompts and permissions as risk, and build a repeatable process that catches traps before they become losses.
Why proxy honeypots work so well
Most retail losses do not come from advanced cryptography. They come from mismatched assumptions. Traders assume a token contract is static. Attackers know it can be mutable. Traders assume the verified code they read is the code that executes. Attackers use a proxy so the “front address” stays constant while the “real logic” can be swapped. Traders assume that if a token sells today, it will sell tomorrow. Attackers build logic that can flip states after liquidity or hype reaches a target threshold.
Upgradeable contracts exist for legitimate reasons. Teams want to patch bugs or add features without migrating users. But upgradeability also creates a perfect hiding place for honeypots because the attack surface expands in time: you are no longer analyzing a single contract, you are analyzing a system consisting of proxy, implementation, admin controls, and upgrade governance.
A simple mental model: proxy as a dispatcher
In a standard token contract, the address you interact with contains the logic for transfer, approve, swap integration hooks, and any custom rules. In a proxy setup, the address you interact with is often a small contract that does one job: forward calls to another address (the implementation) using a low-level delegatecall.
Delegatecall is not just “call another contract”. It runs the implementation code in the storage context of the proxy. That means balances, allowances, owner variables, and configuration flags live at the proxy address, while the code can be changed by switching the implementation pointer.
If you are not comfortable with that concept, pause and review fundamentals in Blockchain Technology Guides. Understanding storage, delegatecall, and access control is the difference between guessing and knowing.
The proxy patterns you will see in the wild
“Proxy-based honeypot” is a category. The exact implementation differs by standard and tooling. The good news: you do not need to memorize every variant. You only need to identify the proxy type and then locate the upgrade controls and current implementation.
Transparent proxy pattern
Transparent proxies are commonly used with OpenZeppelin-style setups. The proxy holds the state. The implementation holds the logic. An admin address can upgrade, and admin calls are treated differently than user calls. For token safety, the upgrade admin is the key detail: if it is a single wallet and not protected, then the token has a “one-person switch”.
UUPS (Universal Upgradeable Proxy Standard)
In UUPS, the upgrade function lives in the implementation itself. The proxy is slimmer. This matters because the implementation code can define who is allowed to upgrade and how. If you only look at the proxy, you may miss upgrade logic hidden in the implementation.
Beacon proxies
Beacon proxies point to a beacon contract, and the beacon points to the implementation. Teams use this to upgrade many proxies at once (for example, many token instances). Attackers love it because one beacon upgrade can flip many contracts from safe to hostile.
Minimal proxies and clones
Clones are a different kind of “proxy”, often used for cheap deployments. They can still be dangerous when the “template” logic is upgradeable elsewhere or when initialization and ownership are manipulated. If you see a token deployed as a clone of an unverified template, treat it as unknown until you verify the template’s logic and upgrade controls.
What makes a proxy honeypot a honeypot
A honeypot is not just “cannot sell”. It is any design that lures you into buying or holding and then prevents an exit or extracts value through hostile rules. Proxy honeypots typically use upgrades to shift from “normal token” behavior to one of these trap modes:
Trap mode 1: sell blocking after liquidity grows
The token launches with permissive transfer rules. Early buyers can sell. This creates proof. Then, after liquidity hits a target, an upgrade switches the logic to block sells to the pool, or to block transfers for non-whitelisted wallets. The token still trades for insiders who are whitelisted, which makes the chart look active while retail is stuck.
Trap mode 2: dynamic taxes that become confiscation
Many tokens implement transfer taxes. That is not automatically a scam. The honeypot move is allowing the owner to set taxes to extreme levels, especially sell taxes, after people have bought. A token can look reasonable at 2 to 5 percent tax, and then get upgraded to 50 percent or 99 percent tax. The result feels like “I can sell but I get nothing,” which is functionally the same as a sell block.
Trap mode 3: blacklist or cooldown rules activated after launch
A blacklist feature lets the controller block certain wallets. A cooldown feature can prevent frequent transfers and can be tuned to freeze holders. Both can be used legitimately in regulated contexts, but in meme-token environments they are often trap levers. The key risk is not the existence of the feature, it is who controls it and whether it can be abused without transparency.
Trap mode 4: liquidity and router traps
Some honeypots are not strictly token-transfer restrictions. Instead, they manipulate liquidity operations:
- blocking sells to specific routers while allowing sells to a private router
- changing fee-on-transfer behavior in a way that breaks common swap paths
- whitelisting a few addresses to sell and using them to drain liquidity while others fail
- upgrading to logic that detects AMM pairs and behaves differently when the destination is a pool
A verified proxy contract does not mean the token logic is safe. The proxy can be clean and verified while the implementation is unverified or changeable. Your job is to identify what code executes and who can change it.
Red flags and what they actually mean
Most “honeypot detection” checklists online are either too vague or too technical. This section is designed to be practical: each red flag tells you what risk it represents and how to respond.
| Red flag | What it really means | Why it matters | Safer response |
|---|---|---|---|
| Upgradeable proxy + upgrade admin is a single wallet | One actor can flip rules instantly | You are trusting a person, not a system | Reduce position size or avoid |
| No timelock for upgrades | No warning window for holders | Traps can be activated without notice | Prefer timelocked governance |
| Implementation is unverified or changes frequently | Logic is opaque or unstable | You cannot audit what you are buying | Avoid or treat as high risk |
| Owner can change taxes / fees freely | Transfer economics are arbitrary | Taxes can become confiscation | Look for caps and constraints |
| Blacklist / whitelist features | Controller can freeze wallets | Retail can be selectively trapped | Only acceptable with strong governance |
| Different behavior when interacting with AMM pair | Special-case sell logic | Classic honeypot technique | Inspect transfer() branch conditions |
| Upgrade functions callable by multiple hidden roles | Backdoor governance | “Owner renounced” can be fake | Map roles, not just owner() |
| Proxy admin contract is a custom contract | Unknown rules for upgrades | Admin could have stealth conditions | Demand verified admin and clear controls |
The safety-first workflow (fast path and deep path)
The best workflow is one you will actually use under time pressure. So this guide gives you two: a fast path that catches most obvious proxy honeypots, and a deep path that you can apply when position size justifies the effort.
Fast path: 3-minute triage
Fast path checklist (3 minutes)
- Confirm it is a proxy: if the contract looks tiny or uses fallback delegation patterns, assume proxy until verified.
- Find the current implementation: locate the implementation address using explorer proxy indicators or storage slot checks.
- Check who can upgrade: identify the admin or upgrade authority and whether it is a multisig or single wallet.
- Check for obvious trap levers: taxes, blacklist, whitelist, transfer gating, AMM pair detection.
- Decide based on uncertainty: if key parts are unverified or changeable without notice, treat as high risk or skip.
Deep path: 30-minute verification
Deep path checklist (30 minutes)
- Identify proxy type (transparent, UUPS, beacon, clone) and confirm how upgrades occur.
- Verify implementation code (or accept that you are buying an opaque contract).
- Map all privileged roles: owner, admin, role-based access control, fee setters, blacklist managers.
- Inspect transfer logic branches, especially branches triggered when sender or recipient is an AMM pair.
- Look for “onlySellToWhitelist” style constraints or dynamic fee rules.
- Check upgrade safety: timelock, multisig, upgrade events, governance constraints.
- Run a risk scan before touching the token using Token Safety Checker.
Step-by-step: detecting proxy honeypots the right way
This section turns the workflow into concrete steps that match how proxies are built. The objective is not to become a smart contract auditor. The objective is to answer a handful of questions that separate “upgradeable but constrained” from “upgradeable and exploitable”.
Step 1: Confirm whether the token address is a proxy
Many explorers will label a proxy automatically. But never treat labels as perfect. You can confirm proxy behavior by checking if the contract code is very small and mostly fallback logic, or by checking whether calls to expected ERC-20 functions route through fallback.
If you want a mechanical check, you can compare bytecode size and look for delegatecall patterns. In practice, the simplest signal is: if the explorer shows a proxy tab or implementation link, treat it as proxy.
Step 2: Find the current implementation address
This is the hinge point. You must know what code executes right now. For many common proxies, the implementation address is stored in a known storage slot, such as EIP-1967. If you can read that slot, you can retrieve the implementation address even if the UI hides it.
In many proxy designs, “where is the logic?” is answered by reading a specific storage slot. That means you can verify the current implementation independently of marketing, chat hype, or even explorer UI.
Step 3: Identify the upgrade authority and its guardrails
Once you know the proxy type and implementation, you need to know who can upgrade. There are only a few possibilities:
- Single EOA: fastest and most dangerous. It can upgrade instantly, with no on-chain checks beyond that key.
- Multisig: better, but still depends on signer quality and operational security.
- Timelock + governance: best for transparency if configured well, because upgrades are announced by the timelock and can be monitored.
- Hidden admin logic: the worst case. If you cannot clearly identify upgrade authority, treat the system as hostile.
The safe question is: if the team wanted to trap retail tomorrow, could they? If the answer is yes and there is no warning window, the risk is not theoretical.
Step 4: Inspect transfer logic for trap levers
You do not need to read every line. You need to locate the sections that control:
- who can transfer
- who can sell to AMM pairs
- what fees apply and who can change them
- blacklists, whitelists, cooldowns, anti-bot gating
- special cases for router addresses or pair addresses
Many honeypots use a simple structure: detect when recipient is a pair address, then apply restrictions or taxes. If you see conditions like “if (to == pair)” or “if (isAMMPair[to])” or a mapping that marks pairs, pay attention.
Step 5: Decide how to monitor upgrades if you still participate
Sometimes you will still trade high-risk tokens. The difference between survival and repeated losses is monitoring. If a token is upgradeable, you should assume the implementation can change and you should decide how you will notice quickly.
A practical approach is to record the current implementation address at the time you buy. Then periodically check whether it changed. If it changed and you cannot justify why, treat that as a risk event.
Code examples that help you verify, not speculate
Code is only useful if it reduces uncertainty. The following snippets are not trading bots. They are verification tools. If you do not code, you can still understand the intent: read implementation slots, detect upgrades, and highlight privileged functions.
Example: read EIP-1967 implementation slot using ethers.js
Many proxies store the implementation address at the EIP-1967 slot: bytes32(uint256(keccak256("eip1967.proxy.implementation")) - 1). The script below reads that slot and prints the implementation.
// Minimal ethers.js script to read EIP-1967 implementation slot
// Usage: node read-impl.js <RPC_URL> <PROXY_ADDRESS>
import { ethers } from "ethers";
const [,, rpcUrl, proxyAddr] = process.argv;
if (!rpcUrl || !proxyAddr) {
console.error("Usage: node read-impl.js <RPC_URL> <PROXY_ADDRESS>");
process.exit(1);
}
const provider = new ethers.JsonRpcProvider(rpcUrl);
// EIP-1967 implementation slot:
// bytes32(uint256(keccak256('eip1967.proxy.implementation')) - 1)
const SLOT = "0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc";
const storage = await provider.getStorage(proxyAddr, SLOT);
// storage is 32 bytes; implementation address is last 20 bytes
const impl = ethers.getAddress("0x" + storage.slice(26));
console.log("Proxy:", proxyAddr);
console.log("Implementation:", impl);If this script returns a valid address, you now have a ground truth “current logic” pointer. You can compare it over time to detect upgrades.
Example: read EIP-1967 admin slot (transparent proxy)
Many transparent proxies store admin at the EIP-1967 admin slot: bytes32(uint256(keccak256("eip1967.proxy.admin")) - 1). If the admin is an EOA, the upgrade switch is extremely centralized.
// Usage: node read-admin.js <RPC_URL> <PROXY_ADDRESS>
import { ethers } from "ethers";
const [,, rpcUrl, proxyAddr] = process.argv;
if (!rpcUrl || !proxyAddr) {
console.error("Usage: node read-admin.js <RPC_URL> <PROXY_ADDRESS>");
process.exit(1);
}
const provider = new ethers.JsonRpcProvider(rpcUrl);
// EIP-1967 admin slot
const ADMIN_SLOT = "0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103";
const storage = await provider.getStorage(proxyAddr, ADMIN_SLOT);
const admin = ethers.getAddress("0x" + storage.slice(26));
console.log("Proxy:", proxyAddr);
console.log("Admin:", admin);This does not tell you if the admin is safe. It tells you who holds the power. Then you can ask: is this a multisig? is it a timelock? is it a contract with constraints? or is it just a single key?
Example: the kind of transfer trap upgrades can introduce
The snippet below is simplified and intentionally incomplete. It illustrates the shape of many honeypot upgrades: special-case AMM pair destinations, add dynamic fees, and add whitelist logic. In real attacks, the code is often obscured through naming or splitting logic across functions.
// PSEUDO-CODE style snippet (simplified for learning)
// Idea: on upgrade, transfer() gains a sell restriction + dynamic tax
mapping(address => bool) public isPair;
mapping(address => bool) public canSell;
uint256 public sellTaxBps; // basis points
address public feeCollector;
function _transfer(address from, address to, uint256 amount) internal {
// If selling into an AMM pair, apply special rules
if (isPair[to]) {
require(canSell[from], "Sell blocked");
uint256 fee = (amount * sellTaxBps) / 10000;
// Confiscation if sellTaxBps set high
super._transfer(from, feeCollector, fee);
super._transfer(from, to, amount - fee);
return;
}
// Normal transfer path
super._transfer(from, to, amount);
}
function setSellTaxBps(uint256 bps) external onlyOwner {
sellTaxBps = bps; // if no cap, can become 99%
}
function setCanSell(address who, bool ok) external onlyOwner {
canSell[who] = ok; // whitelist sells
}
function setPair(address pair, bool ok) external onlyOwner {
isPair[pair] = ok; // marks pools or routers
}The threat is not that a token has fees. The threat is that fees and permissions can be changed after you buy. This is why upgrade control and constraint design matter more than “current fee percent”.
A timeline view: how upgrades enable post-launch traps
Proxy honeypots are usually staged. They are not random. The attacker wants liquidity and trust first. This chart is not real market data. It is a conceptual timeline that helps you recognize the playbook.
Where Token Safety Checker fits in this workflow
A proxy honeypot is not just a “contract risk”. It is a trading risk. The goal of a scan is to catch obvious centralized controls and hostile patterns early so you do not donate liquidity to a trap.
Before you interact with an unknown token, run a quick scan: Token Safety Checker. Use the scan output as a decision support tool, not as a guarantee. The strongest behavior is still your workflow: verify upgrade authority, verify implementation, and treat unverified changeable logic as high uncertainty.
Position sizing as a security tool
Most guides separate “security” and “trading”. That separation is why people get wrecked. Position sizing is a security tool because it reduces the cost of being wrong.
If a token is upgradeable and you cannot confirm strong guardrails, your options are:
- avoid entirely
- use a burner wallet and a small position size that you can afford to lose
- only participate if you can monitor upgrades and exit quickly
This is not about being fearful. It is about aligning size with certainty.
Hardware wallet note: what it helps with, what it does not
Hardware wallets help protect keys from device compromise and reduce the chance you sign something without noticing. They do not magically prevent you from buying a honeypot, because a honeypot is a rule in the token logic. If the token logic blocks sells, a hardware wallet cannot override that.
Still, a hardware wallet is valuable because proxy honeypots often travel with other threats: fake sites, fake contracts, signature spam. If you hold meaningful value, consider using a hardware wallet for your cold storage. For example, Ledger or OneKey. Your core safety gain comes from keeping long-term funds away from risky dApp sessions.
Common myths that proxy honeypots exploit
Myth: “The contract is verified so it is safe”
Verification often covers the proxy but not the implementation, or it covers an old implementation. Even when implementation is verified today, it can change tomorrow if upgrades are centralized. Verification is a snapshot. Proxy risk is a timeline.
Myth: “I tested selling and it worked”
Many traps allow sells early. Some allow sells only for whitelisted wallets. Some allow small sells but block larger ones. Some activate restrictions only when liquidity or holder count crosses a threshold. “Sold once” proves nothing unless you also verify upgrade controls and transfer logic constraints.
Myth: “Ownership is renounced, so no one can change anything”
Ownership renounce can be meaningless if upgrade authority is held elsewhere. You can renounce “owner” in the token logic while still controlling upgrades via proxy admin. The correct question is not “is owner renounced”. It is “does anyone still have control levers”.
Step-by-step checks you can apply every time
The checklist below is designed for repeatability. Print it or save it. The value is not in reading it once. The value is in running it each time you are tempted to buy a token quickly.
Proxy honeypot checklist
- Proxy identified: confirm whether the token address is a proxy, and note proxy type if possible.
- Implementation recorded: capture the current implementation address and whether it is verified.
- Upgrade authority mapped: identify who can upgrade and whether upgrades are timelocked or multisig-controlled.
- Role map: list roles that can change tax, blacklist, whitelist, pair settings, or fee collector.
- Transfer path inspected: check if behavior changes when sending to AMM pairs or routers.
- Limits exist: verify there are caps on fees and meaningful constraints on owner actions.
- Exit plan: if uncertainty remains, reduce size, use burner wallet, and define what signal triggers exit.
Realistic scenarios: how proxy honeypots catch people
Scenario 1: clean launch, then “maintenance upgrade”
The token launches with normal behavior. Social proof builds. Liquidity grows. Then the team announces a “maintenance upgrade” for minor fixes. After the upgrade, sells begin to fail or taxes spike. In many cases the chart still moves because insiders can sell through a whitelisted path. Retail blames slippage or MEV. In reality, the logic changed.
Scenario 2: router-specific sell blocks
A token might allow sells through a specific router or path while blocking popular routers. This creates confusion because some wallets can sell and others cannot, depending on route selection. It also creates a channel for insiders to exit while retail fails. Proxy upgrades make this easy to introduce after launch.
Scenario 3: blacklist wave after whales buy
A token uses “anti-bot” marketing to justify blacklist features. Later, after whales and retail have accumulated, the controller blacklists a set of addresses that try to sell. The token still trades, but the punished wallets cannot exit. This is not always automated. Sometimes it is manual, selective, and targeted.
If you already bought: how to reduce damage
Sometimes you will buy before you fully verify. When that happens, your next actions matter. Proxy honeypots are dynamic. You should treat the situation as time-sensitive.
- Do not add more: avoid doubling down before you understand upgrade controls.
- Record current implementation: capture implementation address now so you can detect changes later.
- Test exits carefully: small sells can reveal if tax is confiscatory or if sells are selectively blocked.
- Reduce approval exposure: avoid granting unlimited approvals to unknown routers for a token you do not trust.
- Move valuable assets out: keep the risky token in a burner wallet, not in the same wallet as meaningful holdings.
How this connects to wallet drainers
Proxy honeypots and wallet drainers are different categories, but they often show up together in the same ecosystem. The same communities that push trap tokens also push fake claim sites, fake “support”, and signature prompts. That is why the prerequisite reading matters: Wallet Drainers.
If you are stuck in a honeypot, you become emotionally vulnerable. That is exactly when drainers strike with “recovery services” and “unlock tools”. The rule is simple: if someone offers to help you unlock a token and asks for your seed phrase or private key, you are about to be drained twice.
A practical stack that fits real life
You do not need a complex setup to reduce proxy honeypot risk. You need consistent habits. Here is a simple, sustainable stack:
- Learning: keep improving fundamentals via Blockchain Technology Guides and Blockchain Advance Guides.
- Scanning: run token checks before interacting using Token Safety Checker.
- Wallet hygiene: segment wallets into cold, hot, and burner.
- Governance awareness: treat upgrade authority as the true “owner” of an upgradeable token.
- Monitoring habit: record and periodically re-check implementation addresses for upgradeable tokens you hold.
Stop proxy honeypots before they trap you
The highest payoff skill here is not “reading all code”. It is verifying upgrade authority and spotting trap levers in transfer logic. Run a quick scan, confirm the implementation, and size your risk based on what you cannot verify.
Closing: the rule proxy honeypots teach
Proxy honeypots teach one rule: never analyze an upgradeable token as if it is static. Your safety depends on knowing what code runs today and who can change it tomorrow. If upgrades are centralized, unguarded, or opaque, you are not trading a token. You are trading someone’s promise.
Keep your process simple: identify proxy type, record implementation, map upgrade authority, scan for trap levers, and size your exposure to uncertainty. And revisit the prerequisite reading whenever you feel yourself rushing: Wallet Drainers. The same disciplined mindset will save you across many threats, not just honeypots.
FAQs
What are proxy-based honeypots?
Proxy-based honeypots are token traps that use an upgradeable proxy architecture. The proxy address stays the same, but the implementation logic can be changed. Attackers use upgrades to turn a token from normal behavior into sell blocks, confiscatory taxes, blacklist traps, or router-specific restrictions after liquidity and trust grow.
Is every upgradeable token a scam?
No. Upgradeability can be legitimate. The risk comes from how upgrades are controlled. A well-designed system uses multisig governance, timelocks, and transparent upgrade processes. A risky system uses a single wallet admin, no timelock, unverified implementations, or hidden roles that can change rules without warning.
Why does “I tested selling and it worked” not prove safety?
Because proxy honeypots can change behavior over time. Many allow sells early to build trust, then activate restrictions after an upgrade or after liquidity crosses a threshold. Some allow sells only for whitelisted wallets, which can make charts look active while retail is trapped.
What is the single most important thing to check?
Upgrade authority. If one actor can upgrade instantly without a timelock, that actor can introduce trap logic later. After that, check the transfer logic for taxes, whitelist controls, blacklist features, and special-case behavior when interacting with AMM pairs.
How do I reduce risk if I still want to trade high-risk tokens?
Use a burner wallet, keep position size small relative to uncertainty, avoid unlimited approvals, record the implementation address at buy time, monitor for upgrades, and separate meaningful assets into cold storage. Combine that with quick scans and a repeatable checklist.
How does this relate to wallet drainers?
Proxy honeypots are contract traps, while wallet drainers are theft workflows that exploit keys, signatures, and permissions. They often appear in the same ecosystems. Getting stuck in a honeypot makes people vulnerable to fake “recovery services” that ask for seed phrases. Reading the wallet drainers guide helps you avoid being tricked twice.
Does a hardware wallet protect me from a honeypot?
A hardware wallet protects your keys and improves signing hygiene, but it cannot override hostile token logic. If a token blocks sells or imposes extreme taxes, a hardware wallet cannot fix that. It is still a strong layer for protecting long-term holdings from risky browsing and dApp sessions.
What should I do if I suspect a token upgraded into a trap?
Stop adding funds, record the current implementation address, test exits cautiously with small amounts, reduce approvals, and consider exiting if possible. If you cannot exit, be extremely skeptical of anyone offering “unlock tools”, especially if they ask for your seed phrase or private key.
References
Official standards and reputable docs for deeper learning:
- EIP-1967: Proxy storage slots
- EIP-1822: UUPS proxy standard
- OpenZeppelin Contracts documentation
- OpenZeppelin Upgrades plugins documentation
- TokenToolHub Blockchain Technology Guides
- TokenToolHub Blockchain Advance Guides
- TokenToolHub: Wallet Drainers
Reminder: upgradeable tokens require upgrade-aware thinking. If you only check once, you are vulnerable to “safe at launch, hostile later” traps. Keep a repeatable checklist, record implementation addresses, and revisit Wallet Drainers whenever urgency or hype tries to break your discipline.
