How to detect an Ethereum scam token: 7 checks before you buy

A practical 2026 guide to spotting honeypots, rug pulls, and brand-jacked tokens. Seven concrete on-chain checks anyone can run in five minutes.

Ethereum’s openness is the reason scams are so common, and also the reason they are detectable. Every contract is on-chain. Every deployer’s history is public. Every liquidity pool is auditable. Most rug pulls and honeypots leave fingerprints minutes or hours before they hit retail. You just need to know where to look.

Below are seven checks. Run them on any token before sending ETH. Three or more red flags = walk away.

What is a honeypot in crypto?

A honeypot is a smart contract that lets you buy a token but blocks you from selling. It works by overriding the ERC-20 transfer function, applying a 100% sell tax, or maintaining a hidden blacklist. Buy transactions confirm normally, so the contract looks healthy on Etherscan. Sells revert with a generic error. The deployer drains liquidity once enough victims are stuck.

The detection method is a sell-side simulation: a tool like Honeypot.is or our own scanner sends a synthetic sell through the actual DEX router. If the buy succeeds and the sell reverts, that is the textbook honeypot signature.

How do I check if a contract is verified on Etherscan?

Open etherscan.io, paste the contract address, and look for the green checkmark next to “Contract” in the top tab bar. A verified contract shows readable Solidity source. Unverified contracts only expose bytecode, which makes inspection much harder. Verification is necessary but not sufficient: a verified contract can still be a scam, but unverified ones are a serious red flag for any new launch.

For unverified tokens, the next step is bytecode analysis. The 4-byte selectors of externally callable functions (setBlacklist, setMaxTx, mint with no cap) stay visible in the deployed bytecode even without source. Static analyzers can read the bytecode and surface the obvious traps.
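One way to do the selector scan described above, as an added example (not RektRadar's code or any analyzer's): it walks runtime bytecode, such as the hex returned by the eth_getCode JSON-RPC call, and reports known owner-control selectors. The selector table assumes common OpenZeppelin-style signatures; setBlacklist and setMaxTx have no standard signature, so their selectors must be derived from the exact signature a given contract family uses.

```python
# Added example. Selectors are keccak-256(signature)[:4] for common
# OpenZeppelin-style signatures (an assumption; tokens may use other types).
OWNER_CONTROLS = {
    "40c10f19": "mint(address,uint256)",
    "8456cb59": "pause()",
    "3f4ba83a": "unpause()",
    "f2fde38b": "transferOwnership(address)",
}
PUSH1, PUSH4, PUSH32 = 0x60, 0x63, 0x7F


def push4_operands(code: bytes) -> set:
    """Walk the bytecode one opcode at a time and collect PUSH4 operands."""
    found, i = set(), 0
    while i < len(code):
        op = code[i]
        if PUSH1 <= op <= PUSH32:
            size = op - PUSH1 + 1              # PUSHn carries n operand bytes
            operand = code[i + 1:i + 1 + size]
            if op == PUSH4 and len(operand) == 4:
                found.add(operand.hex())
            i += 1 + size                      # operand is data, never decode it
        else:
            i += 1
    return found


def flag_owner_controls(runtime_hex: str) -> dict:
    """Return {selector: signature} for known owner controls in the dispatcher."""
    seen = push4_operands(bytes.fromhex(runtime_hex.removeprefix("0x")))
    return {sel: sig for sel, sig in OWNER_CONTROLS.items() if sel in seen}


# Constructed runtime fragment (not a real token): a three-entry dispatcher,
# then a PUSH32 constant whose last five bytes happen to read "PUSH4 unpause()".
SAMPLE = (
    "0x6080604052" + "60003560e01c"            # free-memory setup, load selector
    + "806340c10f191461004057"                 # DUP1 PUSH4 mint EQ PUSH2 JUMPI
    + "80638456cb591461005057"                 # ... pause()
    + "8063a9059cbb1461006057"                 # ... transfer(address,uint256)
    + "7f" + "00" * 27 + "633f4ba83a"          # PUSH32 data, not an instruction
    + "00"                                     # STOP
)

if __name__ == "__main__":
    for selector, signature in flag_owner_controls(SAMPLE).items():
        print(f"0x{selector}  {signature}")
```

A matching selector shows that the function is externally callable, not that it is uncapped or who may call it. The PUSH32 case in the sample is why a plain substring search over the hex is not enough.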

What are the warning signs of a rug pull?

The strongest signals are: deployer wallet less than 24 hours old, no liquidity lock or LP locked for under 30 days, owner not renounced with mint or tax-update functions still callable, top 10 holders owning over 50 percent of supply, and the deployer having shipped similar contracts that already rugged. Three or more of these on a single token means the rug is the base case, not the exception.

The deployer’s history is the most predictive signal. A wallet that shipped 14 brand-jacked tokens in the last 90 days, all rugged within three days of launch, is almost certainly going to do it again.

How do I verify the LP is locked?

Find the pair address on DEX Screener or DEXTools, then check the LP token holders on Etherscan. If the largest holder is a known lock contract (Unicrypt, Team Finance, PinkLock), the LP is locked. Click the lock contract and confirm the unlock date covers a meaningful period. If the LP token sits in the deployer wallet or a fresh EOA, there is no lock and the dev can pull liquidity at any time.

A “burnt” LP (sent to address 0x0…dead) is even safer than a lock: nobody can ever pull it. But a burnt LP also means the project can never re-balance or migrate. For meme tokens, burning is fine. For projects that promise future tokenomics changes, it is a contradiction.

Can a contract owner block selling?

Yes. Common patterns include a setSellTax function the owner can flip to 99 percent, a blacklist mapping that prevents specific addresses from transferring, a pause modifier on the transfer function, and a tradingEnabled boolean that is never set to true. Read the contract source on Etherscan and search for these names. If the function exists and the owner is not the zero address (that is, ownership has not been renounced), the owner can block your exit.

Renounced ownership is not a guarantee either. Some projects use a two-tier admin pattern: ownership is renounced to a dummy address while a separate “tax wallet” or “marketing multisig” still has full control. Always trace where the privileged functions actually point.
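A heuristic for the tracing step above, added here as an example and not taken from any scanner: it lists which modifier or address gates each function in verified source, then drops the onlyOwner-gated ones to show what stays callable after a renounce. The Solidity sample and the names taxWallet, privileged_functions and survives_renounce are constructed; the regexes assume conventional formatting and that onlyOwner checks the owner variable.

```python
import re

# Constructed Solidity source (not a real token). Assumption: onlyOwner is the
# usual modifier that compares msg.sender with the owner variable.
SOURCE = """
contract Token {
    address public owner;
    address private taxWallet;
    uint256 public sellTax;
    bool public tradingEnabled;
    mapping(address => bool) private blacklist;
    modifier onlyOwner() { require(msg.sender == owner); _; }
    function renounceOwnership() external onlyOwner { owner = address(0); }
    function enableTrading() external onlyOwner { tradingEnabled = true; }
    function setBlacklist(address a, bool b) external onlyOwner { blacklist[a] = b; }
    function setSellTax(uint256 t) external {
        require(msg.sender == taxWallet, "denied");
        sellTax = t;
    }
    function transfer(address to, uint256 v) external returns (bool) {
        require(!blacklist[msg.sender] && tradingEnabled);
        return true;
    }
}
"""
FUNC_RE = re.compile(r"\bfunction\s+(\w+)\s*\([^)]*\)([^{;]*)\{")
SENDER_RE = re.compile(r"require\s*\(\s*msg\.sender\s*==\s*(\w+)")


def privileged_functions(source: str) -> dict:
    """Map each access-controlled function to the names that gate it."""
    gated = {}
    for m in FUNC_RE.finditer(source):
        depth, end = 1, m.end()                # m.end() is just past the "{"
        while depth and end < len(source):     # find the matching "}"
            depth += {"{": 1, "}": -1}.get(source[end], 0)
            end += 1
        gates = set(re.findall(r"\bonly\w+", m.group(2)))      # modifiers
        gates |= set(SENDER_RE.findall(source[m.end():end]))   # inline checks
        if gates:
            gated[m.group(1)] = gates
    return gated


def survives_renounce(source: str) -> dict:
    """Functions still callable by someone after owner is set to address(0)."""
    return {fn: gates - {"onlyOwner"}
            for fn, gates in privileged_functions(source).items()
            if gates - {"onlyOwner"}}
```

On the sample, setSellTax is the only function left after the renounce, gated by taxWallet rather than the owner.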

What is a brand-jacked token?

A brand-jacked token deploys with the symbol of a famous project (USDT, PEPE, XRP, TRUMP) but is unrelated to the official one. The goal is to ride the search volume and confuse buyers using DEX search. Most fake USDT contracts on Ethereum are honeypots. The fix is simple: never trust the ticker, always check the contract address against the official project’s documentation or a trusted aggregator like CoinGecko.

On RektRadar, every popular ticker has its own hub page listing every contract that has used that ticker, sorted by risk score. For example: $PEPE scam reports, $USDT scam reports, $TRUMP scam reports. The brand-jacking volume is consistently several dozen flagged contracts per ticker, every quarter.

How long does it take to detect a scam token?

On RektRadar, a full scan completes in 8 to 25 seconds: source verification, bytecode pattern matching, honeypot simulation against three DEX pools, deployer history lookup, and graph clustering against known scam wallets. Most scam tokens get flagged at the first analysis, often before they have any organic buyers. Pre-launch detection (mempool monitoring) typically catches the rug 30 to 90 seconds before the first liquidity-add transaction confirms.

The latency matters because retail buys peak in the first 5 to 15 minutes of a launch. A scanner that gives you a verdict in 10 seconds is the difference between catching a rug pre-buy and reading the post-mortem.

Putting it together

The seven checks above cover the dominant scam categories on Ethereum: honeypots, rug pulls via LP withdrawal, owner-controlled sell blocks, brand-jacked confusion plays, and deployer-cluster repeat offenders. None of them require dev skills. They are pattern recognition.

If you want the whole pipeline automated, paste any contract into app.rektradar.io: it runs all of these in parallel, scores the result 0-100, and surfaces the specific flags that triggered. Free for the first scans, and the report is permanent and shareable.

Stay safe out there. Most rugs are obvious five seconds before retail buys. The point of detection tooling is just to compress those five seconds into something you can actually consult before clicking confirm.