How to Check Token Safety
Seven concrete steps to verify an Ethereum ERC-20 token before you buy. Each step uses tools that are free and public - Etherscan, DEX Screener, RektRadar. Total time: 10 minutes for the manual flow, 10 seconds with an automated scanner.
Free, no signup. Paste a contract address, get the 0-100 risk score in 10 seconds.
The seven steps
1. Find the contract address - not the ticker
Two tokens can share a ticker. Three hundred fake $USDC contracts exist on Ethereum mainnet - only one is the real Circle USDC at 0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48. Always pull the address from a primary source: the project's verified Twitter, their official docs, or DEX Screener's verified tag. Never trust a Telegram message or a Google ads link.
Watch out: If a project's Twitter is less than 30 days old AND the only place you can find the contract is a Telegram channel, walk away.
2. Verify the contract on Etherscan
Open etherscan.io/address/<contract>. Click the 'Contract' tab. If it says 'Contract Source Code Verified', the project published the Solidity code and you (or any tool) can read what the contract actually does. If it shows 'Contract Source Code Not Verified', you only have raw bytecode - about 30% of scams hide here because they don't want their backdoors readable. Unverified ≠ scam, but it raises the bar.
Watch out: Even verified contracts can be malicious. Verified means readable, not safe. Read the source, or run it through a scanner.
3. Run a honeypot simulator
A honeypot is a contract that lets you buy but blocks you from selling. The sell function reverts on a hidden condition: a blacklist check, a gas-price branch, a one-sell-per-block limit. The only way to catch this is to actually try a sell on a forked mainnet. honeypot.is and RektRadar both run this simulation. A single failed-sell signal in a clean simulation is 100% precision in our 36,263-scam dataset: there are no false positives.
Watch out: Some honeypots are conditional: they fail only on the second sell, or when gas is below 30 gwei. The good scanners run multiple simulations with varied parameters.
4. Inspect the deployer wallet
On Etherscan, click 'Contract Creator' on the address page. You'll land on the deployer's wallet. Three red flags compound: (a) wallet less than 24h old, (b) funded by a single small CEX withdrawal, (c) only deployed contracts - no other on-chain activity. This is the textbook scam factory pattern. Look at the other contracts they've deployed: if half are dead pools with zero liquidity, you're looking at a serial scammer.
Watch out: Use a graph tool (RektRadar's explorer, Breadcrumbs, MetaSleuth) to see what funded the deployer two hops back. A common mass-funder serving 50+ deployers is a scam factory signature.
5. Check liquidity depth and LP ownership
Open dexscreener.com/ethereum/<contract> or the token's pair page on the relevant DEX. Look at the liquidity USD value. Below $1k is scaffolding: the deployer can pull it for half a tenth of an ETH. Above $50k starts to suggest a real launch, though it is not a guarantee of safety in itself. Then check who holds the LP tokens: if the deployer holds 100% of the LP supply unlocked, they can pull the floor at any time. Liquidity locked (Unicrypt, Team.Finance) for at least 30 days is a positive signal.
Watch out: On Uniswap V3, LP ownership is an NFT - search the deployer wallet for NFT holdings on the relevant V3 position manager.
6. Read the holder distribution
On Etherscan, click the 'Holders' tab. The first 200 Transfer events tell the whole story: if one wallet (other than the LP pool) holds 90% of supply on day one, you're going to be exit liquidity for that one wallet. Healthy distributions have 20-50 holders with 1-5% each. A token with three holders, one of which is the deployer holding 95%, is a guaranteed exit scam waiting for buyers.
Watch out: Some scams use bot wallets to fake distribution. Check the funding history of the top 10 holders - if they're all funded from the same wallet five minutes apart, that's a wash.
7. Try a tiny sell after buying
Even if every static signal passes, your last test is to try selling 1% of what you bought. If the sell goes through with a reasonable tax (≤5%), the contract isn't a structural honeypot. If the sell reverts, if the slippage required exceeds 30%, or if you get back a fraction of what the price quoted - exit immediately with whatever you can. This is the only test that catches dynamic honeypots and runtime kill switches that static analysis misses.
Watch out: Some contracts let the first few sellers out cleanly, then activate the blacklist. Don't extrapolate from one successful sell - it just means the trap is delayed.
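Step 6 (and the funding check in its watch-out) comes down to replaying on-chain events. The Python below is an added example, not code from this page or from RektRadar: it replays constructed ERC-20 Transfer events into a holder table, computes each top holder's share of supply excluding the LP pair, and flags the two step-6 patterns (one wallet at 90%+ on day one, and top holders all funded from a single wallet minutes apart). All addresses, amounts and timestamps are made up.

```python
from collections import defaultdict

ZERO = "0x" + "0" * 40  # ERC-20 mints are Transfer events from the zero address

def balances_from_transfers(transfers):
    """Replay (from, to, value) Transfer events into final token balances."""
    bal = defaultdict(int)
    for frm, to, value in transfers:
        if frm != ZERO:
            bal[frm] -= value
        bal[to] += value
    return {a: v for a, v in bal.items() if v > 0 and a != ZERO}  # burns drop out

def top_holders(transfers, lp_pair, n=10):
    """Largest holders other than the LP pair, as (address, share of total supply)."""
    bal = balances_from_transfers(transfers)
    supply = sum(bal.values())
    ranked = sorted((h for h in bal.items() if h[0] != lp_pair),
                    key=lambda h: h[1], reverse=True)[:n]
    return [(a, v / supply) for a, v in ranked]

def wash_funded(holders, fundings, max_gap=300):
    """Step-6 watch-out: top holders whose first ETH came from one wallet,
    each within max_gap seconds of the previous; unfunded holders are skipped."""
    first = {}
    for funder, to, ts in sorted(fundings, key=lambda f: f[2]):
        first.setdefault(to, (funder, ts))  # keep the earliest inbound ETH only
    seen = [first[a] for a, _ in holders if a in first]
    if len(seen) < 2:
        return False
    times = sorted(ts for _, ts in seen)
    one_source = len({f for f, _ in seen}) == 1
    return one_source and all(b - a <= max_gap for a, b in zip(times, times[1:]))

def distribution_flags(transfers, fundings, lp_pair):
    """Red flags from step 6: a 90%+ wallet on day one, or a faked spread."""
    holders = top_holders(transfers, lp_pair)
    flags = []
    if holders and holders[0][1] >= 0.9:
        flags.append(f"{holders[0][0]} holds {holders[0][1]:.0%} of supply")
    if wash_funded(holders, fundings):
        flags.append("top holders all funded from one wallet minutes apart")
    return flags

# Constructed sample (not real chain data): 1,000,000 minted to the deployer, 90,000
# seeded into the LP pair, 10 each to three wallets one funder topped up 2 min apart.
DEPLOYER, LP, FUNDER = "0xdeployer", "0xlp_pair", "0xfunder"
TRANSFERS = [(ZERO, DEPLOYER, 1_000_000), (DEPLOYER, LP, 90_000),
             (DEPLOYER, "0xbot1", 10), (DEPLOYER, "0xbot2", 10), (DEPLOYER, "0xbot3", 10)]
FUNDINGS = [(FUNDER, "0xbot1", 1000), (FUNDER, "0xbot2", 1120), (FUNDER, "0xbot3", 1240)]
```

On real data, feed it the token's Transfer logs and the top holders' inbound ETH transfers from Etherscan; the 90% and five-minute thresholds are the ones the step states, not tuned values.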
Why a single check isn't enough
No single signal catches every scam. Honeypot simulation is 100% precision on structural traps but misses dynamic blacklists that activate after the first N buyers. Deployer history catches serial scammers but misses one-off rugs from professional teams using fresh wallets. Liquidity depth catches scaffolding launches but says nothing about timed kill switches. Source code review catches the documented attack patterns but doesn't catch novel ones.
The right approach is layered: run all the checks, accept that any single failure is enough to exit, and treat a clean pass as "this token isn't an obvious scam" rather than "this token is safe to hold." Some scams take weeks to spring the trap - your due diligence is necessary but not sufficient.
What scanners catch that manual checks miss
Bytecode pattern matching. When a scammer reuses a contract template across 50 tokens, the scanner detects the shared bytecode hash and flags every new instance instantly. Manually, you'd have to compare bytecode hex by hand. Our database currently tracks 156 such templates with 10+ tokens each; the largest cluster has 4,050 tokens sharing the same contract.
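Why two deployments of one template do not hash identically out of the box: solc appends a CBOR metadata trailer (source IPFS hash, compiler version) whose last two bytes give its length, and that trailer changes with every recompile. The Python below is an added example, not RektRadar's matcher: it strips the trailer, fingerprints what remains, and clusters constructed tokens by fingerprint. The bytecode bodies, hashes and addresses are made up, and sha256 stands in for whatever hash a scanner uses.

```python
import hashlib
from collections import defaultdict

def strip_metadata(code: bytes) -> bytes:
    """Drop the CBOR metadata trailer solc appends to runtime bytecode.
    The last two bytes hold the trailer length; the trailer itself is a CBOR
    map (0xa0-0xbf) carrying the source hash and compiler version, so two
    deployments of one template differ only here."""
    if len(code) < 2:
        return code
    n = int.from_bytes(code[-2:], "big")
    start = len(code) - n - 2
    if start < 0 or (code[start] & 0xe0) != 0xa0:  # no plausible trailer
        return code
    return code[:start]

def template_hash(code: bytes) -> str:
    """Fingerprint of the logic alone (sha256 used here; any stable hash works)."""
    return hashlib.sha256(strip_metadata(code)).hexdigest()

def cluster_templates(tokens: dict) -> dict:
    """Group token addresses that share a template fingerprint."""
    groups = defaultdict(list)
    for addr, code in tokens.items():
        groups[template_hash(code)].append(addr)
    return {h: addrs for h, addrs in groups.items() if len(addrs) > 1}

def with_metadata(body: bytes, ipfs_digest: bytes) -> bytes:
    """Constructed helper: append a solc-style {ipfs, solc} CBOR trailer."""
    meta = (b"\xa2\x64ipfs\x58\x22\x12\x20" + ipfs_digest
            + b"\x64solc\x43\x00\x08\x14")  # solc 0.8.20
    return body + meta + len(meta).to_bytes(2, "big")

# Constructed sample: two tokens compiled from the same source with different
# metadata hashes, and one token with different logic.
BODY_A = bytes.fromhex("6080604052348015600f57600080fd5b50")
BODY_B = bytes.fromhex("6080604052600436106100295760003560e01c")
TOKENS = {
    "0xtoken1": with_metadata(BODY_A, hashlib.sha256(b"build-1").digest()),
    "0xtoken2": with_metadata(BODY_A, hashlib.sha256(b"build-2").digest()),
    "0xtoken3": with_metadata(BODY_B, hashlib.sha256(b"build-3").digest()),
}
```

A production matcher also masks immutable values and constructor-dependent constants embedded in the runtime code, which this trailer-only version does not.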
Funder graph analysis. Following the deployer back two hops to a mass-funder takes 30 minutes per token manually. A graph database does it in milliseconds. We've identified scam factory funders that have funded 200+ deployer wallets across the last 90 days.
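The two-hop walk described above, as an added example that is not RektRadar's graph code: from each deployer, follow inbound ETH transfers backwards two hops and count how many deployers each upstream wallet sits behind. Known exchange hot wallets are excluded because they fund everyone and would otherwise dominate. The transfers, addresses and the lowered threshold in the sample are constructed; the page's 50+ figure is the default.

```python
from collections import defaultdict

def funding_graph(eth_transfers):
    """Map each wallet to the set of wallets that sent it ETH."""
    funders = defaultdict(set)
    for sender, recipient, _value in eth_transfers:
        funders[recipient].add(sender)
    return funders

def upstream(funders, wallet, hops=2):
    """Every wallet reachable by walking funding edges backwards up to `hops` steps."""
    seen, frontier = set(), {wallet}
    for _ in range(hops):
        frontier = {f for w in frontier for f in funders.get(w, ())} - seen - {wallet}
        seen |= frontier
    return seen

def mass_funders(eth_transfers, deployers, known_exchanges=frozenset(),
                 min_deployers=50, hops=2):
    """Upstream wallets that sit behind at least `min_deployers` deployers."""
    funders = funding_graph(eth_transfers)
    served = defaultdict(set)
    for d in deployers:
        for f in upstream(funders, d, hops) - set(known_exchanges):
            served[f].add(d)
    return {f: sorted(ds) for f, ds in served.items() if len(ds) >= min_deployers}

# Constructed sample: one wallet funds three intermediaries, each of which
# funds one deployer; a fourth deployer is funded straight from an exchange.
ETH_TRANSFERS = [
    ("0xmass", "0xmid1", 5), ("0xmass", "0xmid2", 5), ("0xmass", "0xmid3", 5),
    ("0xmid1", "0xdep1", 1), ("0xmid2", "0xdep2", 1), ("0xmid3", "0xdep3", 1),
    ("0xexchange", "0xdep4", 1),
]
DEPLOYERS = ["0xdep1", "0xdep2", "0xdep3", "0xdep4"]
EXCHANGES = {"0xexchange"}
```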
Real-time monitoring. Static checks are point-in-time. A scanner that watches the contract after launch catches malicious upgrades, blacklist additions and ownership changes within minutes of the on-chain transaction. Manual due diligence runs once and ages.