How to spot a honeypot token before you buy (and automate the whole checklist)

Every week someone in a chat I’m in buys a token they can’t sell. The pattern is always the same: chart looks organic, Telegram group is buzzing, contract is “renounced” according to a screenshot someone posted. Then they try to sell and the transaction reverts. That’s a honeypot, and it is one of the few scams you can reliably detect before putting money in — the evidence is on-chain and public. Here is the checklist I actually use, and how to automate it.

1. Can you sell? Simulate, don’t trust

A honeypot lets you buy but blocks the sell path — usually a hidden condition in transfer() that only the deployer’s wallets pass. You cannot see this from the chart, and you can’t always see it from the verified source either (obfuscation is an art form). The reliable way is a buy/sell simulation: fork the chain state, buy the token, immediately try to sell it, and see what happens. honeypot.is does exactly this for Ethereum, BSC and Base — free, no key. If the simulated sell fails or eats 90% in “tax”, you have your answer.

2. Read the static flags

GoPlus token security API aggregates most of what you’d check by hand on a block explorer:

  • Owner powers: can the owner edit balances? Pause transfers? Blacklist you after buying? Take back “renounced” ownership?
  • Mint: can supply be inflated into your position?
  • Taxes: a 5% tax is a business model, a 45% sell tax is an exit scam with extra steps.
  • Proxy contracts: upgradeable logic means today’s honest contract can be tomorrow’s honeypot.
  • Deployer history: wallets that shipped honeypots before tend to do it again.

None of these flags alone is a verdict — USDC is a proxy contract, most stablecoins have an admin — but stacked together they tell a story.

3. Check who holds the bag

If the top 10 wallets hold 80%+ of supply (excluding locked liquidity and burn addresses), the price is whatever they decide it is. Holder concentration plus fresh liquidity plus a deployer wallet funded an hour ago through a mixer is a rug with the fuse lit.

4. TON is not exempt

The same failure modes exist for TON jettons, they just look different: mint authority not revoked, admin address still set, transfer-tax jettons, STON.fi blacklists. Fewer tools cover TON, which is exactly why scammers like it right now.

Automating all of the above

Doing this checklist by hand takes ten minutes per token across four websites. I got tired of it, so all of it is wrapped into a Telegram bot: @RugLens_bot — paste a contract address (EVM or TON), get the full report in a few seconds: honeypot simulation, taxes, owner powers, holder concentration, liquidity, scored 0–100 with plain-language flags. It detects the chain automatically via DEX listings, works inline in any chat (@RugLens_bot <address>), and does 5 checks a day free, which is enough for normal degeneracy levels. Source and self-hosting instructions: github.com/mrvlyouknowwho/ruglens (MIT).
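To show how the checklist's signals stack into one number, here is an added example (my own illustration, not RugLens's code): a sell simulation result, the static flags, and holder spread are combined into a 0–100 risk score with plain-language notes. Flag names mirror the GoPlus token_security response as I understand it (an assumption), the simulation dict is a honeypot.is-style result, and all token data is constructed; holder percentages are fractions of total supply.

```python
"""Stack a sell simulation, static contract flags and holder spread into one risk score."""

# Constructed placeholders for balances that cannot be dumped (burn sink, locker).
BURN_OR_LOCKED = {"0x000000000000000000000000000000000000dead", "0xlockerplaceholder"}

FLAG_WEIGHTS = [  # (GoPlus-style field, risk points, plain-language note)
    ("owner_change_balance", 40, "owner can edit balances"),
    ("can_take_back_ownership", 35, "ownership can be taken back after 'renounce'"),
    ("is_blacklisted", 25, "owner can blacklist wallets after they buy"),
    ("transfer_pausable", 20, "owner can pause transfers"),
    ("is_mintable", 20, "supply can be inflated into your position"),
    ("is_proxy", 15, "upgradeable proxy: logic can change later"),
]

def holder_concentration(holders, top_n=10):
    """Share of *free* supply (burn and locker balances removed) held by the top_n wallets."""
    free = sorted((p for a, p in holders if a.lower() not in BURN_OR_LOCKED), reverse=True)
    total_free = sum(free)
    return sum(free[:top_n]) / total_free if total_free else 0.0

def score_token(flags, sim, holders):
    """Return (risk 0-100, notes). One static flag alone stays well below the top;
    a failed simulated sell, or several flags stacked, pushes the score to 100."""
    risk, notes = 0, []
    if not sim["sell_ok"]:
        risk += 100
        notes.append("simulated sell reverts: honeypot")
    elif sim["sell_tax"] >= 0.30:
        risk += 60
        notes.append(f"sell tax {sim['sell_tax']:.0%}: exit scam with extra steps")
    elif sim["sell_tax"] >= 0.10:
        risk += 20
        notes.append(f"sell tax {sim['sell_tax']:.0%}")
    for key, weight, note in FLAG_WEIGHTS:
        if flags.get(key):
            risk += weight
            notes.append(note)
    conc = holder_concentration(holders)
    if conc >= 0.80:
        risk += 30
        notes.append(f"top-10 wallets hold {conc:.0%} of free supply")
    return min(risk, 100), notes

# Constructed sample tokens: a honeypot, and a stablecoin-like token that is a proxy with an admin.
HONEYPOT_FLAGS = {"owner_change_balance": True, "is_blacklisted": True}
HONEYPOT_SIM = {"sell_ok": False, "sell_tax": 0.0}
HONEYPOT_HOLDERS = [("0x000000000000000000000000000000000000dead", 0.10),
                    ("0xa1", 0.50), ("0xa2", 0.30), ("0xa3", 0.05), ("0xa4", 0.05)]
STABLE_FLAGS = {"is_proxy": True, "is_mintable": True}
STABLE_SIM = {"sell_ok": True, "sell_tax": 0.0}
STABLE_HOLDERS = [(f"0xb{i:02x}", 1 / 30) for i in range(30)]  # 30 evenly spread wallets

if __name__ == "__main__":
    print("honeypot:", score_token(HONEYPOT_FLAGS, HONEYPOT_SIM, HONEYPOT_HOLDERS))
    print("stablecoin-like:", score_token(STABLE_FLAGS, STABLE_SIM, STABLE_HOLDERS))
```

Note that the burned 10% is removed before measuring concentration, so the four live wallets show up as holding all of the free supply rather than 90% of the total.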

The one rule that beats every tool

A clean report means “no known trap detected”, not “this is a good investment”. Tools catch mechanical scams — they don’t catch a dev who simply dumps on you with a perfectly honest contract. Size positions like the token can go to zero, because it can.