Trust & Safety
ERC-20 Security Checklist
What automated rug-pull scanners and serious traders check before buying a new ERC-20 token, and how to make sure your token passes.
The two highest-impact items: (1) Lock liquidity for 6+ months. (2) Renounce ownership if your contract has no admin functions. Doing both passes the majority of automated checks.
The 12 Security Checks Traders Run
Sequenced from highest to lowest impact on trader trust:
1. LP tokens sent to a time-locked contract (Unicrypt, Team Finance) so the creator cannot drain the pool. Minimum 6 months; 1 year preferred.
2. For a standard fixed-supply ERC-20, call renounceOwnership() so the contract becomes immutable. Skip only if your contract has legitimate ongoing admin functions.
3. Submit source code to Etherscan so the green checkmark appears. Unverified contracts are immediately suspect to serious traders.
4. The contract should not have a callable mint() function reachable by anyone. RugCheck and TokenSniffer flag this automatically.
5. Owner-controlled blacklist functions let the creator block specific addresses from selling. Major red flag.
6. A transfer fee that the owner can raise to 100% is a delayed honeypot. Fees should either be zero or be capped immutably.
7. Traders test-buy a small amount and try to sell it back. If sells fail or are massively taxed, it is a honeypot. Test before announcing.
8. Excluding LP and known-dead wallets, the top 10 holders combined should not control the majority of supply. High concentration enables coordinated dumps.
9. Even if LP exists, it counts as "unlocked" unless sent to a verified lock contract. Check Unicrypt/Team Finance for the lock entry.
10. Buy/sell limits that look reasonable but can be modified are a slow-rug pattern. Limits should be capped or removed.
11. A treasury held by a single hot wallet is a single point of failure. Move to a Gnosis Safe with 2-of-3 or 3-of-5 signers.
12. If you added any custom logic beyond the standard ERC-20, an audit from QuillAudits, Hacken, Certik, or similar is the baseline for credibility.
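As an added example (not ETHTokenLaunch's contract and not OpenZeppelin's own code), here is the shape of a fixed-supply token that passes the contract-side checks above: the whole supply is minted once in the constructor with no mint() reachable afterwards, there is no blacklist, pause or transaction limit, and the transfer fee has a ceiling fixed at deployment that the owner can only lower, never raise. It assumes OpenZeppelin Contracts v5 is installed; the 5% hard ceiling, the CheckedToken name and the constructor parameters are choices made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not ETHTokenLaunch's deployed contract. Assumes OpenZeppelin Contracts v5.x.
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

contract CheckedToken is ERC20, Ownable {
    // Fee ceiling in basis points, fixed at deployment. The owner may lower feeBps
    // but can never push it above this value, so there is no "raise fee to 100%" path.
    uint16 public immutable MAX_FEE_BPS;
    uint16 public feeBps;
    address public immutable feeRecipient;

    event FeeUpdated(uint16 oldFeeBps, uint16 newFeeBps);

    constructor(
        string memory name_,
        string memory symbol_,
        uint256 initialSupply,
        uint16 maxFeeBps,
        address feeRecipient_
    ) ERC20(name_, symbol_) Ownable(msg.sender) {
        // 500 bps (5%) is an arbitrary ceiling chosen for this example.
        require(maxFeeBps <= 500, "fee cap too high");
        require(feeRecipient_ != address(0), "zero fee recipient");
        MAX_FEE_BPS = maxFeeBps;
        feeBps = maxFeeBps;
        feeRecipient = feeRecipient_;
        // The only mint in the contract: supply is fixed from this point on.
        _mint(msg.sender, initialSupply);
    }

    // The single admin function. Once renounceOwnership() is called it reverts forever,
    // which freezes the fee at its last value.
    function setFeeBps(uint16 newFeeBps) external onlyOwner {
        require(newFeeBps <= MAX_FEE_BPS, "fee above immutable cap");
        emit FeeUpdated(feeBps, newFeeBps);
        feeBps = newFeeBps;
    }

    // Fee logic hooks into OpenZeppelin v5's _update. There is deliberately no
    // blacklist, no pause and no max-transaction check here: a transfer can fail only
    // for the standard ERC-20 reasons (insufficient balance or allowance).
    function _update(address from, address to, uint256 value) internal override {
        // Mints (from == 0) and burns (to == 0) are exempt; so are all transfers when the fee is zero.
        if (feeBps == 0 || from == address(0) || to == address(0)) {
            super._update(from, to, value);
            return;
        }
        // Same fee on buys, sells and plain transfers, so a test buy/sell round trip
        // returns exactly what the published fee predicts.
        uint256 fee = (value * feeBps) / 10_000;
        super._update(from, feeRecipient, fee);
        super._update(from, to, value - fee);
    }
}
```

Launch order that follows the checklist: deploy, add liquidity and send the LP tokens to the lock contract, verify the source on Etherscan, set the final fee with setFeeBps, then call the inherited renounceOwnership(). If the token does not need a fee at all, deploy with maxFeeBps set to 0; setFeeBps then has nothing it can do, and ownership can be renounced immediately after deployment.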
Automated Scanners to Run
Paste your contract address into each of these and address every red/yellow flag before going public:
| Scanner | What it checks | URL |
|---|---|---|
| RugCheck | Liquidity lock, owner powers, holder concentration, honeypot patterns | rugcheck.xyz |
| TokenSniffer | Owner-only functions, mint/burn powers, source verification, holder stats | tokensniffer.com |
| Honeypot.is | Whether sells actually work, transfer tax, gas anomalies | honeypot.is |
| De.Fi Scanner | Full contract analysis with severity ratings | de.fi/scanner |
| Etherscan Holders tab | Top holder distribution, suspicious wallet patterns | Etherscan contract page |
Ongoing Security Practices
Pre-launch is one thing; staying secure after launch is another. Standard practices:
- Treasury in multisig. Use Gnosis Safe (now Safe{Wallet}). 2-of-3 minimum, 3-of-5 ideal. Single-key treasuries are a known failure pattern.
- Hot wallets minimal. Day-to-day operating wallets hold operational ETH only, not treasury allocation.
- Allowance hygiene. Revoke approvals you no longer need at revoke.cash. Old DEX approvals are the most common exploit vector for non-contract holders.
- No private key in plain text. Use a hardware wallet (Ledger, Trezor, GridPlus) for any wallet holding meaningful value. Seed phrase on paper or metal, never digital.
- Phishing awareness. Project Twitter and Telegram are constantly impersonated. Pin official URLs. Never DM first - serious people do not DM crypto opportunities.
- Holder communication on incidents. If something goes wrong (failed liquidity add, accidental wallet exposure), say so immediately. Cover-ups always come out and cost more than the original error.
Pre-launch ready?
ETHTokenLaunch deploys a clean OpenZeppelin-based ERC-20 contract. The renounce-ownership add-on closes the biggest single security gap automatically.