The Register Every strike, burn, and pool — ranked on-chain. Reputation you can check, not claim. See the ledger →
Solana
SolForger

Token safety

How to Check if a Solana Token Is a Honeypot or Rug Pull

A honeypot lets you buy but not sell; a rug pull drains the liquidity. Here is how to check any Solana token before you buy — authorities, liquidity, holders, and metadata.


Two of the most common ways to lose money on a new Solana token have specific, checkable signatures. A honeypot lets you buy but quietly blocks you from selling. A rug pull waits for buyers, then drains the liquidity and leaves you holding tokens with no market. Both feel like bad luck after the fact. Both are usually visible before you buy, if you know where to look.

I do this check for a living, and it takes about two minutes. Here’s exactly what to look at, why each thing matters, and the order I check them in.

Honeypot vs rug pull: know what you’re looking for

They’re different traps, and telling them apart tells you what to check.

HoneypotRug pull
What happensYou can buy but can’t sellLiquidity is drained, price → 0
WhenThe moment you try to exitWhenever the team decides
Enabled byFreeze authority, abusive transfer fee, pool permissionsUnlocked LP, concentrated supply
The tellMoney flows in, not outThe team can still pull liquidity

Notice the common thread: in both, value can enter but the exit is compromised. Every check below is really a way of asking “is the exit real?”

The two-minute checklist

Run these four checks on any token before you buy. You only need the token’s mint address — no wallet connection, no signing. If anything ever asks you to connect a wallet to “check” a token, walk away; the data is all public and readable from the address alone.

1. Is the mint authority revoked?

An active mint authority means the team can create unlimited new supply and dilute you to nothing. For a token that claims a fixed supply, the mint authority should be revoked. You can confirm this on Solscan or with a token certificate — the authority field should read as none.

  • Revoked → supply is provably capped. Good.
  • Active → supply can be inflated at will. High risk unless there’s a clearly explained, legitimate emission schedule.

2. Is the freeze authority revoked?

This is the classic honeypot enabler. While the freeze authority is active, whoever holds it can freeze your token account so you can’t sell — you bought in, and now you’re stuck. A freely tradable token should have freeze authority revoked.

  • Revoked → no one can freeze your wallet. Good.
  • Active → you can be locked out of your own tokens. Treat as a honeypot risk.

3. Is the liquidity burned or locked?

This is the rug pull check. Find the token’s liquidity pool and look at who holds the LP tokens. If the LP is burned (sent to a burn address) or locked in a time-lock contract, the liquidity can’t be pulled. If a team wallet holds the LP, they can withdraw all of it the moment they choose.

  • Burned or locked → liquidity can’t be pulled. Good.
  • Held by a wallet → the team can rug at any time. Highest-priority red flag.

Also glance at how much liquidity there is. A pool with almost nothing in it can’t support real trading and swings wildly — thin liquidity is its own trap.

4. How concentrated are the holders?

Even with revoked authorities and locked liquidity, a token can crater if a few wallets own most of it. Pull up the top holders. The burn address and a locked liquidity pool are fine to see near the top — those are supposed to be there. What worries me is one or two ordinary wallets sitting on a large share of supply, because they can dump into your liquidity and collapse the price.

  • Widely distributed → no single seller can crash it. Healthier.
  • One or two wallets dominate → they can exit on top of you. Elevated risk.

Beyond the checklist: softer signals

The four checks above are the hard, on-chain facts. These don’t confirm a scam, but they raise or lower my confidence:

  • Missing or sloppy metadata. No logo, a copy-pasted description, or a name impersonating a known project. Legit teams do the metadata properly.
  • Token-2022 transfer fee set high. A tax token with a modest fee is a legitimate design. A transfer fee cranked to something extreme is a soft honeypot — you can technically sell, but the fee eats most of it.
  • Brand-new everything. A token, pool, and social accounts all created within the same hour deserve extra scrutiny. That’s not proof of anything, but it’s the profile of a fast launch.
  • Pressure to buy now. Urgency is a sales tactic, and on-chain facts don’t expire. If a token is safe, it’ll still be safe after you’ve checked it.

Read it all at once with a certificate

Doing four lookups by hand works, but the fastest way is a page that reads them together. A token certificate takes a mint address and reports the authorities, metadata lock, supply, and top holders live from the chain, in one view. Nothing on it is self-reported by the team — it’s read straight from Solana — so it’s the same data whether the project is honest or not.

Run it before you buy, and if you’re launching a token yourself, publish one so your buyers don’t have to assemble the picture by hand.

The one rule that covers all of it

Verify on-chain; never take a team’s word. Screenshots can be faked, Telegram messages can be deleted, but the mint’s authorities, the LP’s holder, and the supply distribution are public and can’t be edited after the fact. Two minutes of checking the exit is the cheapest insurance in crypto. When you want to run the check, the token safety checker is free and needs nothing but the address.

Frequently asked questions

What is a honeypot token on Solana?

A honeypot is a token you can buy but cannot sell. The token or its pool is arranged so that buy transactions succeed and sell transactions fail or are blocked, trapping your money. Common enablers include an active freeze authority, a transfer-fee extension set punishingly high, or manipulated pool permissions. The tell is always the same: liquidity flows in but not out.

How can I tell if a Solana token is a rug pull before buying?

Check four things: whether mint authority is revoked (supply cannot be inflated), whether freeze authority is revoked (you cannot be locked out), whether the liquidity is burned or locked (it cannot be pulled), and whether a few wallets hold most of the supply (they can dump on you). A token that fails any of these is a higher risk, and one that fails several is a likely trap.

Is checking a token's authorities enough to know it is safe?

No. Revoked authorities remove two specific risks — inflation and freezing — but a token can still rug through unlocked liquidity or concentrated holders. Safety is the whole picture: authorities, liquidity status, holder distribution, and metadata together. Treat any single green check as necessary, not sufficient.

Do I need to connect my wallet to check a token?

No, and you should be suspicious of any checker that requires it. All the data that matters — authorities, supply, liquidity, holders — is public on-chain and readable from a mint address alone. A safety check should never ask you to connect a wallet or sign anything.

What is a safe number of top holders for a token?

There is no fixed rule, but concentration is the risk. If the top one or two wallets (excluding the burn address and a locked liquidity pool) hold a large share of supply, they can crash the price by selling. Widely distributed supply is healthier. Always check whether large holders are contracts, like a locked pool, or ordinary wallets that can dump.

Written by

Lena Okonkwo

DeFi security researcher, SolForger

Lena reads contracts and liquidity for a living. Before joining SolForger she spent years doing on-chain forensics — tracing where liquidity went after a launch, why a token would not sell, and which authority a team quietly kept. She covers the safety side of the forge: how to revoke authorities, how to read a certificate, and how to tell a real liquidity pool from a honeypot before you send a single lamport. Her rule for readers is the same one she uses herself: verify on-chain, never take a team's word.

  • Rug-pull forensics
  • Liquidity mechanics
  • On-chain analysis
  • Raydium & Jupiter
  • Token authority audits