How to Spot a Rug Pull in 60 Seconds (2026 Guide)

Most rugs leave the same fingerprints. If you know what to look for, sixty seconds with a contract address is usually enough to walk away from a bad trade. This guide walks through the five fingerprints that catch the majority of rug-pull tokens we see across Ethereum, Base, BSC and Solana.

1. Honeypot simulation (the buy-but-can't-sell trap)

A honeypot lets you buy the token but blocks selling, either by reverting the swap or by silently taxing 100% of the proceeds. Honeypot detection requires running a simulation against the contract — GoPlus and Honeypot.is both expose this. Pulsentric runs the check on every token report and weights it +50 in the public deception score.

2. Liquidity lock

If the deployer can withdraw the LP tokens, they can also drain the pool — that's the classic rug. Locked LP via Unicrypt, Team.Finance or Pinksale shows up as a transfer to a known locker contract. Burned LP (sent to 0x000…dead) is the strongest version. Both lower the surface area drastically.

3. Top-holder concentration

If a single non-LP wallet holds more than 20-30% of supply, that wallet has unilateral dump power. Above 50% it's pre-rugged in everything but name. Always exclude the LP pair contract from the calculation — it's not a holder, it's the market.

4. Ownership status

Renounced ownership (transferred to 0x0) means no more privileged calls — no fee changes, no blacklist, no mint. Look for `can_take_back_ownership` and `owner_change_balance` flags: even on a renounced contract, certain proxy patterns or hidden roles can resurface.

5. Source verification

Verified source on Etherscan/BaseScan isn't a safety guarantee, but unverified source is a hard yellow flag. Without bytecode → source mapping, no automated audit can prove there isn't a hidden mint, blacklist, or fee escalator.

The 60-second checklist

1. Paste the contract address into /scanner.
2. Look for 5 green checks: honeypot ✗, LP locked ✓, top holder <20%, ownership renounced or no escalation, source verified.
3. If anything is red, check whether it's compensable (e.g. unverified but ownership renounced is recoverable; honeypot is not).
4. Open the public token report (e.g. /token/ethereum/0xdAC17F958D2ee523a2206206994597C13D831ec7) for the full audit + sentiment correlation.
5. Decide. Move on.

“Sixty seconds and a checklist beats two hours of YouTube DD on a token that was a rug all along.”

If you want this checklist running automatically on every wallet you connect, the vulnerability scanner is free, no signup. The full per-token report and the smart-money correlation are on the Pulsentric paid plans.