Token Safety

How to Detect a Honeypot Token Before You Get Trapped

7 min readIntermediateUpdated 2025

A honeypot token is a crypto scam where the contract lets anyone buy but never sell. You watch the price go up, buy in, and then discover you can never get your money out.

Honeypot scams have stolen hundreds of millions of dollars from crypto investors. The good news: most honeypots leave detectable patterns in the contract code.

The 7 Most Common Honeypot Patterns

Pattern 01

Hidden Blacklist

A hidden mapping marks addresses as blacklisted. The owner blacklists buyers after purchase, preventing any sells.

Pattern 02

Extreme Sell Tax

Buy tax is 5% but sell tax is 90-99%. You can buy, but selling returns almost nothing.

Pattern 03

Modifiable Tax

Owner can change taxes anytime. They launch at 5%, then raise sell tax to 99% after buyers are in.

Pattern 04

Transfer Restriction

Hidden require() checks in transfer() only allow moves between owner-controlled addresses.

Pattern 05

Approval Block

approve() is overridden to fail for normal users, making DEX sales impossible.

Pattern 06

Max Transaction Limit

maxTxAmount is set so low that meaningful sells are impossible per transaction.

Pattern 07

Fake Ownership Renounce

renounceOwnership() is overridden to do nothing, or ownership goes to a developer-controlled contract.

Classic Honeypot Code

contract HoneypotToken {
    mapping(address => bool) private _blacklisted;
    address private _owner;
    uint256 public sellTax = 95; // 95% sell tax!

    function transfer(address to, uint256 amount) public returns (bool) {
        require(!_blacklisted[msg.sender], "Transfer failed");
        uint256 tax = amount * sellTax / 100;
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += (amount - tax);
        balanceOf[_owner] += tax; // Owner gets 95%
        return true;
    }

    function blacklist(address user) external {
        require(msg.sender == _owner);
        _blacklisted[user] = true; // Silently trap buyers
    }

    function setTax(uint256 newTax) external {
        require(msg.sender == _owner);
        sellTax = newTax; // Can be raised to 100!
    }
}

⚠️ Red flags: Private blacklist mapping, 95% sell tax, owner can change taxes at will, no limits on owner actions, owner receives all tax revenue.

Quick Checklist Before Buying

1. Is the contract verified on Etherscan? If not — red flag.

2. Search for private blacklist mappings and functions that add to them.

3. Is the sell tax hardcoded or can the owner change it?

4. Is ownership renounced? What can the owner still do?

5. Run it through AuditAI's Token Analyzer for an instant honeypot score.

Detect honeypots instantly

Paste any token contract or address into AuditAI. Get honeypot risk score, sell tax detection, and rugpull analysis free.

🪙 Analyze Token Free