How to Check Token Security with GoPlus (60-Second Scam Check)

What GoPlus is, and why it's the standard#

GoPlus Security launched in 2021 to solve a specific problem: crypto users had no easy way to know if a smart contract was malicious before interacting with it. Their API ingests every token contract on supported chains, runs 30+ static analyses, and returns a structured risk report.

Today most major DEX aggregators (Uniswap, 1inch, Jupiter) call GoPlus before showing a token to users. The free web tool at gopluslabs.io/token-security gives you the same data directly — no API key needed. For Solana memecoins where new tokens launch hourly, GoPlus is often the difference between catching a 100× and getting drained.

How to run a check in 30 seconds#

1. Copy the token contract address from DexScreener, DexTools, or wherever you spotted it. Always copy from a reliable source — many scams post fake contract addresses in Telegram and Twitter.
2. Go to gopluslabs.io/token-security.
3. Pick the correct chain (Ethereum, BNB Chain, Solana, etc.). Wrong chain = wrong result.
4. Paste the address. Report loads in 2–5 seconds.
5. Scan the top section first — the Risk summary shows a count of critical/high/medium/low flags. Any critical flag = stop, do not buy.
6. Drill into individual flags if you want to understand the risk. Most users only need the summary.

Flags that mean walk away#

If you see any of these, the token is almost certainly a trap:

• is_honeypot: 1 — contract has logic preventing selling. You can buy but never sell. 100% loss guaranteed.
• buy_tax > 10% or sell_tax > 10% — contract takes a huge cut on every trade. Some honeypots use 99% sell tax to make selling appear possible but unprofitable.
• transfer_pausable: 1 — owner can pause transfers at any time, freezing your position when you most need to sell.
• is_mintable: 1 with mintable_to: wallet — owner can mint unlimited tokens, diluting your share to zero overnight.
• owner_change_balance: 1 — owner can change any wallet's balance arbitrarily. Effective backdoor.
• hidden_owner: 1 — ownership is obfuscated, often via a proxy contract. Owner can change without on-chain visibility.
• selfdestruct: 1 — contract can be deleted entirely. Funds inside are lost on call.

Flags that are "concerning" but context-dependent#

Some flags are legitimate for specific use cases — for example, owner_can_pause is normal for properly-governed stablecoins (USDC has it by design). Context matters:

• is_anti_whale — max wallet / max transaction limits. Common in fair-launch memecoins. Not a scam signal by itself.
• trading_cooldown — short cooldown after buying. Anti-bot mechanism. Annoying but not necessarily malicious.
• is_proxy — contract is upgradeable. Bad for trustless tokens, fine for centralized stablecoins.
• lp_holders_locked / lp_burned — liquidity locked or burned. Locked LP for >6 months is positive. Unlocked LP on a memecoin is a major red flag.
• creator_percent > 5% — creator holds large share. Acceptable for blue-chips, concerning for memecoins.
• owner_change_tax — owner can change tax rates. Sometimes legitimate (DAO vote to lower tax), often abused.

Three real examples of what reports look like#

Blue chip (USDC on Ethereum): 0 critical, 0 high, 0 medium. Some "attention" flags for centralized control (Circle can blacklist addresses) — by design.

Borderline altcoin (random new DeFi token): 0 critical, 1 high (creator holds 8%), 2 medium (proxy contract, owner can update tax). Not necessarily a scam, but you'd want LP-lock proof and team identity before sizing in.

Confirmed honeypot (random Solana memecoin from a Telegram pump group): is_honeypot: 1, sell_tax: 99%. Walk away. Even if you see "verified trades" showing wins on the DEX chart, those are wash trades — real users can't exit.

GoPlus vs Honeypot.is vs Token Sniffer#

All three are free, but they emphasize different things.

• GoPlus — broadest chain support, most detailed report. Use first.
• Honeypot.is — specializes in honeypot detection via simulated transactions. Use as second check if any GoPlus flag is concerning.
• Token Sniffer — gives a simple 1–100 risk score. Useful as a sanity check.

The full workflow for any new token: GoPlus first, Honeypot.is if anything looks off, Token Sniffer for a fast risk-score sanity check. If any of the three flags red, walk away.

How to read the risk score (and why scores can lie)#

GoPlus assigns each token a security score 0–100. Higher = safer. But the score is a heuristic. It can miss social-engineering scams that don't show up in contract code. A 95-score memecoin with a fake-doxxed team can still rug. The score tells you the contract is technically clean; it doesn't tell you the team is honest.

Treat the score as one signal among many. Combine with:

1. LP locked >6 months on Unicrypt or Team Finance.
2. Team identity verifiable via past projects or Twitter.
3. Trading volume on at least 2 DEXs — single-DEX-only tokens have higher rug risk.
4. Holder distribution from Bubble Maps.

Scams GoPlus won't catch#

GoPlus is a contract scanner. It can't catch off-chain scams:

• Team rug pull. A clean contract + an honest-looking team can still drain the LP and disappear. Mitigation: LP-lock proof.
• Wash trading. Fake volume to look popular. Mitigation: check holder distribution on Bubble Maps — real users look like many small wallets, wash traders look like a few large ones.
• Twitter / Telegram impersonation. Scammer posts the contract address of a fake token mimicking a real upcoming launch. Mitigation: only trust contract addresses from official project sources.
• Phishing via wallet approval. Not a token issue — happens after you click "Approve" on a malicious DApp. Mitigation: read every signature carefully, use Rabby for simulation. See Wallet drainer explained.

Bottom line#

GoPlus is the closest thing in crypto to a free instant background check. It won't catch every scam — nothing does — but for the most common ones it's catastrophically more accurate than human intuition. Run it before every new altcoin purchase. Combine with Honeypot.is and a quick holder-distribution check, and you've filtered out the vast majority of obvious traps.

Next reads: How to detect honeypot tokens · How to use DexScreener · Common crypto scams 2026.