Oluwa.io
All writing
·5 min readcrypto securityhoneypotsrug pullsrugspy

How to Spot a Crypto Scam Before You Buy

Honeypots, rug pulls and the red flags that drain wallets — a practical guide to checking a token before you buy, and how RugSpy automates it.

By Vitor Lima

Most people who lose money to a token scam did nothing reckless. They saw a chart moving, a contract address in a chat, a countdown that made waiting feel expensive. They bought. Then they tried to sell, and couldn't. The trap wasn't the market — it was the contract itself, and it was written to catch them before they ever clicked buy.

This is a practical guide to the two failure modes that cause most of that damage — honeypots and rug pulls — the red flags that precede them, and how to check a token in the sixty seconds before you commit money. It's also the thinking behind RugSpy, the scanner we built to do these checks automatically.

Honeypots: you can buy, but you can't sell

A honeypot is a token engineered so that buying works perfectly and selling silently fails. The chart looks alive, your wallet shows a balance, everything feels normal — until you try to exit and the transaction reverts every time. Your money went in through a door that only opens one way.

The mechanics vary, but the intent is always the same: trap liquidity. Some contracts hard-code a rule that only whitelisted addresses can sell. Some set the sell tax to an absurd number so any exit is economically pointless. Others hide a function the deployer can flip after enough buyers pile in.

The insidious part is that a honeypot can pass a human eyeball test completely. Real-looking name, real-looking liquidity, real-looking holders. You cannot tell by looking at the price. You can only tell by reading what the contract actually permits — which is exactly the kind of check people skip when a token is "about to run."

Rug pulls: the exit is built in from day one

A rug pull is slower and, in a way, more honest about its cruelty. The token works — you can buy and sell — right up until the team pulls the liquidity or dumps a hidden supply, and the price collapses to zero in a single block. Everyone still holding is left with a token no one can trade.

Rugs are usually visible in advance if you know the tells. The signals live in the contract and the liquidity setup, not the marketing:

  • Mintable supply. If the owner can mint new tokens at will, they can dilute every holder to nothing whenever they choose.
  • Ownership not renounced. An active owner key often means privileged functions — pausing trading, changing taxes, blacklisting sellers — are still on the table.
  • Unlocked or thin liquidity. If the liquidity pool isn't locked (or is trivially small), the team can withdraw it the moment it's worth their while.
  • Punitive or adjustable taxes. A sell tax that's high, or that the owner can raise after launch, is a soft rug you pay in installments.
  • Concentrated holders. When a handful of wallets hold most of the supply, one decision ends the game for everyone else.

None of these is automatically proof of fraud. Plenty of early legitimate projects retain an owner key for good reasons. But each is a question you want answered before you buy, not after.

The sixty-second check

Here's the manual version of what a careful buyer does before committing to an unfamiliar token:

1. Read the contract       → verified source? owner renounced? mintable?
2. Simulate a sell         → does an exit transaction actually succeed?
3. Inspect the tax         → buy/sell tax reasonable and fixed?
4. Check liquidity         → locked? for how long? deep enough to exit?
5. Look at the holders      → is supply concentrated in a few wallets?
6. Search the token         → any prior reports, forks, or copied code?

Done properly, this is genuinely protective. Done properly, it's also slow, technical, and easy to rationalize away when a token is "mooning right now." That gap — between the check that works and the check people actually run — is where scammers operate. Urgency is not a side effect of these schemes; it's the mechanism.

Automating the boring, life-saving part

RugSpy exists to close that gap. You paste a contract address, optionally add the liquidity pair, and it runs the checks above across five major EVM networks — Ethereum, BNB Smart Chain, Polygon, Arbitrum and Avalanche — then returns a clear read: honeypot indicators, rug-pull signals, tax and ownership flags, and how much of the risk it could confirm.

We built it on a principle we hold across everything at Oluwa: the tool should tell the truth plainly, especially when the truth is uncomfortable. A scanner that reassures you is worse than no scanner. So RugSpy is explicit about what it found, what it couldn't verify, and where you still need to think for yourself. It's a fast second opinion, not a guarantee — because in a domain this adversarial, anyone promising a guarantee is selling you the next scam.

Two honest limitations worth stating. First, scam detection is an arms race: contract authors adapt, and no scanner catches everything, so a clean result lowers your risk without erasing it. Second, a tool can't fix urgency. If the only reason you're buying is that you're afraid of missing out in the next thirty seconds, no verdict will save you — that feeling is the exploit.

The takeaway

The crypto scams that work don't rely on sophistication. They rely on speed — on getting you to skip the one check that would have stopped you. Honeypots trap your exit; rug pulls remove it later. Both leave fingerprints in the contract before a single dollar moves.

So the discipline is boring and it is everything: check before you buy, every time, no exceptions for the token that "can't wait." Do it by hand if you can read a contract. Let RugSpy do it in a few seconds if you can't. Either way, the goal is the same — to make the decision with your eyes open, which is the one thing every scam is built to prevent.