You do not need to be a Solidity developer to read a token contract. You need to know where to look and what patterns to recognize. Most scam tokens reveal themselves in the first five minutes of contract inspection — if you know what you are looking for.
This guide walks through every step from finding the contract source to identifying the specific functions that separate safe tokens from traps.
Every token on a public blockchain has a contract address. That address links to code that controls everything — who can sell, what fees are charged, and whether you can ever get your money out. Reading it takes five minutes and can save you from losing everything.
Step 1: Find the Contract on a Block Explorer
Get the contract address
Copy the token contract address from DexScreener, the project’s Telegram, or its website. Always verify it matches what is shown on the block explorer — scammers share fake addresses that look similar to real ones.
Open the correct explorer for the chain
ETH → etherscan.io — BSC → bscscan.com — Base → basescan.org — Polygon → polygonscan.com — Arbitrum → arbiscan.io. Paste the contract address in the search bar.
Click the Contract tab
On the token page, click the Contract tab. You will see either a green checkmark next to the word “Contract” (verified source available) or a plain bytecode view (unverified). If it is unverified, stop here — treat it as high risk.
An unverified contract means the source code has not been published. You are trusting code you cannot read. Legitimate projects always verify their contracts. If it is unverified, the team is hiding something.
Step 2: Read the Token Basics
Once you have the verified source open, scroll to the top of the main contract file. You are looking for these basics first:
- Token name and symbol — confirm they match what was advertised
- Total supply — note the number, you will cross-reference it with the holder distribution
- Decimals — almost always 18 for ERC-20, anything different is unusual
- Owner address — note this, you will check it against the deployer and the holder list
Step 3: Find the _transfer Function
This is the most important function in any ERC-20 token. Every token movement — buy, sell, wallet transfer — goes through _transfer. Use Ctrl+F to search for it in the source code.
A clean _transfer function moves tokens from one address to another, applies a fee if configured, and does nothing else. Watch for these red flags inside it:
- Mappings checked before transfer — require(!_blacklisted[from]), require(_canSell[from]), require(_whitelist[to]) — any of these mean the owner controls who can sell
- Block number checks — require(block.number > _lockBlock[sender]) — can permanently lock any wallet
- tx.origin checks — used to detect and fool simulation tools
- Dynamic fee application — fee variables that the owner can change to 100%
“If the _transfer function checks any mapping before moving tokens, ask yourself: who controls that mapping?”
Step 4: Find Owner-Controlled Functions
Search for onlyOwner in the source. Every function tagged with onlyOwner is something the deployer can call at any time without your consent. Make a mental list of what these functions do:
- Safe: renounceOwnership, transferOwnership, setting initial parameters once
- Risky: setFee, setSellFee, setMaxWallet — owner can change fees and limits at will
- Dangerous: blacklist, setCanSell, excludeFromSell — owner controls who can exit
- Critical: Any function that mints new tokens, withdraws liquidity, or pauses trading
If the owner can mint new tokens at will, they can inflate the supply and dilute the value of your holdings toward zero. Always check whether a mint function exists and whether ownership has been renounced.
Step 5: Check the Fee Structure
Find the fee variables — usually named buyFee, sellFee, taxFee, or similar. Check two things:
- Current values — anything above 10% on buy or sell is high risk. Above 25% is almost certainly a trap.
- Max values — if there is a require(fee <= 100) guard, the owner can set fees to 100% at any time
Also check where the fees go. Fees sent to a marketing wallet controlled by the owner are fine if the percentage is reasonable. Fees sent back to the contract that the owner can withdraw are riskier.
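The checks from Steps 3 to 5 can be scripted against verified source copied from the block explorer. The Python sketch below is an added example, not part of the original guide and not DexScanr's code; SAMPLE is a constructed contract, and TIERS, functions and scan are hypothetical names. It goes one step beyond the text by listing which onlyOwner functions write to each mapping that gates _transfer.

```python
import re

# Constructed sample source (not a real token) with red flags from Steps 3-5.
SAMPLE = """
contract Token is Ownable {
    function setSellFee(uint256 fee) external onlyOwner { require(fee <= 100); sellFee = fee; }
    function blacklist(address a, bool v) external onlyOwner { _blacklisted[a] = v; }
    function _transfer(address from, address to, uint256 amount) internal {
        require(_balances[from] >= amount, "balance");
        require(!_blacklisted[from], "blocked");
        require(tx.origin == from, "no bots");
        _balances[from] -= amount; _balances[to] += amount;
    }
}
"""

# Step 4 tiers as name heuristics (assumption: function names follow the guide's examples).
TIERS = [("critical", "mint|withdraw|pause"), ("dangerous", "blacklist|cansell|excludefromsell"),
         ("risky", "fee|maxwallet"), ("safe", "ownership")]

def functions(src):
    """Map name -> (modifiers, body). Braces inside strings or comments are not handled."""
    out = {}
    for m in re.finditer(r"function\s+(\w+)\s*\([^)]*\)([^{;]*)\{", src):
        depth, i = 1, m.end()
        while depth and i < len(src):          # walk to the matching closing brace
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        out[m.group(1)] = (m.group(2), src[m.end():i - 1])
    return out

def scan(src):
    fns = functions(src)
    owner_fns = {n: b for n, (mods, b) in fns.items() if re.search(r"\bonlyOwner\b", mods)}
    body = fns.get("_transfer", ("", ""))[1]
    gates = {}
    for name in re.findall(r"require\s*\(\s*!?\s*(\w+)\s*\[", body):
        if not re.search("balance|allowance", name, re.I):
            # "Who controls that mapping?": owner-only functions that assign to it.
            gates[name] = sorted(n for n, b in owner_fns.items()
                                 if re.search(re.escape(name) + r"\s*\[[^\]]*\]\s*=[^=]", b))
    return {
        "gating_mappings": gates,
        "block_lock": bool(re.search(r"require\s*\([^;]*block\.number", body)),
        "tx_origin": "tx.origin" in body,
        "owner_functions": {n: next((t for t, rx in TIERS if re.search(rx, n, re.I)), "review")
                            for n in sorted(owner_fns)},
        "fee_caps": [int(c) for c in re.findall(r"require\s*\(\s*\w*fee\w*\s*<=\s*(\d+)", src, re.I)],
    }
```

Pattern matching on names is a triage aid: it over-flags by design, and a function tiered "review" or a restriction hidden behind an unusual name still needs a manual read.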
Step 6: Verify the Read Functions
Click the Read Contract tab on Etherscan. This lets you query the contract’s current state without making a transaction. Check:
- owner() — if this returns the zero address (0x000...000), ownership has been renounced. Good sign.
- totalSupply() — cross-reference with what was advertised
- Any fee functions — read the current buy and sell fee values directly from the contract
- Trading status — some contracts have a tradingEnabled boolean. If false, no one can sell.
The Full Contract Reading Checklist
- Contract is verified on the block explorer
- Token name, symbol, and supply match what was advertised
- _transfer function contains no owner-controlled mappings or block locks
- No tx.origin checks in the transfer logic
- onlyOwner functions do not include blacklisting or sell restrictions
- No mint function, or mint function is disabled after renouncing ownership
- Buy and sell fees are under 10% and capped at a reasonable maximum
- owner() returns zero address confirming ownership is renounced
- tradingEnabled is true and cannot be set to false by the owner
A token that passes all nine checklist items above is not guaranteed safe — but a token that fails even one of them deserves serious scrutiny before you put money in.
Reading contracts gets faster with practice. After a dozen tokens you will be able to scan the critical sections in under two minutes. Combine manual reading with a DexScanr scan and you have the strongest possible defense against getting trapped in a honeypot.