Trading

·

March 17, 2025

Protect from malicious tokens with on-page security audits

Swap Safely with Token Security Audits

Anthony Allen

Token pages now notify you of risky smart contract functions, so you can see which tokens are legit.

Honeypots, copycats and tokens with high sell taxes are now easy to identify with Matcha’s on-page Security Audits. This anti-malicious-token feature inspects the token’s contract code for known risk indicators, such as whether more tokens can be minted, whether the token can be sold, and who has the rights to modify the code, all powered by GoPlus Security.

Alongside liquidity scores and improvements to on-page metrics, the security audit lets you see at a glance if you’re about to trade the right token or a malicious copy. With more tokens being launched each day than at any point in crypto history, Matcha makes it easier to extract the signal from the noise.

Token Security Audits

Every token on Matcha now has a Security Audit badge showing how many of 21 potential issues were found in the token’s smart contract code. Clicking on this badge will take you to a section that covers the audit results in more detail, telling you exactly which risks were identified and how they might impact your trading experience.

An overview of the most significant risks.

Matcha Security Audits are intended to catch common tactics used by malicious tokens. If an issue is present in a token, it will be counted as a risk. Some risks, such as a token being mintable, are not always a sign of malicious intent, but will be counted as a risk so you know to use your best judgement on how to proceed.

Malicious tactics involving token smart contracts evolve over time, so there is unfortunately no way to be 100% certain that a token is legitimate. Security Audits are an indicator that should help you avoid the majority of scammy or risky tokens, enabling you to trade with more confidence and less friction.

How to use Security Audits

When you land on a token page on Matcha, you will see a Security Audit score right below the token name and contract address. A score of 0 shows no issues were detected (though you should still use other context to decide if a token is safe), while a score of 1 or more indicates potential dangers are present.

Click on the risk score to scroll down and see the full audit.
Click the icon or scroll down to see token Security Audits.

Not all code flagged as a risk is necessarily malicious. There are legitimate and popular tokens which use proxy contracts, are mintable, or contain other functions that are also found in malicious tokens.

USDC, for example, uses a proxy contract that gives the issuer power to modify the contract logic, while wrapped tokens such as WBTC must be mintable to allow them to be exchanged for native tokens. In these cases, it is up to you to judge if the issuer can be trusted or not.

What an audit tells you

At a glance, you can use the security audit badge to see if any potential risks exist. If none are shown, the token is likely to be safe, though some checks may not have been able to confirm whether an issue exists and are therefore labelled Unknown. That’s why it’s best to scroll to the full audit further down the page.

Token risk indicators

In the Security Audit section, you will see a list of 6 common risk indicators. You can click Learn more to see a full list of 21 indicators. Each indicator covers a different function, so let’s go through each individually:

  • Verified Source Code: Closed-source contracts often hide malicious behavior, are extremely risky and should be avoided.
  • External Call: External calls indicate that this contract depends on other external contracts which may obscure additional risks.
  • Proxy Contract: Proxy contracts are paired with modifiable implementation contracts, which may obscure additional risks not covered here.
  • Mintable: Describes whether the token issuer can mint new tokens, increasing the supply. Make sure you trust the token issuer to not abuse this functionality.
  • Pause Transfers: Indicates whether the contract creator can freeze token transfers or trades.
  • Blacklist: Indicates whether the contract creator can block specific addresses.
  • Whitelist: Indicates whether the contract creator can limit which addresses are allowed to hold the token.
  • Creator Address: The address used by the contract creator to deploy the token contract.
  • Owner Address: The address with control over token parameters. Not all tokens have this functionality. Owner address may change over time.
  • Hidden Owner: Indicates if the developer has secretly retained ownership even after abandoning ownership, often a signal of malicious intent.
  • Retrievable Ownership: When ownership has been abandoned, the risks associated with contract modifications are mitigated. If ownership is retrievable, these risks may be reactivated.
  • Can’t Buy: Indicates if buying has been deactivated.
  • Can’t Sell All: Indicates a restriction preventing you from selling all tokens at once. These tokens may require a specific amount to remain in the seller’s account.
  • Buy Tax: An additional fee charged by the token creator on every Buy transaction.
  • Sell Tax: An additional fee charged by the token creator on every Sell transaction.
  • Tax Modifiable: Indicates whether a buy or sell tax can be added or modified by the issuer.
  • Tax Modifiable (single address): Indicates whether the issuer can charge different tax rates across addresses.
  • Trading Cooldown: Indicates a rate limit that forces a minimum time delay between two transactions.
  • Maximum Balance: Indicates if the contract has capped the amount of tokens that can be held by any single address.
  • Max Balance Modifiable: Indicates if the contract can change the maximum balance.
  • Honeypot: A honeypot contains malicious code that allows the token to be bought, but not sold.
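To make the badge count and the Unknown bucket concrete, here is an added example (not Matcha's or GoPlus's code) that classifies all 21 indicators above from a GoPlus-style token_security record. The GoPlus field names are my assumption of that API's response format, and both token records are constructed rather than fetched.

```python
# Indicator label -> assumed GoPlus field. Booleans arrive as "0"/"1" strings, taxes as
# decimal fractions ("0.05" = 5%); creator/owner are shown for context but never counted.
FLAGS = {"External Call": "external_call", "Proxy Contract": "is_proxy", "Mintable": "is_mintable",
         "Pause Transfers": "transfer_pausable", "Blacklist": "is_blacklisted",
         "Whitelist": "is_whitelisted", "Hidden Owner": "hidden_owner",
         "Retrievable Ownership": "can_take_back_ownership", "Can't Buy": "cannot_buy",
         "Can't Sell All": "cannot_sell_all", "Tax Modifiable": "slippage_modifiable",
         "Tax Modifiable (single address)": "personal_slippage_modifiable",
         "Trading Cooldown": "trading_cooldown", "Maximum Balance": "is_anti_whale",
         "Max Balance Modifiable": "anti_whale_modifiable", "Honeypot": "is_honeypot"}
INVERTED = {"Verified Source Code": "is_open_source"}   # a risk when the flag is "0"
TAXES = {"Buy Tax": "buy_tax", "Sell Tax": "sell_tax"}
INFO = {"Creator Address": "creator_address", "Owner Address": "owner_address"}
ALL = {**INVERTED, **FLAGS, **TAXES, **INFO}          # the 21 on-page indicators
HARD_STOP = {"Verified Source Code", "Honeypot"}      # page: avoid outright, no judgment call

def classify(label: str, value: str) -> str:
    """A missing or empty field is Unknown, not clear: the check never ran."""
    if value == "":
        return "unknown"
    if label in INFO:
        return "info"
    risky = (float(value) > 0) if label in TAXES else value == ("0" if label in INVERTED else "1")
    return "risk" if risky else "clear"

def audit(record: dict[str, str]) -> dict[str, list[str]]:
    """Bucket all 21 indicators as risk / clear / info / unknown for one token record."""
    out: dict[str, list[str]] = {"risk": [], "clear": [], "info": [], "unknown": []}
    for label, field in ALL.items():
        out[classify(label, record.get(field, ""))].append(label)
    return out

def badge(record: dict[str, str]) -> tuple[int, str]:
    """Badge count plus a verdict: 'avoid' on a hard stop, 'review' while risks or
    Unknowns remain (a trusted issuer's proxy still lands here), otherwise 'clear'."""
    r = audit(record)
    verdict = ("avoid" if HARD_STOP & set(r["risk"])
               else "review" if r["risk"] or r["unknown"] else "clear")
    return len(r["risk"]), verdict

# Constructed sample: a USDC-like upgradeable stablecoin, every other check clear.
USDC_LIKE = {f: "0" for f in ALL.values()}
USDC_LIKE.update(is_open_source="1", is_proxy="1", is_mintable="1",
                 creator_address="0xCREATOR_PLACEHOLDER", owner_address="0xOWNER_PLACEHOLDER")
# Constructed sample: an open-source honeypot with a 99% sell tax and two checks that never ran.
SCAM_LIKE = {**USDC_LIKE, "is_proxy": "0", "is_honeypot": "1", "sell_tax": "0.99", "hidden_owner": "1",
             "cannot_sell_all": "1", "slippage_modifiable": "1", "owner_address": ""}
del SCAM_LIKE["anti_whale_modifiable"]
```

The USDC-like record scores 2 and lands in "review", matching the page's point that proxy and mintable are judgment calls; the honeypot record scores 6 with two Unknowns and is "avoid".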

Making crypto safer, one token at a time

Security Audits are just one of many data points we provide to help you navigate the often precarious crypto landscape. We’ve implemented them, powered by GoPlus, to make it easy to know if a token is high-risk or not, while also providing other information such as how much liquidity there is or how many holders a token has. 

Learn more about how audits work in this interview!

Combined, we believe these indicators make Matcha token pages the best place to find new tokens with minimal risk, and avoid copycats on more popular tokens as well. Try Security Audits today at matcha.xyz, and reach out to us on Farcaster, X, or Discord to give us your feedback!
