
Seedling
planted May 4, 2026 · tended May 4, 2026
#project #web3 #security #ethereum #base #x402 #deployed

Rug Scanner

A live on-chain token risk analysis API. Send it a contract address and get back a risk verdict (SAFE → CRITICAL) with the data behind it. Pay per scan with USDC on Base via x402, so there's no signup, no API key and no auth dance: just a 402 Payment Required flow.

Live

  • API: https://rug-scanner-production.up.railway.app
  • Repo: LucianoLupo/rug-scanner
  • Discovery: /.well-known/x402.json and /.well-known/agent-card.json (A2A)

What it actually checks

All analysis is done with direct on-chain queries and no third-party risk APIs, so there are no rate limits, no proxy bias, and no opaque scoring.

  • Contract: function selectors (mint, blacklist, pause, fee setters), proxy detection (EIP-1967), ownership state, source verification.
  • Holders: top 5/10 concentration, deployer holdings sampled from recent transfers.
  • Liquidity: pool discovery across Uniswap V2/V3 and Aerodrome on Base, reserves, LP-lock detection (UNCX, Team Finance).
  • Deployer: wallet age, transaction count, ETH balance.
  • Trading: buy/sell tax simulation via router getAmountsOut to catch honeypots and asymmetric tax.

Verdicts

| Verdict | Meaning |
|-------------|------------------------------------------------------------------------|
| CRITICAL | Definite scam signals (honeypot, deployer majority + unlocked LP) |
| HIGH_RISK | Strong rug indicators (mint + blacklist, asymmetric tax) |
| MEDIUM_RISK | Concerning but not definitive |
| LOW_RISK | Minor flags |
| SAFE | No flags triggered |
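The selector scan from the Contract check and the verdict ladder in the table, as an added example in Python (not the Rug Scanner project's own code). The selector values are real keccak256 prefixes; the verdict thresholds, the field names and the bytecode fragment are assumptions constructed for this example.

```python
# Added example, not the project's code; thresholds and sample bytecode are assumed.
RISKY_SELECTORS = {          # keccak256(signature)[:4] of owner-controlled functions
    "40c10f19": "mint",      # mint(address,uint256)
    "f9f92be4": "blacklist", # blacklist(address)
    "8456cb59": "pause",     # pause()
}

def scan_selectors(runtime_bytecode_hex: str) -> set[str]:
    """Risky functions whose selector appears in the dispatcher. Solidity
    compares the calldata selector against PUSH4 <selector> (opcode 0x63),
    so search for 0x63 followed by the 4 bytes; PUSH data can still yield
    a false positive, which is acceptable for a flag that gets reviewed."""
    code = bytes.fromhex(runtime_bytecode_hex.lower().removeprefix("0x"))
    return {name for sel, name in RISKY_SELECTORS.items()
            if b"\x63" + bytes.fromhex(sel) in code}

def verdict(scan: dict) -> str:
    """Verdict ladder from the table above. Thresholds (sell tax >= 100% is a
    honeypot, deployer > 50%, tax gap >= 10 points) are assumptions here."""
    funcs = scan["functions"]
    honeypot = scan["sell_tax_pct"] >= 100
    deployer_majority = scan["deployer_pct"] > 50
    lp_unlocked = not scan["lp_locked"]
    asymmetric_tax = abs(scan["buy_tax_pct"] - scan["sell_tax_pct"]) >= 10
    if honeypot or (deployer_majority and lp_unlocked):
        return "CRITICAL"
    if {"mint", "blacklist"} <= funcs or asymmetric_tax:
        return "HIGH_RISK"
    if funcs or deployer_majority:
        return "MEDIUM_RISK"
    if lp_unlocked or scan["buy_tax_pct"] > 0:
        return "LOW_RISK"
    return "SAFE"

# Constructed runtime bytecode: dispatcher fragment with PUSH4 stubs for
# mint(address,uint256), blacklist(address) and the harmless owner().
SAMPLE_BYTECODE = (
    "0x6080604052600436106100415760003560e01c"
    "806340c10f191461004657"  # DUP1 PUSH4 40c10f19 EQ PUSH2 0046 JUMPI
    "8063f9f92be41461005b57"  # DUP1 PUSH4 f9f92be4 EQ PUSH2 005b JUMPI
    "80638da5cb5b1461007057"  # DUP1 PUSH4 8da5cb5b EQ PUSH2 0070 JUMPI
    "5b600080fd"
)

def scan_sample() -> str:
    # mint + blacklist with locked LP and symmetric 5% tax -> "HIGH_RISK"
    return verdict({"functions": scan_selectors(SAMPLE_BYTECODE),
                    "buy_tax_pct": 5, "sell_tax_pct": 5,
                    "deployer_pct": 12, "lp_locked": True})
```

The real scanner also needs the EIP-1967 storage read and the getAmountsOut simulation, which require a live RPC; this block only covers the parts that work on a bytecode string offline.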

Why this shape

Two design choices that drove most of the build:

  • Pay-per-call instead of subscription. Risk APIs are bursty: you scan a token at the moment you're about to ape, then maybe never again. A signed x402 micropayment ($0.05 USDC) fits that shape better than a $50/mo SaaS plan, and it makes the API agent-friendly: an autonomous wallet can pay without going through OAuth.
  • Own the analysis, don't proxy. Wrapping GoPlus or De.Fi means inheriting their false-positive rate, their rate limits, and their decisions about what counts as risky. Doing the on-chain queries directly costs more dev time but means the verdict is mine to defend.

Connection points

  • The build journal lives at x402 Implementation Guide; every error, every fix, every package version came from getting this API to its first settled transaction.
  • The market thesis (why this category, why this price, why x402) is in x402 Competitive Landscape — Live Services Analysis; smart-contract / on-chain security was a zero-competition gap on the network.
  • Pairs with the broader forensics & OPSEC thread on this site: scanning-before-buying is the same defensive habit applied to crypto.