Honeypot Contract

A honeypot contract is a fraudulent smart contract designed to look like a legitimate, profitable opportunity — an arbitrage target, a new token, or a vulnerable contract — but which contains hidden logic that permanently traps any funds sent to it. The name comes from the espionage concept: an attractive lure that ensnares anyone who takes the bait. In DeFi, honeypots are most commonly deployed as fake ERC-20 tokens on DEXes — the token can be bought freely, but a hidden function in the contract prevents it from ever being sold, leaving buyers trapped holding worthless tokens while the deployer walks away with the liquidity. Honeypots are responsible for billions in annual losses across all EVM chains and are especially prevalent during meme coin and new token launch frenzies when traders move fast without reading contracts.


How a Token Honeypot Works

The most common honeypot pattern:

  1. Deployer creates a new ERC-20 token with a deceptive name (often copying a trending token’s branding)
  2. Deployer adds liquidity on a DEX (Uniswap, PancakeSwap, etc.) — the token now has a price and can be bought
  3. Bots or early buyers purchase the token — it works normally; they receive tokens in their wallet
  4. Deployer “primes” the chart — buys their own token through other wallets to create a rising price chart, attracting FOMO buyers
  5. Victims buy — their transaction succeeds; they see tokens in their wallet
  6. Victims try to sell — the transfer() or sell() function contains a hidden condition that reverts all sell transactions (or sends tokens to the deployer on sell)
  7. Victims cannot exit — funds are trapped; the deployer removes liquidity

Hidden Mechanisms in Honeypot Tokens

| Mechanism | How It Traps Buyers |
|---|---|
| Blacklist on sell | transfer() checks if the recipient is a router; reverts if so |
| Sell tax of 100% | A “tax” function takes 100% of any sell transaction |
| Max transaction on sells only | Buys can be any size; sells are capped at 1 token |
| Whitelist only | Only whitelisted addresses (the deployer’s) can sell |
| Anti-bot toggle | A hidden function that the deployer can trigger to block all sells at any time |
| Renounced ownership with backdoor | Contract appears to have no owner, but a hidden function remains callable by deployer |

Types of Honeypots

1. Token Honeypots (Most Common)

2. “Vulnerable Contract” Honeypots

  1. Hacker sends ETH to “activate” the exploit (required by the trap logic)
  2. The contract pockets the activation ETH
  3. The apparent vulnerability doesn’t actually work (or works differently than it appears)
  4. Hacker is out the ETH they sent to “activate” the exploit

These are relatively rare but have been documented on Ethereum since 2016.

3. Liquidity Traps


Detection: How to Check Before Buying

Automated tools:

  • Honeypot.is — paste any token contract address; simulates a buy and sell transaction to detect sell restrictions before you commit real funds
  • TokenSniffer — scans for known honeypot patterns and other scam indicators
  • De.Fi Shield — real-time token security scanning with honeypot detection
  • GoPlus Security API — widely integrated by DEX aggregators; returns risk signals including honeypot likelihood

Manual checks on Etherscan/BSCScan:

  • Read the source code (if verified) — look for any sell conditions, blacklists, or unusual transfer() overrides
  • Check if the contract is verified at all (unverified = major red flag)
  • Look at the transaction history — if all transactions are buys with zero sells, that is an extreme warning sign
  • Check holder distribution — if the top 1–2 wallets hold 80%+, likely a rug/honeypot setup
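
The two history-based checks above (zero sells, top 1–2 wallets holding 80%+) can be run over a token's Transfer events. This is an added example, not part of the original page; the function name assess_token, the placeholder addresses and the sample histories are constructed, and leaving the pool out of the holder ranking is an assumption.

```python
from collections import defaultdict

ZERO = "0x0"            # stand-in for the zero address (mint source)
DEPLOYER, POOL = "0xDEPLOYER", "0xPOOL"   # constructed placeholder addresses

def assess_token(transfers, pool, deployer, limit=0.80):
    """Apply the 'zero sells' and 'top wallets hold 80%+' checks to
    (sender, recipient, amount) Transfer events, oldest first."""
    balances = defaultdict(int)
    buyers, sellers = set(), set()
    for sender, recipient, amount in transfers:
        if sender != ZERO:
            balances[sender] -= amount
        balances[recipient] += amount
        if sender == pool and recipient != deployer:
            buyers.add(recipient)      # tokens leaving the pool: a buy
        elif recipient == pool and sender != deployer:
            sellers.add(sender)        # tokens entering the pool: a sell
        # deployer <-> pool transfers are liquidity adds/removals, not trades
    supply = sum(v for a, v in balances.items() if a != ZERO)
    # Assumption: rank wallets only, leaving out the pool and the zero address.
    wallets = sorted((v for a, v in balances.items() if a not in (pool, ZERO)),
                     reverse=True)
    top2_share = sum(wallets[:2]) / supply if supply else 0.0
    flags = []
    if buyers and not sellers:
        flags.append("no_sells")
    if top2_share >= limit:
        flags.append("concentrated_holders")
    return {"buyers": len(buyers), "sellers": len(sellers),
            "top2_share": top2_share, "flags": flags}

# Constructed sample histories (not real chain data).
HONEYPOT = [
    (ZERO, DEPLOYER, 1_000_000), (DEPLOYER, POOL, 100_000),
    (POOL, "0xA", 5_000), (POOL, "0xB", 3_000), (POOL, "0xC", 2_000),
]
HEALTHY = [
    (ZERO, DEPLOYER, 1_000_000), (DEPLOYER, POOL, 400_000),
    (DEPLOYER, "0xT1", 300_000), (DEPLOYER, "0xT2", 250_000),
    (POOL, "0xA", 50_000), (POOL, "0xB", 40_000), ("0xA", POOL, 20_000),
]

if __name__ == "__main__":
    for name, history in (("honeypot", HONEYPOT), ("healthy", HEALTHY)):
        print(name, assess_token(history, POOL, DEPLOYER))
```

A clean result here does not rule out an anti-bot toggle the deployer has not yet triggered, so it complements a simulated sell and a source review; it does not replace them.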

Key questions:

  1. Can I verify the source code is not malicious?
  2. Are there actual sell transactions in the history?
  3. Does honeypot.is show sells as successful?
  4. Is the team doxxed / KYC’d?

Honeypots vs. Rug Pulls

These terms are related but distinct:

| Feature | Honeypot | Rug Pull |
|---|---|---|
| Primary mechanism | Buyers can’t sell (code trap) | Liquidity removed by developer |
| When it executes | Immediately — buyers are trapped from the start | Usually after building hype and volume |
| Reversibility | Never — the contract traps funds permanently | One-time event; liquidity gone |
| Code malice | In the token contract itself | May use a legitimate contract but malicious team action |
| Common chain | BSC, Base, Ethereum | All chains |

A project can be both — a honeypot contract executed alongside a liquidity pull, ensuring victims can neither sell nor claim value from the pool.


Scale of the Problem

Honeypot tokens are created at industrial scale, especially on cheap-gas chains:

  • BSC: Tens of thousands of honeypot tokens deployed monthly
  • Base / Solana: Honeypot launches surged 300–500% during 2024 meme coin season
  • Detection rate: The majority are caught by automated tools within minutes, but new variants evade detection temporarily

Most victims are retail traders chasing trending tokens on DEX screeners (Dextools, Dexscreener) without performing any contract analysis.

