Token Safety Scanner
PulseChain
Safety
STRUCTURAL SAFETY CHECKS · no verdict, just facts

The Token Safety
Scanner

Not a green light. A flashlight. See a token's structural risks — and exactly what these reads can't see.

Paste a token. The Scanner reads three independent facts — is it an upgradeable proxy, does it carry a mint entrypoint, who controls it — each triple-verified. No safe/unsafe score: facts and named blind spots, so you judge with your eyes open.

3
Independent checks
RPC verify
0
Safe/unsafe scores
Why this exists

Every “token checker” gives you a green light. Green lights get people rekt.

A single SAFE/UNSAFE score is a buy signal wearing a lab coat — and the moment it says “safe” and someone loses money, the tool is worthless. So this scanner refuses to give one. Instead it reads three independent structural facts off the chain — is the contract an upgradeable proxy (someone can swap its code), does its bytecode carry a mint entrypoint (supply can potentially grow), and who controls it — and it tells you exactly what each fact does not establish. You get the flashlight, not the verdict.

The detection is adversarially hardened, because a malicious author engineers a token to look clean under naive checks. It reads six canonical proxy-storage slots (not just EIP-1967 — the older zeppelinos layout that USDC itself uses would otherwise slip through), scans the implementation's bytecode when a token is a proxy, and reads owner and proxy-admin as separate power surfaces. Every value is triple-verified across three RPCs; anything that doesn't reach 3/3 is shown as “not verified”, never guessed.

It is the token-level companion to the LP Risk Radar and the Fork-Mirror Detector. Same rule as all of them: facts, named blind spots, no advice.

01
Run it

Three facts, and what they don't cover

Proxy, mint, ownership — read straight off the chain, 3 RPCs each, presented as facts you can act on, never a score you can blame us for.

Examples: DAI · not a proxy, has mint USDC · upgradeable proxy
02
The three checks

What each check reads — and refuses to claim

Upgradeable proxy. Reads six canonical storage slots (EIP-1967 impl/admin/beacon, EIP-1822, and the older zeppelinos impl/admin). A set implementation slot means the code can be replaced by whoever holds the upgrade authority. Does not claim: that all-empty slots mean immutable — diamonds and metamorphic contracts read clean and are listed as not-checked.
+
Mint entrypoint. Scans the deployed bytecode (the implementation's, if it's a proxy) for mint selectors. Present means the entrypoint exists. Does not claim: that it's publicly callable, ungated, or actually inflates supply — and absence is not proof of a fixed supply (rebase tokens, upgrade paths, non-standard names).
§
Ownership / admin. Reads owner()/getOwner() and, independently, the proxy-admin slot. Does not claim: that a renounced owner means no control — a non-empty proxy admin overrides it, and role-based access can retain power with owner() at zero.
The rule Three independent facts, never summed into a verdict. “All clean” still doesn't cover sellability, fee/blacklist logic, diamonds or metamorphic code — the scanner names those blind spots instead of hiding them behind a green badge.