Token Audit
Token Audit is ChainAware's deep smart contract analysis product. Paste a token contract address, trigger a full audit, and get a verdict across 11 verification modules - covering ownership, liquidity, supply, transfer integrity, and more.
Supported chains: BNB Smart Chain · Ethereum · Polygon · Base · Arbitrum · Optimism · Avalanche
What Token Audit Checks
Every audit runs the contract through a multi-layer analysis pipeline - static code analysis, on-chain state reads, live liquidity checks, and behavioral signals - then aggregates the results into a single verdict with a 0-100 risk score.
| Layer | What It Does |
|---|---|
| Source code analysis | Inspects every function in the contract for dangerous patterns - hidden sell gates, unauthorized balance writes, fee setters without caps, and more |
| On-chain state | Reads live contract state - current owner, pause status, total supply, deployer holdings |
| Liquidity checks | Discovers pools across all known DEXes (V2 and V3), checks TVL, LP lock status, and lock duration |
| Behavioral signals | Cross-references the deployer and feeder wallet against 20M+ behavioral profiles for fraud probability |
The Six Verdicts
| Verdict | Risk Score | What It Means |
|---|---|---|
| CLEAN | 0-24 | No theft or rug mechanics found. Analysis passed every safety check. |
| SUSPICIOUS | 25-49 | Risky mechanics present. The code can hurt holders under certain conditions. |
| HIGH RISK | 50-74 | Owner-controlled rug vectors exist. One owner transaction could trap or drain holders. |
| HONEYPOT | ≥ 75 | You can buy - but you cannot sell. Simulation confirms sells are blocked. |
| THEFT | ≥ 75 | Funds are drained on transfer. Every transfer leaks value to the deployer. |
| UNVERIFIABLE | - | Source code not verified. Only partial bytecode analysis was possible. |
The 11 Modules
Each module runs independently and produces its own status (pass / fail / warn / n/a) and risk score. The aggregate verdict combines all module scores plus behavioral signals.
| Module | What It Checks |
|---|---|
| Live Simulation | Buy + sell simulation on a forked chain (coming soon) |
| Ownership & Access | Owner address, blast radius, capability flags, timelock |
| Liquidity & Pools | Pool TVL, LP lock status, lock duration, known lockers |
| Supply & Mint | Mint functions, supply caps, deployer concentration, burn integrity |
| Transfer Integrity | Balance conservation, fee setters, unauthorized recipients |
| Pausability | Pause/unpause access control, asymmetric pause patterns |
| Approve Integrity | Allowance write paths, EIP-2612 permit detection |
| Permit (Gasless) | Nonce, deadline, chainId, ecrecover verification |
| Reentrancy | CEI violations, reentrancy guards, cross-function attack paths |
| Arithmetic & Fees | Fee calculation and overflow patterns (coming soon) |
| Event Integrity | ERC-20 event compliance (coming soon) |
How the Verdict Is Calculated
- Each module produces a risk score (0-100).
- Module scores are summed into a `total_risk_score`.
- A corroboration boost (+20) is applied when two high-severity findings point to the same owner address.
- The honeypot analysis adds its own score from pattern-matching the contract code.
- Behavioral signals (deployer fraud probability, behavioral honeypot flag) feed into the final aggregate.
- The aggregate maps the combined score to a verdict tier.
A module that returns n/a did not run - the feature it checks was not present in this contract. This is not the same as a pass.
Using Token Audit
Via the UI
Open chainaware.ai, select Token Audit from the Fraud Tech menu, choose a chain, paste a contract address, and click Audit.
Results are deep-linkable - share the URL directly:
https://chainaware.ai/audit/{chain}/{address}
Via the API
```
# Trigger an audit
POST /token-audit/{chain}/{address}/run
# Fetch results (poll until audit_status = "complete")
GET /token-audit/{chain}/{address}
```
Polling pattern: after triggering a run, poll GET every 1.5 seconds. Stop when `audit_status` is `complete` or `error`. Maximum 90 seconds.
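The polling pattern above as a small client, added here as an example and not ChainAware's own code. The `request(method, path)` transport (which would hold the base URL and any authentication), the chain slug shape, and the exception names are assumptions; only the two paths, the `audit_status` values, and the 1.5 s / 90 s timings come from this page.

```python
import re
import time

POLL_INTERVAL = 1.5  # seconds between GETs, as stated on this page
MAX_WAIT = 90.0      # total polling budget, as stated on this page
ADDRESS_RE = re.compile(r"0x[0-9a-fA-F]{40}")  # EVM contract address
CHAIN_RE = re.compile(r"[a-z0-9-]{1,32}")      # assumed slug shape; real slugs are not on the page


class AuditTimeout(Exception):
    """No terminal audit_status was seen within MAX_WAIT."""


class AuditFailed(Exception):
    """The audit ended with audit_status == "error"."""


def audit_path(chain, address):
    # Validate both segments before interpolation so input cannot alter the request path.
    if not CHAIN_RE.fullmatch(chain) or not ADDRESS_RE.fullmatch(address):
        raise ValueError("invalid chain or contract address")
    return f"/token-audit/{chain}/{address}"


def run_audit(chain, address, request, sleep=time.sleep, clock=time.monotonic):
    """Trigger an audit, then poll until it completes.

    `request(method, path)` is a caller-supplied transport (hypothetical)
    that returns the decoded JSON body as a dict.
    """
    path = audit_path(chain, address)
    request("POST", path + "/run")
    deadline = clock() + MAX_WAIT
    while True:
        result = request("GET", path)
        status = result.get("audit_status")
        if status == "complete":
            return result
        if status == "error":
            raise AuditFailed(result)
        # Pending, missing or unknown statuses all mean "not done": a partial
        # result is never returned as if it were a verdict.
        if clock() + POLL_INTERVAL > deadline:
            raise AuditTimeout(f"no terminal status after {MAX_WAIT:.0f}s")
        sleep(POLL_INTERVAL)
```

A caller that gates a trade or listing on the result should treat `AuditTimeout` and `AuditFailed` as "no verdict", not as a clean result.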
Further Reading
- Web3 Trust Verification Systems in 2026
- Verdicts - what each verdict means and how to act on it
- Modules - all 11 verification modules in detail
- Rug Pull Prevention - how Token Audit fits into a broader rug pull prevention strategy
- For AI Agents - Risk & Safety - using Token Audit inside autonomous agent pipelines