skills/meme-coin-audit/SKILL.md
Meme coin and token security audit — rug pull detection (honeypot, hidden mint, fee manipulation, LP lock bypass), Solana SPL token analysis (freeze authority, mint authority, metadata mutability), Token-2022 extension risks (transfer hooks, permanent delegate), DEX liquidity pool attacks (sandwich amplification, LP drain, bonding curve exploits), pump.fun/Raydium/Jupiter integration risks, token_scanner.py automation, and real exploit examples from 2024-2025. Use for any token audit, rug pull assessment, meme coin security review, or pre-investment due diligence.
Install the skill with:

```shell
npx skillsauth add shuvonsec/claude-bug-bounty meme-coin-audit
```
Fast-kill rug pull detection and deep token security analysis for EVM and Solana meme coins.
Check these BEFORE reading a single line of code. If any are true, skip the audit — the token is likely a rug or not worth the time.
"Check ALL authorities and owner functions. The retained authority IS the rug vector."
Every rug pull requires a privileged operation: mint, blacklist, fee change, LP removal, or authority abuse. If you find the privilege, you found the bug.
### 1. Hidden mint

35% of meme coin rugs. Deployer mints tokens post-launch, dumps on LP.

Quick grep (EVM):

```shell
grep -rn "function mint\|_mint(\|_balances\[.*\] +=" src/ --include="*.sol" | grep -v "test\|lib\|node_modules"
```

Quick grep (Solana):

```shell
grep -rn "MintTo\|mint_to\|mint_authority" src/ --include="*.rs" | grep -v "test\|target"
```

**Kill if:** MAX_SUPPLY enforced in every mint path, or mint function removed entirely.
### 2. Honeypot

25% of meme coin scams. Buy works, sell blocked.

Quick grep:

```shell
grep -rn "blacklist\|isBlacklisted\|_bots\|maxTxAmount\|approve.*override\|tradingEnabled" src/ --include="*.sol"
```

Solana equivalent:

```shell
grep -rn "freeze_authority\|transfer_hook\|TransferHook\|permanent_delegate" src/ --include="*.rs"
```

**Kill if:** No blacklist mapping, no transfer hooks, no freeze authority.
### 3. Fee manipulation

20% of rugs. Sell fee set to 99% after initial buys.

Quick grep:

```shell
grep -rn "setFee\|setSellFee\|_taxFee\|_sellFee" src/ --include="*.sol"
grep -rn "function set.*Fee" -A5 src/ --include="*.sol" | grep -v "require\|MAX\|<="
```

**Kill if:** Fee setter has require(fee <= MAX_FEE) with MAX_FEE <= 10%.
### 4. LP drain and lock bypass

LP removal, migration, or manipulation to crash price.

Quick grep:

```shell
grep -rn "migrateLP\|emergencyWithdraw\|\.sync()\|setPair\|setRouter" src/ --include="*.sol"
```

**Kill if:** LP tokens burned to dead address, no migration function, no pair setter.
### 5. Bonding curve exploits

Exploits in pump.fun-style bonding curves.

Quick grep:

```shell
grep -rn "virtualReserve\|setCurve\|graduate\|bonding_curve" src/ --include="*.sol" --include="*.rs"
```

**Kill if:** Curve parameters immutable, graduation permissionless.
### 6. Retained authorities (Solana)

Retained mint/freeze/update authorities on Solana tokens.

Quick grep:

```shell
grep -rn "mint_authority\|freeze_authority\|update_authority\|close_authority" src/ --include="*.rs"
grep -rn "set_authority.*None" src/ --include="*.rs"   # Good sign: revocation
```

**Kill if:** All authorities = None, verified on-chain.
### 7. Fake ownership renounce

Ownership appears renounced but backdoor control retained.

Quick grep:

```shell
grep -rn "renounceOwnership.*override\|_shadowAdmin\|_backupOwner\|selfdestruct" src/ --include="*.sol"
```

**Kill if:** renounceOwnership NOT overridden, no second admin role, no selfdestruct.
### 8. Sandwich amplification

Contract makes holders maximally sandwichable.

Quick grep:

```shell
grep -rn "swapExactTokensForETH" -A5 src/ --include="*.sol" | grep "0,"
grep -rn "swapThreshold\|_rebase\|mandatoryPool" src/ --include="*.sol"
```

**Kill if:** Auto-swap has proper slippage, no rebase mechanics.
Run the token scanner tool for fast red flag detection:

```shell
# EVM token
python3 tools/token_scanner.py contracts/Token.sol

# Solana program
python3 tools/token_scanner.py programs/token/ --chain solana --recursive

# Full directory scan with report
python3 tools/token_scanner.py src/ --recursive --output findings/token-report.md
```
The scanner checks all 8 bug classes via regex patterns. It catches:
Scanner does NOT check:
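As an added illustration of the regex triage that the quick greps above and the scanner automate, the following Python script applies the same patterns to two constructed contract fragments: one shaped like a rug and one that meets the kill conditions. It is example code written for this page, not the repository's `tools/token_scanner.py`; the `Finding` type, the severity labels, the `scan` function and both sample contracts are assumptions. It covers the hidden mint, honeypot, fee manipulation, LP manipulation and fake renounce classes, and checks the kill condition for the two function-level classes (MAX_SUPPLY in every mint path, a bound in every fee setter) rather than only keyword presence.

```python
"""Regex triage of a Solidity token for the rug-pull bug classes above.
Added example (not the repository's tools/token_scanner.py); the contracts are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    bug_class: str
    severity: str
    line: int
    evidence: str


# Keyword greps lifted from the checklist: a hit is a lead to read, not proof of a rug.
KEYWORD_CHECKS = {
    "honeypot": (r"blacklist|isBlacklisted|_bots|maxTxAmount|approve.*override|tradingEnabled", "HIGH"),
    "lp-manipulation": (r"migrateLP|emergencyWithdraw|\.sync\(\)|setPair|setRouter", "HIGH"),
    "fake-renounce": (r"renounceOwnership.*override|_shadowAdmin|_backupOwner|selfdestruct", "CRITICAL"),
}

# Function header plus a flat (non-nested) body; sufficient for the short functions triaged here.
FUNC_RE = re.compile(r"function\s+(\w+)\s*\([^)]*\)[^{;]*\{([^}]*)\}")


def _line_of(src: str, pos: int) -> int:
    return src.count("\n", 0, pos) + 1


def scan(src: str) -> list:
    """Return findings sorted by line; an empty list means every kill condition held."""
    findings = []
    for bug_class, (pattern, severity) in KEYWORD_CHECKS.items():
        for m in re.finditer(pattern, src):
            findings.append(Finding(bug_class, severity, _line_of(src, m.start()), m.group(0)))
    for m in FUNC_RE.finditer(src):
        name, body = m.group(1), m.group(2)
        line = _line_of(src, m.start())
        # Hidden mint: the kill condition is MAX_SUPPLY enforced on every mint path.
        if re.fullmatch(r"_?mint\w*", name, re.I) and "MAX_SUPPLY" not in body:
            findings.append(Finding("hidden-mint", "CRITICAL", line, f"{name}() not capped by MAX_SUPPLY"))
        # Fee manipulation: a fee setter with no require/MAX/<= bound can be raised to 99% post-launch.
        if re.fullmatch(r"set\w*Fee\w*", name) and not re.search(r"require|MAX|<=", body):
            findings.append(Finding("fee-manipulation", "HIGH", line, f"{name}() has no upper bound"))
    return sorted(findings, key=lambda f: f.line)


# Constructed contract fragments (not real projects): one rug-shaped, one meeting the kill conditions.
VULNERABLE_SRC = """
contract Token is ERC20, Ownable {
    mapping(address => bool) public isBlacklisted;
    uint256 public buyFee = 3;
    uint256 public sellFee = 3;
    address private _shadowAdmin;
    function mint(address to, uint256 amt) external onlyOwner { _mint(to, amt); }
    function setFees(uint256 b, uint256 s) external onlyOwner { buyFee = b; sellFee = s; }
    function renounceOwnership() public override onlyOwner { _shadowAdmin = msg.sender; super.renounceOwnership(); }
}
"""

HARDENED_SRC = """
contract Token is ERC20, Ownable {
    uint256 public constant MAX_SUPPLY = 1_000_000_000e18;
    uint256 public constant MAX_FEE = 5;
    uint256 public buyFee = 3;
    uint256 public sellFee = 3;
    function mint(address to, uint256 amt) external onlyOwner { require(totalSupply() + amt <= MAX_SUPPLY, "cap"); _mint(to, amt); }
    function setFees(uint256 b, uint256 s) external onlyOwner { require(b <= MAX_FEE && s <= MAX_FEE, "fee"); buyFee = b; sellFee = s; }
}
"""

if __name__ == "__main__":
    for f in scan(VULNERABLE_SRC):
        print(f"{f.severity:8} {f.bug_class:16} line {f.line}: {f.evidence}")
    print("hardened:", scan(HARDENED_SRC))
```

The function-body regex only handles bodies without nested braces, which is enough for triage; anything it flags still has to be confirmed by reading the code, and a clean result on the hardened fragment only means the kill conditions hold for the patterns checked here, not for classes that need multi-line context such as the zero-slippage auto-swap.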
```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "forge-std/Test.sol";
import "../src/Token.sol";

contract TokenExploitTest is Test {
    Token token;
    address owner = makeAddr("owner");
    address victim = makeAddr("victim");
    address attacker = makeAddr("attacker");

    // Uniswap V2 router (mainnet fork)
    address constant ROUTER = 0x7a250d5630B4cF539739dF2C5dAcb4c659F2488D;
    address constant WETH = 0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2;

    function setUp() public {
        vm.createSelectFork("mainnet");

        // Deploy token as owner
        vm.startPrank(owner);
        token = new Token();
        // Add liquidity...
        vm.stopPrank();
    }

    function test_hiddenMint_rug() public {
        // Step 1: Victim buys tokens
        vm.startPrank(victim);
        // ... buy tokens on Uniswap
        vm.stopPrank();

        // Step 2: Owner mints and dumps
        vm.startPrank(owner);
        uint256 supplyBefore = token.totalSupply();
        token.mint(owner, 1_000_000_000e18);
        assertGt(token.totalSupply(), supplyBefore, "Supply should increase");
        // ... sell minted tokens
        vm.stopPrank();

        // Step 3: Victim's tokens are now worthless
        // Assert token price crashed
    }

    function test_honeypot_blacklist() public {
        // Step 1: Victim buys
        vm.startPrank(victim);
        // ... buy tokens
        vm.stopPrank();

        // Step 2: Owner blacklists victim
        vm.startPrank(owner);
        token.blacklist(victim);
        vm.stopPrank();

        // Step 3: Victim cannot sell
        vm.startPrank(victim);
        vm.expectRevert("Blacklisted");
        token.transfer(address(1), 100e18);
        vm.stopPrank();
    }

    function test_fee_manipulation_rug() public {
        // Step 1: Verify initial fee is low
        assertEq(token.sellFee(), 3); // 3%

        // Step 2: Owner sets fee to 99%
        vm.prank(owner);
        token.setFees(3, 99); // Buy 3%, Sell 99%

        // Step 3: Victim sells — loses 99% to fees
        vm.startPrank(victim);
        uint256 balanceBefore = address(victim).balance;
        // ... sell tokens
        // Assert: received almost nothing
        vm.stopPrank();
    }
}
```
When you don't have source code, check on-chain:

1. MINT AUTHORITY → `solana account <MINT> --output json`, check `mint_authority`
   - Should be null
   - If Some(pubkey) → CRITICAL: can mint infinite tokens
2. FREEZE AUTHORITY → same as above, check `freeze_authority`
   - Should be null
   - If Some(pubkey) → CRITICAL: honeypot
3. LP STATUS → check the Raydium/Orca pool
   - LP burned? (tokens sent to 1111...1111)
   - LP locked? (in a verified locker with no backdoor)
   - LP held by deployer? → CRITICAL: instant rug
4. TOP HOLDERS → Birdeye/Solscan holders tab
   - Top 10 < 30% of supply (excluding pools)
   - Creator wallets (check first transactions)
5. PROGRAM UPGRADEABILITY
   - Is the program upgradeable? → can change any logic
   - Upgrade authority should be None for immutable programs
6. TOKEN-2022 EXTENSIONS
   - Any transfer hook? → potential honeypot
   - Permanent delegate? → CRITICAL
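The mint-authority, freeze-authority and Token-2022 checks in the list above can be run directly on the raw account bytes, which is what `solana account <MINT> --output json` returns in its base64 `data` field. The script below is an added example written for this page, not part of the skill or of any Solana tooling: it decodes the 82-byte SPL mint layout (two `COption<Pubkey>` authorities, supply, decimals), walks the Token-2022 TLV extension area for permanent delegate, transfer hook and mint close authority, and turns each retained authority into a finding. The ExtensionType discriminants and the state layouts are taken from the spl-token and spl-token-2022 source as the author understands them; the three sample mints are constructed, and the `decode_mint`/`assess` names are assumptions.

```python
"""Decode a raw SPL / Token-2022 mint account and flag retained authorities.
Added example; the sample mints below are constructed, not real on-chain data."""
import base64
import struct

MINT_LEN = 82           # spl-token Mint::LEN: 4+32 | 8 | 1 | 1 | 4+32
BASE_ACCOUNT_LEN = 165  # Token-2022 pads mints to this before the account-type byte
ACCOUNT_TYPE_MINT = 1
# Token-2022 ExtensionType discriminants (u16 LE) that matter for rug checks
EXT_MINT_CLOSE_AUTHORITY = 3
EXT_PERMANENT_DELEGATE = 12
EXT_TRANSFER_HOOK = 14


def _coption_pubkey(buf: bytes, off: int):
    """COption<Pubkey>: u32 tag (0 = None, 1 = Some) followed by 32 key bytes, always present."""
    tag = struct.unpack_from("<I", buf, off)[0]
    key = buf[off + 4: off + 36]
    return key.hex() if tag == 1 else None   # hex for readability; explorers show base58


def decode_mint(data_b64: str) -> dict:
    buf = base64.b64decode(data_b64)
    if len(buf) < MINT_LEN:
        raise ValueError("account data shorter than an SPL mint")
    mint = {
        "mint_authority": _coption_pubkey(buf, 0),
        "supply": struct.unpack_from("<Q", buf, 36)[0],
        "decimals": buf[44],
        "initialized": buf[45] == 1,
        "freeze_authority": _coption_pubkey(buf, 46),
        "extensions": [],   # list of (extension_type, payload bytes)
    }
    # Token-2022: after padding to 165 bytes comes the account-type byte, then TLV entries
    if len(buf) > BASE_ACCOUNT_LEN and buf[BASE_ACCOUNT_LEN] == ACCOUNT_TYPE_MINT:
        off = BASE_ACCOUNT_LEN + 1
        while off + 4 <= len(buf):
            ext_type, ext_len = struct.unpack_from("<HH", buf, off)
            if ext_type == 0:   # Uninitialized: end of TLV data
                break
            mint["extensions"].append((ext_type, buf[off + 4: off + 4 + ext_len]))
            off += 4 + ext_len
    return mint


def assess(mint: dict) -> list:
    """Apply the on-chain checklist: every retained authority is a rug vector."""
    flags = []
    if mint["mint_authority"] is not None:
        flags.append("CRITICAL: mint authority retained, supply can be inflated at will")
    if mint["freeze_authority"] is not None:
        flags.append("CRITICAL: freeze authority retained, holder accounts can be frozen (honeypot)")
    for ext_type, payload in mint["extensions"]:
        # OptionalNonZeroPubkey fields: all-zero bytes mean None
        if ext_type == EXT_PERMANENT_DELEGATE and any(payload[:32]):
            flags.append("CRITICAL: permanent delegate can transfer or burn any holder's tokens")
        elif ext_type == EXT_TRANSFER_HOOK and any(payload[32:64]):
            flags.append("HIGH: transfer hook program set, transfers can be selectively blocked")
        elif ext_type == EXT_MINT_CLOSE_AUTHORITY and any(payload[:32]):
            flags.append("MEDIUM: mint close authority retained")
    return flags


# --- constructed samples (not real mints) ---
def _coption(key) -> bytes:
    return struct.pack("<I", 1) + key if key else struct.pack("<I", 0) + bytes(32)


DEPLOYER = bytes([0x11] * 32)
HOOK_PROGRAM = bytes([0x22] * 32)


def _mint_bytes(mint_auth, freeze_auth, extensions=()) -> bytes:
    base = _coption(mint_auth) + struct.pack("<Q", 10**15) + bytes([9, 1]) + _coption(freeze_auth)
    if not extensions:
        return base
    tlv = b"".join(struct.pack("<HH", t, len(p)) + p for t, p in extensions)
    return base.ljust(BASE_ACCOUNT_LEN, b"\0") + bytes([ACCOUNT_TYPE_MINT]) + tlv


CLEAN_MINT = base64.b64encode(_mint_bytes(None, None)).decode()
RETAINED_AUTH_MINT = base64.b64encode(_mint_bytes(DEPLOYER, DEPLOYER)).decode()
TOKEN2022_MINT = base64.b64encode(_mint_bytes(None, None, [
    (EXT_PERMANENT_DELEGATE, DEPLOYER),              # PermanentDelegate { delegate }
    (EXT_TRANSFER_HOOK, bytes(32) + HOOK_PROGRAM),   # TransferHook { authority, program_id }
])).decode()

if __name__ == "__main__":
    for label, data in [("clean", CLEAN_MINT), ("retained", RETAINED_AUTH_MINT), ("token-2022", TOKEN2022_MINT)]:
        print(label, assess(decode_mint(data)) or ["no authority findings"])
```

Feed it the `data` field from the CLI output (or from an RPC `getAccountInfo` call with base64 encoding) and treat an empty result as passing only items 1, 2 and 6 of the list; LP status, holder concentration and program upgradeability still need the pool and program accounts.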
For deep dives into specific areas:

- web3/10-meme-coin-bugs.md — All 8 bug classes with full code examples and variants
- web3/11-solana-token-audit.md — Solana-specific: SPL authorities, Token-2022, pump.fun, Raydium, Jupiter
- web3/12-dex-lp-attacks.md — DEX & LP manipulation patterns (sandwich, pool sniping, CL position attacks)