A Comprehensive Guide to Avoiding Memecoin Scams and Protecting Your Investments


Memecoins have become a central topic in the cryptocurrency market and blockchain ecosystem. Since early 2024, numerous memecoins and memecoin launch platforms, such as Pump.Fun, have rapidly gained popularity within the Solana ecosystem, attracting a large number of users to participate in launching and trading various memecoins. Other blockchain ecosystems have also seen heated memecoin trading activity. For instance, SunPump on the TRON ecosystem achieved $1 million in net profit within just two weeks, while BNB Chain launched its "Meme Innovation Battle Round 3."

As the memecoin frenzy continues, users must remain vigilant about various potential security risks. Beosin has previously conducted detailed analyses of the security of memecoin launch platforms, issuing early warnings about centralized risks associated with platforms like Dexx and auditing multiple memecoin launch platforms, including Tokr.fun, Pumpup, and Pump404.

Today, we will analyze common risks and malicious practices associated with memecoins from a security perspective. Our goal is to help everyday users develop the skills needed to identify these risks and avoid financial losses.

Understanding Centralization Risks

Recent events, such as the Dexx incident, have highlighted the risks associated with centralized platforms. In this section, we will examine Pump.Fun, currently the largest memecoin launch platform:

Through on-chain transactions, we can identify Pump.Fun's core contract address: 6EF8rrecthR5Dkzon8Nwu78hRvfCKubJ14M5uBEwF6P. This contract code is not open source and is controlled by a multi-signature address (7gZufwwAo17y5kg8FMyJy2phgpvv9RSdzWtdXiWHjFr8).

However, upon closer inspection, this multi-signature address is actually controlled by a single address (4zJkeipCFGvfcJvKm4TY57ED9uEdL3sBRvs8TPdZKG5Q), introducing a single point of failure risk.

On May 17, due to an operational issue, one of Pump.Fun's private keys was compromised, resulting in a loss of $1.9 million. This incident underscores the importance of robust private key management and the proper implementation of multi-signature mechanisms to prevent single points of failure.

When launching a memecoin on Pump.Fun, users need to mint tokens using $SOL in the "internal pool." During this process, the token price is determined by a Bonding Curve. For each memecoin, Pump.Fun creates a corresponding Bonding Curve program with the following data fields:

The total token supply (tokenTotalSupply) is set to 1 billion. Parameters such as virtualSolReserves, virtualTokenReserves, realTokenReserves, and realSolReserves are used as AMM parameters to calculate the token price. When other users have minted 800 million tokens in the "internal pool," the complete field becomes true, and the memecoin becomes publicly tradable in a liquidity pool created on Raydium.
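To make the internal-pool mechanics concrete, here is an added Python simulation (not Pump.Fun's own code) of a constant-product bonding curve over the fields named above. The constant-product rule, the 6-decimal/lamport scaling and the starting virtual reserves are assumptions; the 1 billion supply and the 800 million sale threshold come from the article.

```python
from dataclasses import dataclass

LAMPORTS_PER_SOL = 10**9
TOKEN_DECIMALS = 6  # assumption: 6 decimals, so 1 token = 10**6 base units

@dataclass
class BondingCurve:
    # Field names follow the article. Starting virtual reserves are constructed
    # for illustration; the program's real constants are not given on the page.
    virtual_sol_reserves: int = 30 * LAMPORTS_PER_SOL
    virtual_token_reserves: int = 1_073_000_000 * 10**TOKEN_DECIMALS
    real_sol_reserves: int = 0
    real_token_reserves: int = 800_000_000 * 10**TOKEN_DECIMALS  # still for sale in the pool
    token_total_supply: int = 1_000_000_000 * 10**TOKEN_DECIMALS
    complete: bool = False

    def spot_price_sol_per_token(self) -> float:
        """Price implied by the virtual reserves under the constant-product assumption."""
        lamports_per_unit = self.virtual_sol_reserves / self.virtual_token_reserves
        return lamports_per_unit * 10**TOKEN_DECIMALS / LAMPORTS_PER_SOL

    def buy(self, sol_in: int) -> int:
        """Spend `sol_in` lamports in the internal pool; returns token base units received."""
        if self.complete:
            raise RuntimeError("curve complete: the token now trades in the Raydium pool")
        k = self.virtual_sol_reserves * self.virtual_token_reserves
        tokens_out = self.virtual_token_reserves - k // (self.virtual_sol_reserves + sol_in)
        if tokens_out >= self.real_token_reserves:
            # Last buy: cap at what remains and charge only what the curve needs for it.
            tokens_out = self.real_token_reserves
            remaining_virtual = self.virtual_token_reserves - tokens_out
            sol_in = -(-k // remaining_virtual) - self.virtual_sol_reserves  # ceil division
        self.virtual_sol_reserves += sol_in
        self.virtual_token_reserves -= tokens_out
        self.real_sol_reserves += sol_in
        self.real_token_reserves -= tokens_out
        # Article: once the 800M tokens have been minted from the pool, `complete`
        # flips to true and trading moves to a Raydium liquidity pool.
        self.complete = self.real_token_reserves == 0
        return tokens_out

if __name__ == "__main__":
    curve = BondingCurve()
    print("start price (SOL/token):", curve.spot_price_sol_per_token())
    got = curve.buy(1 * LAMPORTS_PER_SOL)
    print("1 SOL buys", got // 10**TOKEN_DECIMALS, "tokens; new price:",
          curve.spot_price_sol_per_token())
```

Every buy moves SOL into the virtual reserves and tokens out of them, so the price rises monotonically until the pool is emptied and migrates.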

Examining the contract data of any memecoin launched by Pump.Fun reveals that the update authority's privileged address is the Pump.fun Token Mint Authority (TSLvdd1pWpHVjahSpsvCXUbgwsL3JAcvokwaKt1eokM), which is responsible for token minting. The mint field corresponds to the memecoin contract address and token information.

These memecoin contracts lack token extension functionalities and are the simplest form of SPL tokens.

Therefore, when users participate in memecoin trading, there are no privileged addresses that can exploit token extension features (such as Permanent Delegate or TransferFee) to carry out malicious activities, thus helping to protect users from losses.

Case Study: The $Cheems Controversy

On November 25, Binance announced the listing of the $Cheems contract. The price of $Cheems surged by 35% in less than a minute before plummeting over 60%, sparking significant controversy within the community.

Through on-chain analysis of $Cheems token transactions, a key selling address was identified: 0xbb8365B1BA2462ffDce9C894Ada84478f474Fefc. Analysis of this address using Beosin KYT yielded the following results:

On November 25, this address sold 33.12 billion $Cheems tokens within one minute via Pancakeswap and the OKX DEX aggregator, obtaining 406.21 $BNB, all of which were subsequently deposited into Binance.

While many users suspected that this address might be involved in "insider trading," it could also be a "smart money" address that engaged in multiple buying and selling operations:

The overall fund flow is illustrated below:

Addresses related to this incident include:

Beyond platform risks and on-chain PVP, users trading memecoins may also encounter "honeypot" scams. Beosin has previously used case studies to help users understand such scams and preventive measures. Below is a more comprehensive summary of memecoin-related scams:

Fake Tokens

With numerous new memecoins launched daily, it may seem like opportunities for wealth are everywhere. In reality, countless imitation projects emerge, making it challenging for users to distinguish which tokens are genuinely tradable.

Many memecoin deployers replicate the names and logos of popular projects, creating token contracts with identical names. Without carefully verifying the token's contract address, users might accidentally invest in imitation projects, which could be scam platforms or honeypot contracts, resulting in an inability to sell their tokens.

Furthermore, disputes within the crypto community and among token issuers regarding memecoin capitalization often lead to significant price volatility. Recent controversies and price fluctuations between $NEIRO and $neiro, as well as $ELIZA and $eliza, highlight the extreme risks associated with memecoins. Users need to research relevant memecoin information, consider community feedback, and remain cautious of market manipulation through news by project teams.

Restricted Selling

When purchasing memecoins, users might encounter honeypot scams where the bought tokens cannot be sold or are difficult to sell. Below are common methods scammers use to restrict token sales through contract code:

(1) Blacklist/Whitelist

Token issuers can implement blacklist/whitelist functionalities within the token contract to restrict token transactions. For example, if a user's address is added to a blacklist, they may be unable to call the transfer() or transferFrom() functions to transfer tokens.

(2) Balance Manipulation

Token issuers can also manipulate users' token balances through smart contracts, setting them to extremely low values. If balance updates are only recorded internally within the contract, victims might still see their token holdings on a blockchain explorer but be unable to sell beyond the amount recorded by the contract. If balance updates occur on-chain, users will notice their purchased memecoins reduced or even zeroed out. Below is a Solidity code example that sets the balance of a blacklisted address to zero:

Beyond the EVM ecosystem, Solana has a similar functionality for modifying balances—the Token Program's Permanent Delegate extension:

Permanent Delegate is an official token extension on Solana that allows a designated authority to transfer or burn any holder's tokens at any time. It is designed for specific scenarios such as token recovery and regulatory compliance for stablecoins. When creating a token, the creator can initialize the Permanent Delegate with the createInitializePermanentDelegateInstruction instruction.

Due to the excessive permissions granted to the Permanent Delegate, some hackers exploit this extension to issue tokens, attract users to purchase them, and then profit by burning or transferring the tokens:

(3) Trading Thresholds

After purchasing certain memecoins, users might find themselves unable to sell because the contract imposes strict selling thresholds: users must hold more than a set amount of tokens (far exceeding their actual holdings) to sell, or they are required to pay high transaction taxes.

The following code example demonstrates how contract developers can impose a transaction tax through the amountToBurn parameter: when it is set to 2, 50% of the tokens involved in a user's transaction are deducted.

Solana's token extension also features a TransferFee functionality, used to charge a fee for each token transaction. Configuring TransferFee requires setting the following fields:

Since there is a cap on transfer fees, implementing "honeypot" schemes through transaction taxes is less common on Solana. Users are more likely to suffer losses through token transfers or burns.

(4) Trading Suspension

Token issuers can add a pause mechanism to the contract and use it to restrict token transactions. Once the contract enters the paused state, its transfer functions stop working, preventing users from trading.

For example, in the following Solidity code, the transfer function will only call _update to update user balances if the contract is not in a paused state:

(5) Minimum Holding Time

After purchasing memecoins, users might be required to hold them for a minimum period before they can trade again. However, this time is set by the token issuer and can be arbitrarily modified. Issuers can set the minimum holding time to an excessively large value, rendering users unable to trade.

In the following Solidity code example, a transfer can only be completed if the current transaction time is greater than or equal to the sum of the user's last update time and the delay time set by the contract:

Unique Fee Structures

After purchasing memecoins, users typically are not charged fees when trading with other users. However, when selling through a DEX (like Uniswap), fees are incurred. Additionally, returns from providing liquidity or participating in staking can be affected.

For example, in the following Solidity code example, a fee is only charged on token transactions when the recipient address (to) is a contract address:

Alternatively, the fee might not be deducted from the transfer amount but instead charged to the sender's balance on top of it. If this is not handled carefully, it can severely distort prices on DEXs and drive the token's value to zero.

Token Minting (Inflation)

Token minting is a common method of executing rug pulls. Because the token contract's owner or other privileged addresses hold minting authority, they can mint additional tokens and sell them for profit. This is a widespread potential risk in the EVM ecosystem, on Solana, and on TON. Below is an example of a minting function from a Jetton token on TON with an inflationary mechanism:

Centralized Token Distribution

The issue of centralized token distribution is a common risk in blockchain projects. When a significant portion of the token supply is controlled by the project team, they can influence key decisions in on-chain governance through token voting or manipulate market prices through large-scale transactions, impacting user assets.

As shown in the following Solidity code, when the token is deployed, the entire token supply is allocated to the contract deployer:

Proxy Upgrade Patterns

The proxy upgrade pattern used in token contracts is a common smart contract design pattern. This pattern allows for logic upgrades through a proxy contract without altering the data structure of the storage contract. While this pattern offers flexibility, it also introduces potential risks and harms. Token issuers can arbitrarily change the contract logic, leading to loss or theft of token holders' assets.

As shown in the following Solidity code, the contract's Admin can modify the address of the contract implementation. If changed to an incorrect or even malicious contract, it could result in loss or theft of user assets:

How to Avoid Scams?

Amid the memecoin frenzy, various scams continue to emerge. Without due caution, users are highly likely to fall victim to these scams and suffer financial losses. Therefore, the Beosin security team recommends that users pay attention to the following points:

  1. Adopt a rational perspective on the get-rich-quick allure of memecoins and the influence of KOL promotions. After new tokens are listed on DEXs, users should remain rational, avoid FOMO (fear of missing out) mentality, and refrain from blindly following trends.
  2. Do not readily trust "insider information" or "confidential tips." These are often scams designed to lure users into risky investments without proper information screening and research.
  3. Before purchasing any token, users should check the following key points:

    • Is the token contract open source?
    • Are there audit reports available?
    • Does a blacklist/whitelist mechanism exist?
    • Are there transaction taxes? How are they charged?
    • Is there a pause mechanism?
    • Are there special mechanisms restricting trading volume, minimum holding amount, or minimum holding time?
    • Do the contract owners have excessively high permissions?
    • Does the contract use a proxy pattern?
    • How are the owner permissions managed? Is multi-signature implemented or have they been renounced?
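One way to turn the checklist above into a first-pass screen is the added Python scanner below (not a Beosin tool; flag names and patterns are illustrative assumptions). It searches verified Solidity source for the patterns described in the Restricted Selling, Unique Fee Structures, Token Minting and Proxy Upgrade sections; a hit means "read this by hand", not "scam", and a clean result does not prove safety since unverified or obfuscated code will not match.

```python
import re

# Heuristic red-flag checks mirroring the pre-purchase checklist; a hit means
# "inspect by hand", not "scam". Flag names and patterns are illustrative assumptions.
RED_FLAGS = [
    ("blacklist/whitelist", r"\b(black|white)list\w*|isBlacklisted|isWhitelisted"),
    ("pause switch", r"\bwhenNotPaused\b|\bpaused\b|\b_?pause\("),
    ("transfer tax / fee", r"\b(tax|fee|amountToBurn)\w*\s*[=;,)]"),
    ("holding-time / threshold", r"\b(lastTransfer|holdTime|minHold|lockTime|maxSell|minSell)\w*"),
    ("owner can mint", r"function\s+mint\s*\([^)]*\)[^{]*\bonly\w*\b"),
    ("balance overwrite", r"(_balances|balanceOf)\s*\[[^\]]+\]\s*=\s*\d+\s*;"),
    ("proxy / delegatecall", r"\bdelegatecall\b|\bimplementation\b|\bupgradeTo\w*\("),
    ("contract-only fee (DEX targeting)", r"\bextcodesize\b|\bisContract\s*\(|\.code\.length"),
]

def scan_source(source: str) -> list[str]:
    """Return the names of every red flag whose pattern appears in `source`."""
    return [name for name, pattern in RED_FLAGS if re.search(pattern, source)]

# Constructed sample: a minimal ERC-20 carrying several patterns described in the article
# (blacklist, balance zeroing, owner mint, pause, holding time, fee only when `to` is a contract).
SAMPLE_SOURCE = """
contract MemeToken is ERC20, Ownable {
    mapping(address => bool) public isBlacklisted;
    mapping(address => uint256) public lastTransfer;
    uint256 public holdTime = 1 days;
    uint256 public amountToBurn = 2;
    bool public paused;
    function setBlacklist(address a, bool b) external onlyOwner { isBlacklisted[a] = b; }
    function wipe(address a) external onlyOwner { _balances[a] = 0; }
    function mint(address to, uint256 amt) external onlyOwner { _mint(to, amt); }
    function _update(address from, address to, uint256 value) internal override {
        require(!paused, "paused");
        require(!isBlacklisted[from], "blacklisted");
        require(block.timestamp >= lastTransfer[from] + holdTime, "hold");
        if (to.code.length > 0) { value -= value / amountToBurn; }
        lastTransfer[from] = block.timestamp;
        super._update(from, to, value);
    }
}
"""

# Constructed sample of a plain fixed-supply token with none of the patterns.
CLEAN_SOURCE = 'contract Plain is ERC20 { constructor() ERC20("Plain", "PLN") { _mint(msg.sender, 1e27); } }'

if __name__ == "__main__":
    for flag in scan_source(SAMPLE_SOURCE):
        print("RED FLAG:", flag)
```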

Beosin has conducted detailed security audits on multiple memecoin launch platforms and token contracts (including Tokr.fun, Pumpup, and Pump404) to ensure the security of their contract code, the correctness of business implementation logic, and the safety of project and user funds.

  4. Refer to the token contract detection items provided by trading platforms and risk monitoring tools. This information helps users identify scams more accurately; before trading, consult the detection results from multiple security tools.

Commonly used risk detection tools include:

Frequently Asked Questions

What is a memecoin?
A memecoin is a type of cryptocurrency inspired by internet memes or jokes. Unlike traditional cryptocurrencies that often have utility or represent a share in a project, memecoins primarily derive their value from community engagement, social media trends, and speculative trading.

How can I verify if a memecoin contract is legitimate?
Always check the official contract address from the project's verified website or social media channels. Use blockchain explorers to review the contract code, if open source, and look for audit reports from reputable security firms. Avoid contracts that are not verified or have no visible audit history.

What does "rug pull" mean in the context of memecoins?
A rug pull occurs when the developers of a project abandon it and withdraw all the funds from the liquidity pool, causing the token's value to crash dramatically. This is often executed by malicious actors who have control over the contract or the liquidity.

Are there any safe practices for trading memecoins?
Yes, always conduct thorough research (DYOR), invest only what you can afford to lose, use reputable exchanges and DEXs, enable all security features on your wallets, and consider using risk detection tools to scan tokens before purchasing.

Why is contract auditing important for memecoins?
Audits by reputable firms help identify vulnerabilities, malicious code, or potential scams within a token's smart contract. They provide an additional layer of confidence that the project has been reviewed for common security issues and best practices.

Can I recover funds lost to a memecoin scam?
Unfortunately, due to the irreversible nature of most blockchain transactions, recovering funds lost to scams is extremely difficult. This underscores the critical importance of preventive measures and thorough checks before investing.

Conclusion

This article has summarized common methods associated with memecoin scams. It is evident that while memecoins present opportunities and possibilities, they are also accompanied by various pitfalls. When engaging in memecoin trading, users must maintain high vigilance and exercise caution to reduce the risk of financial loss. In the Web3 world, safety should always be the top priority.