meme-coin-audit

Vendored note (this repo). Adapted from the standalone claude-bug-bounty project. The upstream executable scaffolding — helper scripts (tools/*.py, tools/*.sh), the standalone wordlists/ pipeline, and slash-commands (/recon, /hunt, /validate, /report, …) — is not bundled here: run tooling through the MCP server (run_tool / run_pipeline / run_script) and install via the project installer/registry. Any static deep-dive files this skill needs are vendored into its own references/ folder, and cross-skill references resolve by skill name (e.g. the bb-methodology skill). Some named tools may not be in tools_config.json yet — add them with the add-tool skill or install upstream.

MEME COIN & TOKEN SECURITY AUDIT

Fast-kill rug pull detection and deep token security analysis for EVM and Solana meme coins.

---

PRE-DIVE KILL SIGNALS

Check these BEFORE reading a single line of code. If any are true, skip the audit — the token is likely a rug or not worth the time.

Hard Kills (Skip Immediately)

• Contract not verified on Etherscan/Solscan → Cannot audit source = cannot trust
• Deployer wallet has history of rug pulls (check Etherscan deployer page)
• Token age < 1 hour AND no known team → Too early, wait for more data
• Mint authority retained (Solana) AND no cap → Infinite mint = certain rug
• Freeze authority retained (Solana) on meme coin → Honeypot confirmed
• Transfer hook present (Token-2022) with mutable hook program → Honeypot vector
• Permanent delegate extension (Token-2022) → Can steal all holder tokens

Soft Kills (Proceed with Extreme Caution)

• Top holder > 20% of supply (excluding DEX pools)
• LP not burned or locked in verified contract
• Contract is upgradeable / proxy with retained admin
• Less than $5K liquidity in the pool
• No social presence / anonymous deployer with no history

---

THE ONE RULE

"Check ALL authorities and owner functions. The retained authority IS the rug vector."

Every rug pull requires a privileged operation: mint, blacklist, fee change, LP removal, or authority abuse. If you find the privilege, you found the bug.

---

BUG CLASSES (8 TOKEN-SPECIFIC)

1. HIDDEN MINT / UNLIMITED SUPPLY

35% of meme coin rugs. Deployer mints tokens post-launch, dumps on LP.

Quick grep (EVM):

grep -rn "function mint\|_mint(\|_balances\[.*\] +=" src/ --include="*.sol" | grep -v "test\|lib\|node_modules"

Quick grep (Solana):

grep -rn "MintTo\|mint_to\|mint_authority" src/ --include="*.rs" | grep -v "test\|target"

Kill if: MAX_SUPPLY enforced in every mint path, or mint function removed entirely.

2. HONEYPOT / TRANSFER RESTRICTION

25% of meme coin scams. Buy works, sell blocked.

Quick grep:

grep -rn "blacklist\|isBlacklisted\|_bots\|maxTxAmount\|approve.*override\|tradingEnabled" src/ --include="*.sol"

Solana equivalent:

grep -rn "freeze_authority\|transfer_hook\|TransferHook\|permanent_delegate" src/ --include="*.rs"

Kill if: No blacklist mapping, no transfer hooks, no freeze authority.

3. FEE MANIPULATION

20% of rugs. Sell fee set to 99% after initial buys.

Quick grep:

grep -rn "setFee\|setSellFee\|_taxFee\|_sellFee" src/ --include="*.sol"
grep -rn "function set.*Fee" -A5 src/ --include="*.sol" | grep -v "require\|MAX\|<="

Kill if: Fee setter has require(fee <= MAX_FEE) with MAX_FEE <= 10%.

4. LIQUIDITY POOL DRAIN

LP removal, migration, or manipulation to crash price.

Quick grep:

grep -rn "migrateLP\|emergencyWithdraw\|\.sync()\|setPair\|setRouter" src/ --include="*.sol"

Kill if: LP tokens burned to dead address, no migration function, no pair setter.

5. BONDING CURVE MANIPULATION

Exploits in pump.fun-style bonding curves.

Quick grep:

grep -rn "virtualReserve\|setCurve\|graduate\|bonding_curve" src/ --include="*.sol" --include="*.rs"

Kill if: Curve parameters immutable, graduation permissionless.

6. AUTHORITY RETENTION (SOLANA)

Retained mint/freeze/update authorities on Solana tokens.

Quick grep:

grep -rn "mint_authority\|freeze_authority\|update_authority\|close_authority" src/ --include="*.rs"
grep -rn "set_authority.*None" src/ --include="*.rs"  # Good sign: revocation

Kill if: All authorities = None, verified on-chain.

7. FAKE RENOUNCE / HIDDEN OWNERSHIP

Ownership appears renounced but backdoor control retained.

Quick grep:

grep -rn "renounceOwnership.*override\|_shadowAdmin\|_backupOwner\|selfdestruct" src/ --include="*.sol"

Kill if: renounceOwnership NOT overridden, no second admin role, no selfdestruct.

8. SANDWICH AMPLIFICATION BY DESIGN

Contract makes holders maximally sandwichable.

Quick grep:

grep -rn "swapExactTokensForETH" -A5 src/ --include="*.sol" | grep "0,"
grep -rn "swapThreshold\|_rebase\|mandatoryPool" src/ --include="*.sol"

Kill if: Auto-swap has proper slippage, no rebase mechanics.

---

AUTOMATED SCANNER

The upstream token_scanner.py is not bundled here. For fast red-flag detection, drive the grep patterns from this skill (and the deep-dives in references/) through MCP — run_pipeline over the contract source, or run_script for the EVM/Solana checks below:

# EVM red flags (hidden mint / fee manipulation / blacklist / owner-only transfer)
run_tool("grep", "-nEi '(_mint|setFee|blacklist|onlyOwner.*transfer|pause)' contracts/Token.sol")

# Solana SPL authorities (mint/freeze authority not renounced)
run_tool("grep", "-rnEi '(mint_authority|freeze_authority|set_authority)' programs/token/")

See references/10-meme-coin-bugs.md, references/11-solana-token-audit.md, and references/12-dex-lp-attacks.md for the full class-by-class checks.

The scanner checks all 8 bug classes via regex patterns. It catches:

• Direct mint/balance manipulation
• Blacklist and transfer restriction patterns
• Unbounded fee setters
• LP migration and emergency withdraw functions
• Fake renounce overrides
• Zero slippage auto-swaps
• All Solana authority patterns
• Token-2022 dangerous extensions

Scanner does NOT check:

• On-chain state (use Etherscan/Solscan for authority verification)
• Holder distribution (use DEXTools/Birdeye)
• LP lock status (use Unicrypt/PinkLock/Solscan)
• Deployer wallet history (manual check)

---

FOUNDRY POC TEMPLATE (TOKEN EXPLOITS)

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "forge-std/Test.sol";
import "../src/Token.sol";

contract TokenExploitTest is Test {
    Token token;
    address owner = makeAddr("owner");
    address victim = makeAddr("victim");
    address attacker = makeAddr("attacker");

    // Uniswap V2 router (mainnet fork)
    address constant ROUTER = 0x7a250d5630B4cF539739dF2C5dAcb4c659F2488D;
    address constant WETH = 0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2;

    function setUp() public {
        vm.createSelectFork("mainnet");
        // Deploy token as owner
        vm.startPrank(owner);
        token = new Token();
        // Add liquidity...
        vm.stopPrank();
    }

    function test_hiddenMint_rug() public {
        // Step 1: Victim buys tokens
        vm.startPrank(victim);
        // ... buy tokens on Uniswap
        vm.stopPrank();

        // Step 2: Owner mints and dumps
        vm.startPrank(owner);
        uint256 supplyBefore = token.totalSupply();
        token.mint(owner, 1_000_000_000e18);
        assertGt(token.totalSupply(), supplyBefore, "Supply should increase");
        // ... sell minted tokens
        vm.stopPrank();

        // Step 3: Victim's tokens are now worthless
        // Assert token price crashed
    }

    function test_honeypot_blacklist() public {
        // Step 1: Victim buys
        vm.startPrank(victim);
        // ... buy tokens
        vm.stopPrank();

        // Step 2: Owner blacklists victim
        vm.startPrank(owner);
        token.blacklist(victim);
        vm.stopPrank();

        // Step 3: Victim cannot sell
        vm.startPrank(victim);
        vm.expectRevert("Blacklisted");
        token.transfer(address(1), 100e18);
        vm.stopPrank();
    }

    function test_fee_manipulation_rug() public {
        // Step 1: Verify initial fee is low
        assertEq(token.sellFee(), 3); // 3%

        // Step 2: Owner sets fee to 99%
        vm.prank(owner);
        token.setFees(3, 99); // Buy 3%, Sell 99%

        // Step 3: Victim sells — loses 99% to fees
        vm.startPrank(victim);
        uint256 balanceBefore = address(victim).balance;
        // ... sell tokens
        // Assert: received almost nothing
        vm.stopPrank();
    }
}

---

SOLANA QUICK CHECKS (NO SOURCE CODE NEEDED)

When you don't have source code, check on-chain:

1. MINT AUTHORITY → solana account <MINT> --output json | check mint_authority
   - Should be null
   - If Some(pubkey) → CRITICAL: can mint infinite tokens

2. FREEZE AUTHORITY → same as above, check freeze_authority
   - Should be null
   - If Some(pubkey) → CRITICAL: honeypot

3. LP STATUS → Check Raydium/Orca pool
   - LP burned? (tokens sent to 1111...1111)
   - LP locked? (in verified locker with no backdoor)
   - LP held by deployer? → CRITICAL: instant rug

4. TOP HOLDERS → Birdeye/Solscan holders tab
   - Top 10 < 30% of supply (excluding pools)
   - Creator wallets (check first transactions)

5. PROGRAM UPGRADEABILITY
   - Is the program upgradeable? → can change any logic
   - Upgrade authority should be None for immutable programs

6. TOKEN-2022 EXTENSIONS
   - Any transfer hook? → potential honeypot
   - Permanent delegate? → CRITICAL

---

FULL REFERENCE FILES

For deep dives into specific areas (vendored into this skill's references/):

• references/10-meme-coin-bugs.md — All 8 bug classes with full code examples and variants
• references/11-solana-token-audit.md — Solana-specific: SPL authorities, Token-2022, pump.fun, Raydium, Jupiter
• references/12-dex-lp-attacks.md — DEX & LP manipulation patterns (sandwich, pool sniping, CL position attacks)