ClaudeWave

meme-coin-audit

Meme-coin-audit is a comprehensive security scanner for EVM and Solana tokens that detects rug pulls, honeypots, hidden mints, fee manipulation, and authority abuses. Use it before investing in or auditing meme coins, analyzing pump.fun or Raydium tokens, or performing pre-purchase due diligence on any new token project.

Install in Claude Code
git clone --depth 1 https://github.com/elementalsouls/Claude-BugHunter /tmp/meme-coin-audit && cp -r /tmp/meme-coin-audit/skills/meme-coin-audit ~/.claude/skills/meme-coin-audit
Then start a new Claude Code session; the skill loads automatically.

SKILL.md

# MEME COIN & TOKEN SECURITY AUDIT

Fast-kill rug pull detection and deep token security analysis for EVM and Solana meme coins.

---

## PRE-DIVE KILL SIGNALS

Check these BEFORE reading a single line of code. If any are true, skip the audit — the token is likely a rug or not worth the time.

### Hard Kills (Skip Immediately)
- **Contract not verified** on Etherscan/Solscan → Cannot audit source = cannot trust
- **Deployer wallet** has history of rug pulls (check Etherscan deployer page)
- **Token age < 1 hour** AND no known team → Too early, wait for more data
- **Mint authority retained** (Solana) AND no cap → Infinite mint = certain rug
- **Freeze authority retained** (Solana) on meme coin → Honeypot confirmed
- **Transfer hook present** (Token-2022) with mutable hook program → Honeypot vector
- **Permanent delegate** extension (Token-2022) → Can steal all holder tokens

### Soft Kills (Proceed with Extreme Caution)
- Top holder > 20% of supply (excluding DEX pools)
- LP not burned or locked in verified contract
- Contract is upgradeable / proxy with retained admin
- Less than $5K liquidity in the pool
- No social presence / anonymous deployer with no history

---

## THE ONE RULE

> **"Check ALL authorities and owner functions. The retained authority IS the rug vector."**
>
> Every rug pull requires a privileged operation: mint, blacklist, fee change, LP removal, or authority abuse. If you find the privilege, you found the bug.

---

## BUG CLASSES (8 TOKEN-SPECIFIC)

### 1. HIDDEN MINT / UNLIMITED SUPPLY
> Common rug pattern. Deployer mints tokens post-launch, dumps on LP.

**Quick grep (EVM):**
```bash
grep -rn "function mint\|_mint(\|_balances\[.*\] +=" src/ --include="*.sol" | grep -v "test\|lib\|node_modules"
```

**Quick grep (Solana):**
```bash
grep -rn "MintTo\|mint_to\|mint_authority" src/ --include="*.rs" | grep -v "test\|target"
```

**Kill if:** MAX_SUPPLY enforced in every mint path, or mint function removed entirely.

### 2. HONEYPOT / TRANSFER RESTRICTION
> Common scam pattern. Buy works, sell blocked.

**Quick grep:**
```bash
grep -rn "blacklist\|isBlacklisted\|_bots\|maxTxAmount\|approve.*override\|tradingEnabled" src/ --include="*.sol"
```

**Solana equivalent:**
```bash
grep -rn "freeze_authority\|transfer_hook\|TransferHook\|permanent_delegate" src/ --include="*.rs"
```

**Kill if:** No blacklist mapping, no transfer hooks, no freeze authority.

### 3. FEE MANIPULATION
> Common rug pattern. Sell fee set to 99% after initial buys.

**Quick grep:**
```bash
grep -rn "setFee\|setSellFee\|_taxFee\|_sellFee" src/ --include="*.sol"
grep -rn "function set.*Fee" -A5 src/ --include="*.sol" | grep -v "require\|MAX\|<="
```

**Kill if:** Fee setter has `require(fee <= MAX_FEE)` with MAX_FEE <= 10%.
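The `grep -A5` heuristic above only sees five lines after the signature, so a `require(fee <= MAX_FEE)` that sits below a multi-line parameter list or an event emission is reported as missing, and a comment that happens to mention a bound is reported as present. The following is an added example, not part of the skill, that does the same check per function: it strips comments, brace-matches each `set*Fee*` body and looks for a comparison inside a `require` or an `if ... revert`. The Solidity sample is constructed for the demonstration and is not taken from any real token.

```python
import re

# Constructed Solidity sample (not from any real token): one unbounded fee setter and one
# hardened setter whose bounds check sits several lines below the signature, where
# `grep -A5` may not see it.
SAMPLE_SOL = """
contract Token {
    uint256 public sellFee;
    uint256 public buyFee;
    uint256 public constant MAX_FEE = 1000; // 10% in basis points

    function setSellFee(uint256 fee) external onlyOwner {
        sellFee = fee;
    }

    function setBuyFee(
        uint256 fee
    )
        external
        onlyOwner
    {
        emit FeeUpdated(fee);
        require(fee <= MAX_FEE, "fee too high");
        buyFee = fee;
    }
}
"""

SETTER_RE = re.compile(r"function\s+(set\w*Fee\w*)\s*\(")


def _strip_comments(src: str) -> str:
    """Drop // and /* */ comments so a comment mentioning a bound cannot satisfy the check."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)


def _function_body(src: str, start: int) -> str:
    """Return the text inside the braces of the function whose signature begins at `start`."""
    open_idx = src.index("{", start)
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i]
    raise ValueError("unbalanced braces")


def _has_upper_bound(body: str) -> bool:
    """True if the body compares its input inside a require() or an if/revert guard."""
    if re.search(r"require\s*\([^;]*[<>]=?", body):
        return True
    return re.search(r"if\s*\([^)]*[<>]=?[^)]*\)\s*\{?\s*revert", body) is not None


def scan_fee_setters(src: str) -> dict:
    """Map each set*Fee* function name to True (bounded) or False (unbounded)."""
    src = _strip_comments(src)
    return {m.group(1): _has_upper_bound(_function_body(src, m.end()))
            for m in SETTER_RE.finditer(src)}


def unbounded_fee_setters(src: str) -> list:
    """Names of fee setters with no comparison guard at all: the 99%-sell-fee vector."""
    return [name for name, bounded in scan_fee_setters(src).items() if not bounded]


if __name__ == "__main__":
    print(scan_fee_setters(SAMPLE_SOL))
    print("unbounded:", unbounded_fee_setters(SAMPLE_SOL))
```

This is still a heuristic: a comparison against a lower bound or a mutable `maxFee` variable also counts as "bounded", so read the flagged-clean setters by eye and confirm the cap itself is a constant at or below the 10% threshold the skill uses.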

### 4. LIQUIDITY POOL DRAIN
> LP removal, migration, or manipulation to crash price.

**Quick grep:**
```bash
grep -rn "migrateLP\|emergencyWithdraw\|\.sync()\|setPair\|setRouter" src/ --include="*.sol"
```

**Kill if:** LP tokens burned to dead address, no migration function, no pair setter.

### 5. BONDING CURVE MANIPULATION
> Exploits in pump.fun-style bonding curves.

**Quick grep:**
```bash
grep -rn "virtualReserve\|setCurve\|graduate\|bonding_curve" src/ --include="*.sol" --include="*.rs"
```

**Kill if:** Curve parameters immutable, graduation permissionless.

### 6. AUTHORITY RETENTION (SOLANA)
> Retained mint/freeze/update authorities on Solana tokens.

**Quick grep:**
```bash
grep -rn "mint_authority\|freeze_authority\|update_authority\|close_authority" src/ --include="*.rs"
grep -rn "set_authority.*None" src/ --include="*.rs"  # Good sign: revocation
```

**Kill if:** All authorities = None, verified on-chain.

### 7. FAKE RENOUNCE / HIDDEN OWNERSHIP
> Ownership appears renounced but backdoor control retained.

**Quick grep:**
```bash
grep -rn "renounceOwnership.*override\|_shadowAdmin\|_backupOwner\|selfdestruct" src/ --include="*.sol"
```

**Kill if:** renounceOwnership NOT overridden, no second admin role, no selfdestruct.

### 8. SANDWICH AMPLIFICATION BY DESIGN
> Contract makes holders maximally sandwichable.

**Quick grep:**
```bash
grep -rn "swapExactTokensForETH" -A5 src/ --include="*.sol" | grep "0,"
grep -rn "swapThreshold\|_rebase\|mandatoryPool" src/ --include="*.sol"
```

**Kill if:** Auto-swap has proper slippage, no rebase mechanics.

---

## FAST RED-FLAG SWEEP

Run the 8 bug-class greps above across the source tree for fast red-flag detection. Together they catch:
- Direct mint/balance manipulation
- Blacklist and transfer restriction patterns
- Unbounded fee setters
- LP migration and emergency withdraw functions
- Fake renounce overrides
- Zero slippage auto-swaps
- All Solana authority patterns
- Token-2022 dangerous extensions

**Source grep does NOT check** (verify these out-of-band):
- On-chain state (use Etherscan/Solscan for authority verification)
- Holder distribution (use DEXTools/Birdeye)
- LP lock status (use Unicrypt/PinkLock/Solscan)
- Deployer wallet history (manual check)
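The Solana authority checks in bug class 6 and the Token-2022 hard kills can be read straight off the mint account's raw data instead of trusting an explorer's rendering. The following is an added example, not part of the skill: it parses the 82-byte SPL Token mint layout (mint authority, supply, decimals, freeze authority) and, for Token-2022 mints, the TLV extension records that follow the account-type byte, then maps the result onto the hard-kill list above. The `ExtensionType` discriminants (12 = PermanentDelegate, 14 = TransferHook) are the Token-2022 program's; fetching the account bytes over RPC is left out, and the two sample mints are constructed in the block so it runs offline.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# SPL Token mint layout (82 bytes): COption<Pubkey> mint_authority, u64 supply,
# u8 decimals, u8 is_initialized, COption<Pubkey> freeze_authority.
MINT_LEN = 82
# Token-2022 zero-pads a mint to the 165-byte token-account length, then writes
# one account-type byte (1 = Mint) followed by TLV extension records.
ACCOUNT_LEN = 165
ACCOUNT_TYPE_MINT = 1
# ExtensionType discriminants from the Token-2022 program for the two extensions
# on the skill's hard-kill list.
EXT_PERMANENT_DELEGATE = 12
EXT_TRANSFER_HOOK = 14


def _coption_pubkey(buf: bytes, off: int):
    """Decode COption<Pubkey>: u32 LE tag (1 = Some) followed by 32 key bytes."""
    tag = struct.unpack_from("<I", buf, off)[0]
    key = buf[off + 4:off + 36]
    return (key.hex() if tag == 1 else None), off + 36


@dataclass
class MintReport:
    mint_authority: Optional[str]
    freeze_authority: Optional[str]
    supply: int
    decimals: int
    extensions: Dict[int, bytes] = field(default_factory=dict)

    def hard_kills(self) -> List[str]:
        """Map the decoded state onto the skill's Solana hard-kill signals."""
        kills = []
        if self.mint_authority is not None:
            kills.append("mint authority retained")
        if self.freeze_authority is not None:
            kills.append("freeze authority retained")
        if EXT_PERMANENT_DELEGATE in self.extensions:
            kills.append("permanent delegate extension")
        hook = self.extensions.get(EXT_TRANSFER_HOOK)
        # TransferHook value = authority (32 bytes, all-zero = None) + program_id (32 bytes);
        # a non-zero authority means the hook program can still be swapped out.
        if hook is not None and any(hook[:32]):
            kills.append("transfer hook with mutable hook program")
        return kills


def parse_mint(data: bytes) -> MintReport:
    """Parse the raw account data of an SPL Token / Token-2022 mint."""
    if len(data) < MINT_LEN:
        raise ValueError("too short for a mint account")
    mint_auth, off = _coption_pubkey(data, 0)
    supply = struct.unpack_from("<Q", data, off)[0]
    off += 8
    decimals, initialized = data[off], data[off + 1]
    off += 2
    if not initialized:
        raise ValueError("mint is not initialized")
    freeze_auth, off = _coption_pubkey(data, off)
    exts: Dict[int, bytes] = {}
    if len(data) > ACCOUNT_LEN:
        if data[ACCOUNT_LEN] != ACCOUNT_TYPE_MINT:
            raise ValueError("extended account is not a mint")
        off = ACCOUNT_LEN + 1
        while off + 4 <= len(data):
            ext_type, ext_len = struct.unpack_from("<HH", data, off)
            off += 4
            if ext_type == 0:  # Uninitialized: nothing further
                break
            exts[ext_type] = data[off:off + ext_len]
            off += ext_len
    return MintReport(mint_auth, freeze_auth, supply, decimals, exts)


def build_mint(mint_auth, freeze_auth, supply, decimals, extensions=()):
    """Build constructed mint data for offline testing (not a real on-chain account)."""
    def coption(key):
        return struct.pack("<I", 1) + key if key else struct.pack("<I", 0) + bytes(32)
    base = coption(mint_auth) + struct.pack("<Q", supply) + bytes([decimals, 1]) + coption(freeze_auth)
    if not extensions:
        return base
    tlv = b"".join(struct.pack("<HH", t, len(v)) + v for t, v in extensions)
    return base + bytes(ACCOUNT_LEN - MINT_LEN) + bytes([ACCOUNT_TYPE_MINT]) + tlv


# Constructed samples: a fully revoked classic mint, and a Token-2022 mint with every
# authority and both dangerous extensions retained.
CLEAN_MINT = build_mint(None, None, 10**15, 6)
RETAINED_MINT = build_mint(b"\x11" * 32, b"\x22" * 32, 10**15, 6, [
    (EXT_PERMANENT_DELEGATE, b"\x33" * 32),
    (EXT_TRANSFER_HOOK, b"\x44" * 32 + b"\x55" * 32),
])

if __name__ == "__main__":
    for name, raw in (("clean", CLEAN_MINT), ("retained", RETAINED_MINT)):
        print(name, parse_mint(raw).hard_kills() or ["no hard kills"])
```

A transfer hook whose authority field is all zeros is reported as present in `extensions` but not as a hard kill, matching the skill's distinction between a hook with a mutable program and one that is fixed; a retained authority of any kind, or a permanent delegate, is reported regardless of who holds it.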

---

## FOUNDRY POC TEMPLATE (TOKEN EXPLOITS)

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "forge-std/Test.sol";
import "../src/Token.sol";

contract TokenExploitTest is Test {
    Token token;
    address owner = makeAddr("owner");
    address victim = makeAddr("victim");
    address attacker = makeAddr("attacker");

    // Uniswap V2 router (mainnet fork)
    address constant ROUTER = 0x7a250d5630B4cF539739dF2C5dAcb4c659F2488D;
    address constant WETH = 0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2;

    function setUp() public {
        vm.createSelectFork("mainnet");
        // Deploy token as owner
        vm.startPrank(owner);
        token = new Token();
        // Add liquidity...
        vm.stopPrank();
    }

    function test_hiddenMint_rug() public {
        // Step 1: Victim buys tokens
        vm.startPrank(victim);
        // ... buy tokens on Uniswap
        vm.stopPrank();

        // Step 2: Owner mints and dumps
        vm.startPrank(owner);
        // ... mint to owner, sell into the pool
        vm.stopPrank();
    }
}
```