How to Verify a Smart Contract Onchain: Step-by-Step 2026

— By Whatsertrade in Tutorials

Learn how to verify a smart contract on Etherscan, BscScan and Solscan step by step: source code, proxy detection, ownership and audit checks for 2026.

Security checklist: Before you swap, approve or bridge into any new token, verify the contract onchain. This guide walks through Etherscan, BscScan and Solscan with the exact checks that catch hidden mint functions, proxy traps and ownership red flags. If you only have five minutes, follow the steps in the walkthrough section.

Smart contracts run the money. A wallet signature is a legal-style instruction handed to code, so reading what that code does is not optional. The good news: the three biggest explorers expose almost everything you need, and the workflow repeats across chains once you learn the pattern.

Scam tokens: ~70% of new launches flag risk
Avg rug loss: $2.8k per affected wallet
Verify time: 5 min with this checklist
Quick answer
Verifying a smart contract means confirming the deployed bytecode matches public Solidity source on the explorer, then reading the code for ownership powers, mint functions, fees and proxies. Etherscan and BscScan share the same workflow. Solscan uses a different model because Solana programs are compiled BPF bytecode and a token's supply rules are fields on its SPL mint account rather than per-token contract code.

Why contract verification matters before you buy

A token on a DEX is just a contract address. The ticker, the logo and the Telegram are marketing. The contract is the only source of truth, and it controls whether you can sell, what fees apply, whether new supply can be minted and which wallet can pause everything.

Verification answers two questions. The procedural one: did the deployer publish source that compiles to the deployed bytecode. The editorial one: is the published code something you would agree to. You need both. A contract can be verified and still be malicious by design.

Etherscan verified source code: what the green check really means

Open Etherscan, paste the contract address and click the Contract tab. A green check next to Contract means Etherscan compiled the public Solidity and confirmed the bytecode matches what is deployed on mainnet.

Verification is necessary but not sufficient. It only proves the code you are about to read is the code that runs. It says nothing about whether the code is fair.

Rule of thumb
If a token contract is unverified on Etherscan and the team has had more than a week to publish source code, treat that as a hard pass for anything beyond a tiny exploratory position.

Inside the Contract tab you will find sub-tabs for Code, Read Contract and Write Contract. Code shows the Solidity. Read lists view functions queryable without gas. Write lists state-changing functions you can call through your wallet. Together they describe the contract's entire surface area.

Reading contract source: constructor, mint, owner and fee functions

You are not auditing line by line. You are skimming for the five things that decide whether the token is fair. Use search inside the Code tab for these keywords.

Check 1
Mint and burn powers
Search for mint, _mint, mintTo or burnFrom. If those exist and are guarded only by an owner role, supply can balloon at any time. Look for a final non-mintable token where these functions are absent or permanently disabled. A name search is only the first pass: any function that writes to the _balances mapping or bumps _totalSupply inflates supply just as well, whatever it is called, so search for those assignments too.
Check 2
Owner and admin roles
Search for Ownable, onlyOwner, AccessControl, hasRole or DEFAULT_ADMIN_ROLE. Map every powerful function back to the wallet that controls it. Then check that wallet onchain to see if it is a multisig, an EOA or renounced.
Check 3
Transfer fees and limits
Search for fee, tax, maxTx, maxWallet or transferFee. A token with adjustable fees and no upper bound in the setter can be pushed to 99% by the owner. A maxTx tighter than the positions people are taking blocks their sells and acts as a soft honeypot.
Check 4
Blacklists and pauses
Search for blacklist, isBlocked, pause or paused. These let the owner freeze specific wallets or the entire token. Some legitimate stablecoins use this. Random meme tokens usually do not need it.
Check 5
Constructor seeding
Read the constructor at the top of the file. It defines the initial supply and the wallet that receives it. A constructor that sends 100% of supply to one address is a concentration warning even if the rest of the code looks clean.
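The five checks as a script, added here as an example rather than code from the page or from any explorer. It runs a first-pass scan over a constructed Solidity source, maps every flagged function to the role modifier gating it, notes whether fee setters carry an upper bound, and catches a supply-inflating function that a plain search for "mint" would miss. The sample contract, its function names and the keyword lists are assumptions for illustration; the regexes are heuristics, not a Solidity parser, and should be followed by reading the flagged functions by hand.

```python
import re
from dataclasses import dataclass

# Constructed sample source (not a real deployed token). It carries the powers the five
# checks hunt for, plus one supply-inflating function whose name never says "mint".
SAMPLE_SOURCE = """
contract DemoToken is ERC20, Ownable {
    uint256 public sellFee = 5;
    uint256 public maxTx = 1_000e18;
    mapping(address => bool) private _blocked;
    bool public paused;

    constructor() ERC20("Demo", "DMO") {
        _mint(msg.sender, 1_000_000e18);   // 100% of supply to the deployer
    }

    function mint(address to, uint256 amount) external onlyOwner { _mint(to, amount); }
    function setSellFee(uint256 fee) external onlyOwner { sellFee = fee; }
    function setMaxTx(uint256 v) external onlyOwner {
        require(v >= 1_000e18, "too low");
        maxTx = v;
    }
    function setBlocked(address a, bool b) external onlyOwner { _blocked[a] = b; }
    function pause() external onlyOwner { paused = true; }
    function airdrop(address to, uint256 amount) external onlyOwner {
        _balances[to] += amount;           // hidden mint: a balance write with no "mint" in sight
    }
    function _transfer(address from, address to, uint256 amount) internal override {
        require(!paused && !_blocked[from], "blocked");
        super._transfer(from, to, amount);
    }
}
"""

# Heuristics, not a Solidity parser: function headers, role modifiers, and direct writes
# to the ERC-20 bookkeeping that bypass the named mint path.
FUNC_RE = re.compile(r"function\s+(\w+)\s*\(([^)]*)\)\s*([^{;]*?)\s*\{")
BALANCE_WRITE_RE = re.compile(r"(_balances\[[^\]]*\]|_totalSupply)\s*(\+=|-=|=)")
GUARDS = ("onlyOwner", "onlyRole", "onlyAdmin")  # modifiers that tie a power to one key
NAME_CATEGORIES = [
    ("mint", re.compile(r"mint|burnFrom", re.I)),
    ("fee", re.compile(r"fee|tax|maxTx|maxWallet", re.I)),
    ("blacklist", re.compile(r"blacklist|block|pause", re.I)),
]


@dataclass
class Finding:
    category: str   # mint / fee / blacklist
    function: str
    guard: str      # modifier gating the call, or "NONE"
    note: str


def _body(src: str, open_idx: int) -> str:
    """Text between the brace at open_idx and its matching closing brace."""
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i]
    return src[open_idx + 1:]


def scan_source(src: str) -> list:
    findings = []
    for m in FUNC_RE.finditer(src):
        name, mods = m.group(1), m.group(3)
        body = _body(src, m.end() - 1)
        guard = next((g for g in GUARDS if g in mods), "NONE")
        category = next((c for c, rx in NAME_CATEGORIES if rx.search(name)), None)
        note = ""
        if category is None and BALANCE_WRITE_RE.search(body):
            category, note = "mint", "writes balances directly; no 'mint' in the name"
        if category == "fee":
            note = "bounded by require()" if "require(" in body else "no upper bound in setter"
        if category is None:
            continue
        if guard == "NONE" and ("external" in mods or "public" in mods):
            note = (note + "; " if note else "") + "callable by anyone"
        findings.append(Finding(category, name, guard, note))
    return findings


def owner_powers(findings: list) -> list:
    """Categories of power sitting behind a role modifier, i.e. what the owner key can do."""
    return sorted({f.category for f in findings if f.guard != "NONE"})


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"[{f.category:9}] {f.function:12} guard={f.guard:9} {f.note}")
    print("owner can:", owner_powers(scan_source(SAMPLE_SOURCE)))
```

The airdrop function is the point of the sample: it never says mint, so the keyword search in the Code tab walks past it, yet it inflates supply exactly like a mint would. Whatever the scanner returns, open each flagged function in the Code tab and confirm what it writes.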

Detecting proxy contracts and EIP-1967 storage slots

Many modern tokens are proxy contracts. The address you interact with delegates calls to a separate implementation that an admin can swap. The logic you read today is not guaranteed to be the logic that runs tomorrow.

Etherscan flags this directly. On the Contract tab look for a banner saying This contract is a proxy. Etherscan reads the EIP-1967 storage slot at 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc to find the implementation address.

Why this matters
A proxy can be upgraded. If the upgrade key sits on a single hot wallet, the owner can replace the entire token logic with malicious code after liquidity is added. Always check who controls the proxy admin slot.

When you see a proxy, do two extra things. Read the implementation contract source rather than the proxy itself, since the proxy is mostly delegate logic. Then check the admin slot at 0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103 to identify the upgrade wallet. Renounced or zero-address admin is safest. Multisig is acceptable. A fresh EOA is a yellow flag. For a UUPS proxy the admin slot is usually empty because the upgrade check lives in the implementation itself, so read its _authorizeUpgrade function and treat whoever passes that check, typically the owner, as the upgrade key.
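An added example, not code from the page or from Etherscan, that derives the two EIP-1967 slots from their labels, builds the eth_getStorageAt request a node answers, and turns the returned 32-byte word into the implementation or admin address. Keccak-256 is implemented inline because hashlib.sha3_256 uses NIST padding and gives a different digest. The proxy address and storage word are constructed, and the admin classification assumes you have also fetched eth_getCode for the admin address ("0x" means no code, so an EOA). The same block covers the FAQ entry on EIP-1967 slots further down.

```python
import json

# Keccak-256 with the original Keccak padding Ethereum uses (hashlib.sha3_256 differs).
_RC = [
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]
_ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
        [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]
_MASK = (1 << 64) - 1


def _rol(v: int, n: int) -> int:
    return ((v << n) | (v >> (64 - n))) & _MASK if n else v


def _keccak_f(s: list) -> list:
    """Keccak-f[1600] on 25 little-endian 64-bit lanes, lane index = x + 5*y."""
    for rc in _RC:
        c = [s[x] ^ s[x + 5] ^ s[x + 10] ^ s[x + 15] ^ s[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        s = [s[i] ^ d[i % 5] for i in range(25)]
        b = [0] * 25
        for x in range(5):
            for y in range(5):
                b[y + 5 * ((2 * x + 3 * y) % 5)] = _rol(s[x + 5 * y], _ROT[x][y])
        s = [b[i] ^ (~b[(i % 5 + 1) % 5 + 5 * (i // 5)] & b[(i % 5 + 2) % 5 + 5 * (i // 5)])
             for i in range(25)]
        s[0] ^= rc
    return s


def keccak256(data: bytes) -> bytes:
    rate = 136
    padded = bytearray(data) + b"\x01"
    padded += b"\x00" * (-len(padded) % rate)
    padded[-1] |= 0x80
    state = [0] * 25
    for off in range(0, len(padded), rate):
        for i in range(rate // 8):
            state[i] ^= int.from_bytes(padded[off + 8 * i:off + 8 * i + 8], "little")
        state = _keccak_f(state)
    return b"".join(state[i].to_bytes(8, "little") for i in range(4))


def eip1967_slot(label: str) -> bytes:
    """EIP-1967 slot = keccak256(label) - 1, so no compiler-assigned variable collides with it."""
    return (int.from_bytes(keccak256(label.encode()), "big") - 1).to_bytes(32, "big")


IMPLEMENTATION_SLOT = eip1967_slot("eip1967.proxy.implementation")
ADMIN_SLOT = eip1967_slot("eip1967.proxy.admin")
ZERO_ADDRESS = "0x" + "00" * 20


def storage_request(contract: str, slot: bytes, rid: int = 1) -> dict:
    """JSON-RPC eth_getStorageAt body; json.dumps it and POST to an Ethereum or BNB Chain node."""
    return {"jsonrpc": "2.0", "id": rid, "method": "eth_getStorageAt",
            "params": [contract, "0x" + slot.hex(), "latest"]}


def address_from_word(word: str) -> str:
    """A storage word is 32 bytes; an address occupies its low-order 20 bytes."""
    raw = bytes.fromhex(word.removeprefix("0x"))
    if len(raw) != 32:
        raise ValueError("expected a 32-byte storage word")
    return "0x" + raw[12:].hex()


def classify_admin(admin: str, admin_code: str) -> str:
    """admin_code is the eth_getCode result for the admin address ('0x' = no code = EOA)."""
    if admin == ZERO_ADDRESS:
        return "renounced: nobody can upgrade this proxy"
    if admin_code.removeprefix("0x") == "":
        return "EOA: a single key can replace the token logic"
    return "contract: ProxyAdmin, multisig or timelock; check who controls it"


# Constructed proxy address and node reply, stand-ins for real explorer data.
SAMPLE_PROXY = "0x" + "cc" * 20
SAMPLE_IMPL_WORD = "0x" + "00" * 12 + "11" * 20

if __name__ == "__main__":
    print("implementation slot:", "0x" + IMPLEMENTATION_SLOT.hex())
    print("admin slot:         ", "0x" + ADMIN_SLOT.hex())
    print(json.dumps(storage_request(SAMPLE_PROXY, IMPLEMENTATION_SLOT)))
    print("implementation:", address_from_word(SAMPLE_IMPL_WORD))
    print("admin:", classify_admin(ZERO_ADDRESS, "0x"))
```

Run the two requests yourself against any public RPC endpoint and compare with the explorer banner; if the implementation address you get back differs from the one the explorer shows, the explorer's cache is stale and the proxy has been upgraded since it last looked.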

Our proxy contract guide covers transparent versus UUPS proxies in depth.

BscScan workflow: similar surface, busier environment

BscScan mirrors Etherscan because both are built by the same team. Contract tab, Read and Write sub-tabs, the green check and the proxy detector all behave the same way. The chain is different; the verification workflow is identical.

What changes on BNB Chain is the environment. Listings are faster, copy-cat tokens are more common, and a larger share of contracts are low-effort clones. Expect to walk away from more BscScan checks than Etherscan checks. The bar is the same; the hit rate is different.

Step | Etherscan | BscScan
Search address | etherscan.io | bscscan.com
Verified flag | Green check on Contract tab | Green check on Contract tab
Proxy detection | EIP-1967 banner | EIP-1967 banner
Read functions | Read Contract tab | Read Contract tab
Holder concentration | Top 100 holders view | Top 100 holders view

If you already use Etherscan confidently, BscScan is the same playbook. Our BscScan tutorial covers the BNB Chain specifics including BEP-20 quirks and the most common copy-cat traps.

Solscan and Solana contract verification: a different paradigm

Solana does not use Solidity, and a program holds no state of its own. Programs compile to BPF bytecode, and a token's supply, authorities and balances live in accounts owned by the SPL Token Program: one mint account per token, plus a token account per holder. That changes what verification means on Solscan.

You cannot read Solidity source because there is none, and the rules that matter for a token are not in per-token code anyway; they are fields on its mint account. Instead you check three things: is the program upgradeable and who controls upgrades, what is the mint authority on the token's mint account, and does a freeze authority still exist.

Mint authority
Should be null after launch. If it still points to a wallet, supply can grow.
Freeze authority
Should be null. If set, any holder balance can be frozen by that wallet.
Update authority
Metadata can be rewritten by this wallet. Renounced is the safe state.
Top holders
Discount LP pools and CEX wallets. What remains is your real distribution.

Solscan exposes all four on the token page. Null across the authority fields plus healthy distribution means the token is structurally safer. Any authority still active on a memecoin without justification is a question worth answering before sizing up.
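An added example, not code from the page, from Solscan or from the SPL Token program, that reads the same two authority fields Solscan's Authorities panel shows by parsing the raw 82-byte SPL Token Mint account as returned by getAccountInfo with base64 encoding. The mint bytes and the RPC reply below are constructed; the layout (COption<Pubkey> mint authority, u64 supply, u8 decimals, u8 initialized flag, COption<Pubkey> freeze authority) is the classic SPL Token layout. Token-2022 mints have a different owner program and append extensions such as transfer hooks and a permanent delegate after byte 82, which this parser deliberately rejects rather than silently skips.

```python
import base64
import struct

# Program id of the classic SPL Token program. Token-2022 mints are owned by a different
# program and carry extensions after the base layout; they are refused here on purpose.
TOKEN_PROGRAM_ID = "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA"
# Mint layout: COption<Pubkey> mint_authority | u64 supply | u8 decimals | u8 is_initialized
#              | COption<Pubkey> freeze_authority   (36 + 8 + 1 + 1 + 36 = 82 bytes)
MINT_LEN = 82
_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(raw: bytes) -> str:
    """Base58 with the Bitcoin alphabet, the form Solana prints public keys in."""
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = _B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out


def _coption_pubkey(buf: bytes, off: int):
    """COption<Pubkey>: u32 little-endian tag (0 = None, 1 = Some) then 32 key bytes."""
    tag = struct.unpack_from("<I", buf, off)[0]
    if tag == 0:
        return None
    if tag == 1:
        return b58encode(buf[off + 4:off + 36])
    raise ValueError(f"bad COption tag {tag} at offset {off}")


def parse_mint(data: bytes) -> dict:
    if len(data) < MINT_LEN:
        raise ValueError("too short to be a Mint account")
    supply, decimals, initialized = struct.unpack_from("<QBB", data, 36)
    if initialized != 1:
        raise ValueError("mint account is not initialized")
    return {
        "mint_authority": _coption_pubkey(data, 0),
        "supply": supply,
        "decimals": decimals,
        "freeze_authority": _coption_pubkey(data, 46),
    }


def parse_mint_from_rpc(value: dict) -> dict:
    """value = the 'value' object of getAccountInfo(mint, {"encoding": "base64"})."""
    if value["owner"] != TOKEN_PROGRAM_ID:
        raise ValueError("not owned by the classic SPL Token program (Token-2022 or not a mint)")
    return parse_mint(base64.b64decode(value["data"][0]))


def assess(mint: dict) -> list:
    flags = []
    if mint["mint_authority"] is not None:
        flags.append("mint authority still set: supply can grow")
    if mint["freeze_authority"] is not None:
        flags.append("freeze authority still set: any holder balance can be frozen")
    return flags


# Constructed mint: authority revoked, 1,000,000 tokens at 6 decimals, freeze authority live.
SAMPLE_MINT = (
    struct.pack("<I", 0) + bytes(32)
    + struct.pack("<QBB", 1_000_000_000_000, 6, 1)
    + struct.pack("<I", 1) + bytes(range(1, 33))
)
SAMPLE_RPC_VALUE = {
    "owner": TOKEN_PROGRAM_ID,
    "data": [base64.b64encode(SAMPLE_MINT).decode(), "base64"],
}

if __name__ == "__main__":
    mint = parse_mint_from_rpc(SAMPLE_RPC_VALUE)
    print(mint)
    print(assess(mint) or ["no active authorities"])
```

Null mint authority with a live freeze authority, as in the sample, is the case the panel makes easy to skim past: supply cannot grow, but the key can still freeze any seller's token account, which is a honeypot in everything but name.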

Common red flags: hidden mint, blacklists and transfer fees

Most rugs do not require new exploits. They reuse the same patterns. Recognizing them on the explorer is most of the defense.

Red flag | Where to look | What it lets the owner do
Hidden mint | Code tab, search mint or _mint | Print more supply and dump on holders
Adjustable fees | Write Contract, setFee functions | Push sell fee to 99% so nobody can exit
Blacklist | Write Contract, blacklist or setBlocked | Freeze specific wallets from transferring
Active proxy admin | Etherscan proxy banner | Replace contract logic after liquidity adds
Single-owner LP | LP token holders page | Pull liquidity in one transaction
Active mint authority on Solana | Solscan Authorities section | Mint new tokens at any time

A single red flag is not always disqualifying. A combination usually is. Active mint plus adjustable fees plus a fresh EOA owner is the classic honeypot setup.

Tools that automate the checks: TokenSniffer, GoPlus, DEXTools audit

Manual explorer reading is the gold standard. Automated tools are the fast filter that flag obvious problems before you spend time on a contract.

TokenSniffer
Runs a static analysis on the source and gives a 0-100 score. Best for catching templated scam tokens that copy known malicious patterns. See our TokenSniffer guide for how to read the score correctly.
GoPlus
API-based risk scanner used by many wallets and aggregators. Flags honeypots, blacklist functions, transfer pause and mint authority across multiple chains.
RugCheck
Solana-focused, surfaces mint and freeze authority status plus LP concentration. Pair it with our RugCheck tutorial for memecoin trading.
DEXTools audit
Embedded directly into the pair page. Shows verification status, ownership, sellability simulation and liquidity lock status without leaving the chart.

Fastest workflow: start with DEXTools audit on the pair, escalate to the explorer if anything is yellow, cross-check with TokenSniffer or RugCheck. Three signals from three sources is enough to act.

Step-by-step walkthrough: verifying a token in five minutes

Exact sequence before any new-token swap.

Minute 1
Confirm the contract address
Get the address from the official source, paste into the explorer, confirm it matches what DEXTools shows on the pair page. Mismatches end the process here.
Minute 2
Check verification and proxy status
Look for the green check on Etherscan, BscScan or the Authorities panel on Solscan. If proxy, note the implementation address and admin wallet.
Minute 3
Search the source for five keywords
mint, fee, blacklist, pause and onlyOwner. Note who controls each. If ownership is renounced and the contract is not a proxy, most of these are moot; a renounced owner behind a proxy with a live admin slot is not renounced at all.
Minute 4
Run an automated audit
Open the DEXTools audit panel on the pair plus a second source like GoPlus, TokenSniffer or RugCheck. Two clean signals beats one.
Minute 5
Inspect holders and liquidity
Check top holder concentration, LP token holder distribution and whether liquidity is locked or burned. Concentration above 20% in a non-LP wallet is a meaningful risk.

If every step passes you have not proved the token is safe; you have proved it is not obviously rigged, which is a higher bar than most traders clear before clicking swap. Pair this with our wallet security checklist to remove most loss vectors.

After the trade: revoke approvals and watch for upgrades

Verification at entry is half the job. After you trade you usually leave a token approval behind: standing permission for a spender contract, typically the DEX router, to move that token out of your wallet. If the spender is a proxy whose logic is later replaced with malicious code, or the approval was unlimited and the spender turns out to be a drainer, funds can leave without any new signature from you.

Approval hygiene is part of the workflow. Our revoke token approvals tutorial covers tools and cadence. Pair with MEV protection for volatile-token sizing.
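Decoding what an approval transaction actually grants, and building the revoke, as an added example that is not code from the page or from any revoke tool. It parses the calldata of an ERC-20 approve(address,uint256) call the way a wallet's "view data" screen shows it, flags the unlimited (2^256 - 1) allowance that most DEX front ends request by default, and produces the approve(spender, 0) call that revokes it. The router address is constructed; the 0x095ea7b3 selector is the standard one for approve(address,uint256).

```python
# 4-byte selector of approve(address,uint256), followed by two 32-byte ABI words.
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")
MAX_UINT256 = (1 << 256) - 1


def decode_approve(calldata: str) -> dict:
    """Return spender and amount from approve calldata, and whether it is an unlimited allowance."""
    raw = bytes.fromhex(calldata.removeprefix("0x"))
    if len(raw) != 68 or raw[:4] != APPROVE_SELECTOR:
        raise ValueError("not an approve(address,uint256) call")
    spender = "0x" + raw[16:36].hex()           # address = low 20 bytes of word 1
    amount = int.from_bytes(raw[36:68], "big")  # uint256 = word 2
    return {"spender": spender, "amount": amount, "unlimited": amount == MAX_UINT256}


def encode_approve(spender: str, amount: int) -> str:
    addr = bytes.fromhex(spender.removeprefix("0x"))
    if len(addr) != 20 or not 0 <= amount <= MAX_UINT256:
        raise ValueError("bad spender address or amount")
    return "0x" + (APPROVE_SELECTOR + addr.rjust(32, b"\x00") + amount.to_bytes(32, "big")).hex()


def revoke_calldata(spender: str) -> str:
    """approve(spender, 0): the transaction a revoke tool sends for an ERC-20 allowance."""
    return encode_approve(spender, 0)


def review(calldata: str) -> str:
    """One-line verdict to read before signing."""
    d = decode_approve(calldata)
    if d["unlimited"]:
        return f"UNLIMITED approval to {d['spender']}: standing permission to move every unit you ever hold"
    return f"approval of {d['amount']} raw units to {d['spender']}"


# Constructed spender address standing in for a DEX router.
ROUTER = "0x" + "ab" * 20

if __name__ == "__main__":
    unlimited = encode_approve(ROUTER, MAX_UINT256)
    print(review(unlimited))
    print(review(encode_approve(ROUTER, 1_000 * 10**18)))
    print("revoke:", revoke_calldata(ROUTER))
```

The practical habit this supports: approve the exact amount of the swap rather than the default unlimited value, and send the zero-amount approve once the position is closed so a later upgrade of the spender has nothing left to draw on.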

FAQ

What does a verified contract on Etherscan really prove?

Verification proves the deployed bytecode matches the Solidity source the deployer published. It does not prove the code is fair, safe or aligned with the project's marketing. You still have to read the source for risky functions.

Can a verified contract still be a scam?

Yes, easily. Many honeypots are verified because the deployer wants the green check for credibility. The malicious behavior is written transparently into functions like setFee or pauseTransfers and controlled by the owner.

What is a proxy contract and why does it matter?

A proxy delegates calls to a separate implementation contract that an admin can swap. If the admin is a single wallet, the entire token logic can be replaced after launch. Always check the admin slot and prefer multisig or renounced admins.

How is Solscan different from Etherscan?

Solana programs are compiled BPF rather than Solidity, and an SPL token's supply rules are fields on its mint account rather than custom per-token code, so the Etherscan habit of reading a token's source does not carry over. Solscan focuses on authority status, holder distribution and program upgradeability instead of source verification.

What are EIP-1967 storage slots?

They are standardized slot addresses where proxies store the implementation and admin pointers, chosen as keccak256 of a label minus one so that no compiler-assigned storage variable or mapping lands on them by accident. Etherscan reads slot 0x36089...d382bbc (keccak256("eip1967.proxy.implementation") - 1) for the implementation and 0xb53127...0b5d6103 (keccak256("eip1967.proxy.admin") - 1) for the admin to display proxy info.

Should I avoid all tokens with an active mint function?

Not automatically. Stablecoins, governance tokens and staking rewards legitimately need mint. The question is who controls it and whether the project's design justifies keeping that power active.

What is a honeypot?

A token that you can buy but cannot sell. The block on selling is usually implemented through transfer fees set near 100%, a blacklist that targets sellers, or a transfer hook that reverts. Sellability simulations catch most of these.

Does renounced ownership make a contract safe?

It removes one class of risk but does not eliminate proxies, immutable fees or pre-funded wallets. Renouncement is positive but you still need to read the code that runs when nobody controls it.

How do I check if liquidity is locked?

On Etherscan or BscScan open the LP token page and look at top holders. Locked liquidity sits in a known locker contract such as Unicrypt or Team.Finance. Burned liquidity sits at the zero address.

Why does DEXTools show an audit panel?

To surface the most common verification checks without leaving the chart. It pulls contract verification, ownership, sellability, fee taxes and liquidity lock status so traders can size positions with that information already loaded.

Can I trust automated scanners alone?

For small positions and well-known tokens, yes. For new launches and meaningful size, no. Scanners catch templates and obvious patterns. Custom-built scams that pass templates require human inspection of the source.

What is the single most important check?

Verified source plus a clean ownership pattern. If those two are missing, nothing else matters. If both are present, the rest of the checks are about pricing residual risk rather than asking whether to engage at all.
