Other scanners read the code.
We read the code and the people.

Paste a Base token. We check what the contract can do (mint, blacklist, pause, upgrade), then check who holds the keys, scored on the Crest settlement graph. The same powers are safe under a trusted issuer and a rug under an anonymous drained wallet.

Why two numbers

Attack surface
What the contract is technically able to do to you: mint infinite supply, blacklist your wallet, pause transfers, upgrade its own code. Read straight from the bytecode, proxy implementations included.
Controller trust
Who can actually pull those levers: ownership renounced, an established issuer, a multisig, or a single anonymous EOA, scored by the same engine that rates whether an agent will pay or drain.
The verdict
Risk is attack surface gated by controller trust. USDC can mint, freeze, and pause, and is low risk because Circle controls it. Identical powers under a drained anonymous wallet are critical. The code alone cannot tell you that.

Token risk is the highest-call-volume category in the x402 agent economy: 46,580 paid calls across 977 services, on the day measured (Crest settlement-graph analysis, 2026-06-23).

Token risk is the highest-volume category in the x402 agent economy, and every scanner reads the same contract. The contract is only half the answer. Crest is the only one that also reads the wallet behind the token, on the settlement graph that scores who pays and who drains. We snapshot every scan so the model can be calibrated against measured outcomes. It is a structural and provenance signal, not a guaranteed honeypot detector, and not financial advice.

Questions agents ask

How do I check if a Base token is a rug or honeypot?
Scan the token contract for dangerous powers (mint, blacklist, pause, and upgradeability), then check who controls them. Crest does both in one call: the contract's attack surface and the settlement-graph reputation of the controlling wallet. Free at crestsystems.ai/token.
Can a token with mint or blacklist functions still be safe?
Yes. USDC can mint, freeze, and pause, and reads as low risk because an established issuer controls it. The identical powers under an anonymous, drained wallet read as critical. Risk is the contract's powers gated by who holds the keys.
What is the most common token rug setup?
An anonymous owner that retains mint or upgrade control. Renounced ownership or a multisig lowers risk; a single anonymous, drained EOA with mint power is the classic rug setup that code-only scanners miss.