How to Run an Audit
1
Navigate to a token page or paste a contract address
Search for any token by name, ticker, or contract address using the SURCHI search bar. You can also paste a raw contract address directly into the address bar on surchi.xyz to jump straight to the token’s profile page.
2
Click the AI Audit tab
On the token profile page, select the AI Audit tab in the navigation strip. SURCHI will immediately begin fetching on-chain data and running all audit checks in parallel. Most audits complete within 5–10 seconds.
3
Review the risk score and detailed findings
Once the audit is complete, you’ll see the overall risk score at the top, followed by a breakdown of every individual check. Each check is marked as passed, flagged, or a warning, with a brief explanation of what was found.
4
Download the PDF audit report if needed
If you need a shareable or archivable copy of the findings — for your own records, a DAO vote, or due diligence — click Export PDF to download a fully formatted audit report containing all checks, scores, and the AI summary.
Risk Score
Every contract receives a composite risk score from 0 to 100, calculated by weighting the severity and number of issues found across all audit checks. A lower score means fewer and less severe issues; a higher score means you should proceed with serious caution or avoid the token entirely.
The score is recomputed each time you load the audit tab, so it always reflects the latest on-chain state of the contract.
Audit Checks
Ownership Detection
Ownership Detection
SURCHI checks whether the contract’s ownership has been renounced or transferred to a burn address. A contract with an active owner can have its configuration changed at any time by that owner — including altering fees, pausing transfers, or draining funds. If ownership is still held by a known deployer wallet or a multi-sig you can’t verify, the audit flags this for your review. Renounced ownership is generally considered a positive signal, though it doesn’t eliminate all risks on its own.
Upgradeable Contracts
Upgradeable Contracts
Some contracts — particularly on EVM chains using proxy patterns like OpenZeppelin’s Transparent or UUPS proxies — can have their underlying logic replaced after deployment. This means a contract that looks safe today could silently become malicious tomorrow. SURCHI detects proxy patterns, identifies the upgrade admin, and flags whether the upgrade mechanism is protected by a time-lock or multi-sig. Unprotected upgradeability is treated as a high-severity finding.
Liquidity Lock
Liquidity Lock
A locked liquidity pool means the LP tokens representing the DEX liquidity have been deposited into a time-lock smart contract and cannot be withdrawn until the lock expires. SURCHI verifies whether liquidity is locked, identifies the locking protocol used (e.g., Team Finance, Unicrypt, Raydium locker), and surfaces the unlock date. Unlocked liquidity means the deployer can remove all funds from the pool at any time — a classic rug-pull vector.
Liquidity Burn
Liquidity Burn
Burning LP tokens is a stronger commitment than locking them — burned LP is permanently removed from circulation and can never be redeemed. SURCHI checks whether the LP token balance for the primary pool has been sent to a known burn address. A fully burned LP pool means rug-pulling the liquidity is technically impossible, which is considered the gold standard for liquidity safety.
Developer Wallet
Developer Wallet
SURCHI analyzes the deployer wallet’s on-chain history and current holdings. Key signals include: what percentage of the total supply the deployer wallet holds, whether the deployer has previously deployed failed or rugged projects, whether the deployer has been selling while marketing the token, and whether the deployer wallet is linked to known scam addresses. Large deployer holdings combined with no lock and no renouncement is a textbook pre-rug setup.
Top Holders & Whale Detection
Top Holders & Whale Detection
High concentration among a small number of wallets creates extreme sell-side risk — if the top holders dump simultaneously, the price collapses instantly. SURCHI retrieves the top 10 and top 20 holder percentages from on-chain data and flags tokens where the top 10 wallets control more than 30% of the circulating supply (excluding locked and burn addresses). The audit also cross-references top holders against known whale, insider, and exchange wallets.
Honeypot Detection
Honeypot Detection
A honeypot is a contract designed so that you can buy the token but cannot sell it — your funds are permanently trapped. Honeypots are implemented through hidden transfer restrictions, blacklists, or tax manipulation in the contract logic. SURCHI simulates a buy and a sell transaction against the contract and checks whether the sell succeeds, what tax is applied, and whether the tax can be changed dynamically. A failed simulated sell is an immediate critical-risk flag.
Scam Pattern Detection
Scam Pattern Detection
Beyond individual checks, SURCHI’s AI model scans for known scam signatures: copy-paste contract code from previous rug pulls, suspicious variable names, obfuscated logic, hidden fee switches, blacklist functions disguised under innocent names, and deployer addresses linked to previously flagged contracts. Pattern matching against SURCHI’s continuously updated scam database catches threats that individual rule-based checks might miss.
AI Summary
After all individual checks are complete, SURCHI’s AI generates a plain-English summary of the full audit — no jargon, no raw hex, no head-scratching. The summary explains what was found, why it matters for your specific situation, and what questions you should be asking before investing. It ties together the individual findings into a coherent risk narrative so you can quickly communicate the risks to others or make a fast decision under time pressure. The AI summary is regenerated dynamically each time the audit runs, so it always reflects the current on-chain state of the contract rather than a cached snapshot.Audit Report & PDF Export
The full audit report includes:- Token metadata — name, symbol, contract address, network, deployer address, creation date
- Risk score — the composite 0–100 score with score breakdown by category
- Individual check results — pass/warn/fail status and explanation for every check
- AI summary — the plain-English narrative of all findings
- On-chain evidence — links to relevant transactions, holder lists, and pool data on the block explorer
- Timestamp — the exact time the audit was run, for record-keeping
Risk Indicators
At a glance, every check is marked with one of four visual indicators:🔴 Red Flag
A critical issue that significantly increases the probability of loss. Red flags indicate contract behavior that is directly associated with scams, rug pulls, or irreversible fund loss. You should not interact with a token that has unresolved red flags.
🟡 Yellow Warning
A potentially risky condition that warrants further investigation. Yellow warnings don’t automatically mean the token is a scam, but they indicate that something unusual is present and you should understand it before investing.
🟢 Green Pass
The check completed successfully and no issues were found. A green pass means this specific risk vector is either not present or has been appropriately mitigated by the project team.
🔵 Blue Info
Informational data that provides context without indicating a specific risk. Blue info items help you understand the contract’s design and configuration, even when there’s nothing explicitly alarming.