Implementing AI Detection of Rug Pull / Scam Tokens in a Mobile App
A DeFi wallet without scam protection is an app helping users lose money more conveniently. Rug pull, honeypot, mint backdoor—these attacks happen not because users are stupid, but because on-chain scam token patterns aren't obvious without automated analysis. Task: embed a detector in the mobile app that warns before transaction.
What the AI Model Detects and Signal Sources
Scam tokens have characteristic on-chain and bytecode patterns. Signals are divided into three levels:
Bytecode analysis of smart contract. Honeypot—classic: buy function works, sell function always reverts (revert). Visible in bytecode as asymmetry in transfer/transferFrom branching. Mint backdoor—hidden function with onlyOwner modifier allowing new token emission and supply dilution. Renounced ownership without liquidity lock—common rug pattern: owner burns keys, but liquidity unfrozen.
On-chain metrics. Holder concentration: if top-10 addresses hold >60% supply with market cap <$1M—red flag. Liquidity lock: via Unicrypt or Team.Finance you can check if liquidity is locked and for how long. Contract age and transaction count: contract older than 3 days with >500 transactions is statistically lower risk.
Social signals. Telegram with inflated members, Twitter without organic activity, mismatch between holder count and social media activity. Weak signal alone, but combined with on-chain metrics increases accuracy.
Detector Architecture
Classifier runs on server—on-device ML here is impractical: inference data comes from blockchain RPC and external APIs that mobile client can't cache locally.
Server pipeline:
Contract address
→ Bytecode via eth_getCode (RPC)
→ Disassembly (evm-disasm / whatsabi)
→ Feature extraction (function selectors, transfer patterns, owner checks)
→ On-chain metrics (holders, liquidity lock, age) via Etherscan/Dexscreener API
→ ML classifier (gradient boosting / XGBoost) → risk_score [0.0 – 1.0]
→ Risk label: LOW / MEDIUM / HIGH / CRITICAL
XGBoost shows good results on tabular features without retraining when updating—just fine-tune on new scam examples. Precision ~91%, recall ~88% on ~120,000 token dataset (from public GoPlus Security, Token Sniffer bases).
Alternative—GNN (Graph Neural Network) on transaction graph: detects wash trading and coordinated pump-and-dump via connected components analysis. More expensive to train and deploy, but more accurate for complex schemes.
Mobile Client: Integration Without Blocking UX
User enters token address or scans QR—app must warn before they tap "Confirm".
// Android: Coroutines + Retrofit
viewModelScope.launch {
val result = tokenRiskRepository.analyze(contractAddress)
when (result.riskLabel) {
RiskLabel.CRITICAL -> showBlockingWarning(result)
RiskLabel.HIGH -> showWarningDialog(result)
RiskLabel.MEDIUM -> showInlineWarning(result)
RiskLabel.LOW -> proceed()
}
}
Critically important: CRITICAL and HIGH—show warning with specific reasons ("Sell function blocked in contract", "Liquidity not locked"), not just "This is a scam". User must understand why. UX antipattern—blocking dialog on every token: wolf crying effect reduces trust in warnings.
Caching and Offline Mode
Cache risk score for 15 minutes on client and 1 hour on server—contract doesn't change that fast. Cache key—contractAddress + chainId. Offline mode shows last cached score with timestamp. If no cache—warn user that check unavailable.
On iOS: URLCache with diskCapacity: 50 * 1024 * 1024. On Android: OkHttp CacheInterceptor with same logic. This reduces API requests and latency on repeat visits.
Multi-Network Support
EVM-compatible networks (Ethereum, BSC, Polygon, Arbitrum, Base)—same bytecode analyzer. Only RPC endpoints and holder retrieval methods differ. Solana—different VM (SBF), needs separate SPL-token account parser via @solana/web3.js / Helius API. TON (Tact/FunC)—own architecture, fewer ready detectors.
Implementation Stages
Define supported networks → collect scam token dataset → feature engineering + classifier training → server deploy → mobile integration (API client + cache + warning UI) → A/B test with users → monitor precision/recall in production → fine-tune on new scams.
Timeline: integrate ready-made API (GoPlus Security, Token Sniffer) into mobile client—2–3 weeks. Own detector with training and server deploy—6–10 weeks. Cost is calculated individually.