Skip to main content
Anyone can deploy a token in minutes, and a large share of new tokens are built to take your users’ money: contracts you can buy but never sell, hidden mint functions that dilute holders to zero, blacklists that freeze wallets, or “upgradeable” logic whose rules change after people ape in. The CoinStats token security API (the Token Risks endpoint) screens a token’s smart contract before a user buys or a bot routes into it. You get an overall risk score plus a severity-ranked list of findings, each with a plain-English explanation you can show directly in your UI.
Endpoint: GET /token-risks · 5000 credits per request · X-API-KEY auth. See the API reference for the full schema.

What “token risk” means

A token risk is a property of the contract that lets the deployer (or the code itself) harm holders — by seizing funds, blocking trades, silently changing balances, or changing the rules later. These are logic-level problems, not price or market problems: a token can have great volume and still be a honeypot.

Risk categories

Every finding comes back with a title, a severity, a value ("true" = the risk is present), a plain-English note, and a technical description. The main categories:
The deployer keeps privileged control over the token or its funds.
  • Centralized MintDev can print new tokens anytime (dilutes holders to zero).
  • Centralized BurnDev can delete your tokens.
  • Balance ManipulationDev can secretly change your balance.
  • Unauthorized Token ApprovalsDev can spend your tokens without asking.
  • Asset WithdrawalDev can drain the contract’s tokens.
  • ETH Balance SweepDev can drain the contract’s ETH.
The contract can stop specific users (or everyone) from selling.
  • BlacklistDev can block certain wallets from trading.
  • WhitelistOnly approved wallets can trade.
  • Blockable TransferDev can stop you from sending tokens.
  • PausableDev has a freeze button for all trades.
  • Cooldown checksYou need to wait before sending again.
What you send isn’t what arrives, or transfers aren’t recorded faithfully.
  • Hidden feesSurprise taxes on every move.
  • Basic Transfer FeeHidden fee on each transfer.
  • Transfer event amount mismatchWhat you see isn’t what was sent.
  • No Transfer event emittedTransfers happen without any record (breaks explorers/indexers).
  • Approval event not emittedApprovals happen invisibly.
The contract can change after you buy, or is deliberately hard to verify.
  • Proxy (Upgradeable) / UpgradeableRules can change after you buy / code can be swapped anytime.
  • SelfdestructToken can delete itself and your money.
  • External call in transferHidden code executes during transfers.
  • Assembly usage in transferCode is complex and hard to verify.
  • Not fully ERC20 compliantToken doesn’t follow standard token rules.

How it works

Token Risks is powered by Hexens and its Glider engine. Instead of pattern-matching bytecode, Glider reasons over the contract’s functions, execution paths, and dependencies to find logic-level threats. CoinStats then shapes the result into a stable response:
  • score — overall risk, 0–100. Higher means riskier.
  • results[] — individual findings, each with severity (criticalhighmediumlowminor), a plain-English note, and a technical description.
  • marketEndorsed — whether the token is endorsed by market consensus.
  • ownershipRenounced — whether contract ownership has been renounced (no owner = many owner-powers can’t be used).
Coverage spans EVM chains — Ethereum, BNB Chain, Polygon, Base, Arbitrum, Optimism, Avalanche, and more. Non-EVM tokens (e.g. Bitcoin) or contracts not yet indexed return an empty results list.

Why it’s better than the alternatives

Most token scanners are heuristic flag-lists: they miss logic-level scams or bury you in false positives. Per the Glider benchmark, Glider caught every critical threat with no false positives, while competing tools missed between 40% and 75% of the same risks. And because Token Risks runs on the same platform as prices, wallets, and portfolios, it’s one API key and one integration — no separate security vendor to bolt on, and the same data that powers risk warnings for 1M+ CoinStats users.

Using the API

Query by CoinStats coinId or a raw contractAddress + chain pair. Optional sortBy=severity orders findings critical → minor. 
# By CoinStats coin id
curl "https://openapiv1.coinstats.app/token-risks?coinId=shiba-inu&sortBy=severity" \
  -H "X-API-KEY: YOUR_API_KEY"

# By contract address + chain
curl "https://openapiv1.coinstats.app/token-risks?contractAddress=0xdac17f958d2ee523a2206206994597c13d831ec7&chain=ethereum" \
  -H "X-API-KEY: YOUR_API_KEY"
Example response (abridged): 
{
  "score": 80,
  "marketEndorsed": true,
  "ownershipRenounced": false,
  "risksProviderUrl": "https://hexens.io/blog/glider-api-new-benchmark-in-smart-contract-security",
  "results": [
    {
      "key": "risk_blockable_transfer",
      "value": "true",
      "title": "Blockable Transfer",
      "subtitle": "Transfers can be blocked for specific senders using various checks",
      "note": "Dev can stop you from sending tokens",
      "description": "The token's transfer logic includes pausing / cooldown / large-amount checks that can freeze certain holders.",
      "severity": "medium"
    }
  ],
  "learnMoreUrl": "https://coinstats.app/blog/risks/"
}
value uses the strings "true" / "false" (Hexens wire format). "true" means the risk is present. A 200 with an empty results array means no risk data is available for that token (non-EVM or not yet indexed) — not “safe”.

Token Risks API Reference

Full request/response schema, parameters, and try-it console.

How CoinStats scores token risk

The Hexens Glider approach and the benchmark behind it.