Token Security Scan for ERC-20 projects

Fast, evidence-based screening for token contracts on testnet and mainnet. We combine deterministic on-chain data, automated analysis, and AI-assisted reporting to highlight technical, ownership, liquidity, and transparency risks, without turning the report into investment advice.

Free during beta. Mainnet and testnet pricing starts after the beta period.
This is not a MiCA legal opinion, not a full security audit, and not a recommendation to buy, sell, hold, invest, list, integrate, or participate. It is a structured technical and on-chain risk-screening report based on public evidence available at scan time.
Tokens fail in more ways than source code alone can show

A token contract may look simple, but the real risk picture is broader: source verification, proxy setup, owner privileges, role changes, holder concentration, deployer history, liquidity context, and fund flows all matter.

xcactus Scan is designed as a practical first-pass screening layer. It helps teams, partners, and analysts understand what is publicly visible on-chain before deeper due diligence or a full manual audit.

What the scan checks

Contract and source evidence

We check whether public evidence shows source-code availability, source/deployment matching, proxy patterns, and implementation metadata where available.

  • Source verification status
  • Contract inventory
  • Proxy and implementation analysis
  • Compiler and metadata visibility
  • Static-analysis findings where source code is available

Ownership and privileged control

We check whether public evidence shows owner/admin patterns, privileged roles, and observable role changes that may allow minting, pausing, blacklisting, upgrading, or otherwise affecting token behavior.

  • Ownership and admin detection
  • AccessControl role discovery
  • Role event reconstruction
  • Privileged function indicators
  • Upgrade and admin risk context
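The role-event reconstruction listed above can be shown concretely. The following is an added example, not xcactus Scan's own code: it replays decoded RoleGranted and RoleRevoked events of an OpenZeppelin-style AccessControl contract in chain order, derives the current members of each role, records revokes that have no matching grant in the scanned range as an evidence gap, and turns the result into warning/informational observations. The log entries, addresses and role hashes are constructed sample data (the role hash is a placeholder, not keccak256("MINTER_ROLE")); it assumes the events were already decoded into dicts, as web3.py or an explorer API would return them.

```python
"""Reconstruct current AccessControl role membership from decoded event logs.

Added example, not xcactus Scan's code. Assumes RoleGranted/RoleRevoked events
have already been decoded into dicts with event name, role hash, account,
block number and log index (the shape web3.py or an explorer API returns).
"""
from collections import defaultdict

# DEFAULT_ADMIN_ROLE is bytes32(0) in OpenZeppelin AccessControl.
DEFAULT_ADMIN_ROLE = "0x" + "00" * 32

# Constructed placeholders for the example; not real addresses or role hashes.
DEPLOYER = "0x" + "01" * 20
MULTISIG = "0x" + "02" * 20
OTHER = "0x" + "03" * 20
MINTER_ROLE = "0x" + "aa" * 32   # stands in for keccak256("MINTER_ROLE")
PAUSER_ROLE = "0x" + "bb" * 32   # stands in for keccak256("PAUSER_ROLE")

# Constructed sample logs, deliberately not in chain order: the grant to the
# multisig (logIndex 3) precedes the revoke of the deployer (logIndex 4).
SAMPLE_LOGS = [
    {"event": "RoleGranted", "role": DEFAULT_ADMIN_ROLE, "account": DEPLOYER, "block": 100, "logIndex": 0},
    {"event": "RoleGranted", "role": MINTER_ROLE, "account": DEPLOYER, "block": 100, "logIndex": 1},
    {"event": "RoleRevoked", "role": DEFAULT_ADMIN_ROLE, "account": DEPLOYER, "block": 250, "logIndex": 4},
    {"event": "RoleGranted", "role": DEFAULT_ADMIN_ROLE, "account": MULTISIG, "block": 250, "logIndex": 3},
    # A revoke with no grant in range: the scanned log window is incomplete.
    {"event": "RoleRevoked", "role": PAUSER_ROLE, "account": OTHER, "block": 300, "logIndex": 0},
]


def reconstruct_roles(logs):
    """Replay logs in (block, logIndex) order.

    Returns (current_members, gaps): current_members maps role hash to the
    sorted list of accounts holding it; gaps lists revokes that had no
    preceding grant, which means the log range did not start at deployment
    or the provider dropped events.
    """
    members = defaultdict(set)
    gaps = []
    for log in sorted(logs, key=lambda entry: (entry["block"], entry["logIndex"])):
        role = log["role"].lower()
        account = log["account"].lower()
        if log["event"] == "RoleGranted":
            members[role].add(account)
        elif log["event"] == "RoleRevoked":
            if account not in members[role]:
                gaps.append(
                    f"RoleRevoked for {account} on role {role} at block {log['block']} "
                    "has no RoleGranted in the scanned range"
                )
            members[role].discard(account)
    current = {role: sorted(accounts) for role, accounts in members.items() if accounts}
    return current, gaps


def privileged_control_findings(current, deployer):
    """Derive (severity, message) observations from the reconstructed state."""
    findings = []
    deployer = deployer.lower()
    admins = current.get(DEFAULT_ADMIN_ROLE, [])
    if not admins:
        findings.append(("info", "no DEFAULT_ADMIN_ROLE holder observed: roles may be frozen, or logs are incomplete"))
    elif len(admins) == 1:
        findings.append(("warning", f"DEFAULT_ADMIN_ROLE is held by a single account {admins[0]}"))
    for role, accounts in current.items():
        if deployer in accounts:
            findings.append(("warning", f"deployer {deployer} still holds role {role}"))
    return findings


if __name__ == "__main__":
    state, evidence_gaps = reconstruct_roles(SAMPLE_LOGS)
    for role, accounts in state.items():
        print(role, "->", accounts)
    for gap in evidence_gaps:
        print("GAP:", gap)
    for severity, message in privileged_control_findings(state, DEPLOYER):
        print(severity.upper(), message)
```

Sorting by block and log index is the step that matters: processed in delivery order, the sample would wrongly show the deployer still holding DEFAULT_ADMIN_ROLE. The gap entry is the kind of coverage state the report is meant to surface rather than silently ignore.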

Mainnet market evidence

For mainnet scans, we add public market and distribution evidence to show concentration, liquidity context, and visible fund-flow patterns.

  • Holder distribution
  • Top-holder concentration
  • DEX and liquidity discovery
  • Deployer wallet analysis
  • Fund-flow evidence
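As an added example of the holder-distribution and top-holder concentration checks (not xcactus Scan's own code), the block below takes a holder snapshot as an explorer API or indexer would return it (address, raw balance), sets aside burn addresses and a DEX pool the scan has already identified, and reports pool share, top-1 and top-N wallet share of circulating supply and a Herfindahl index. The holder balances, pool address and warning thresholds are constructed for illustration.

```python
"""Top-holder concentration from a holder balance snapshot.

Added example, not xcactus Scan's code. Balances are raw integer token units
(18 decimals in the constructed sample). Burn addresses are excluded from
circulating supply; addresses in known_pools are reported as a separate share
rather than counted as wallets.
"""

DECIMALS = 18
ONE = 10 ** DECIMALS

# Conventional burn addresses: the zero address and the 0x...dEaD sink.
BURN_ADDRESSES = {"0x" + "00" * 20, "0x000000000000000000000000000000000000dead"}

# Constructed placeholders, not real addresses.
POOL = "0x" + "0a" * 20
HOLDER_A = "0x" + "01" * 20
HOLDER_B = "0x" + "02" * 20
SMALL_HOLDERS = ["0x" + f"{i:02x}" * 20 for i in range(3, 7)]

# Constructed snapshot: 1,000,000 tokens total, 100,000 burned.
SAMPLE_HOLDERS = [
    ("0x000000000000000000000000000000000000dead", 100_000 * ONE),
    (POOL, 300_000 * ONE),
    (HOLDER_A, 250_000 * ONE),
    (HOLDER_B, 150_000 * ONE),
] + [(addr, 50_000 * ONE) for addr in SMALL_HOLDERS]

# Illustrative thresholds; a real profile would tune these per network/asset.
TOP1_WARN_PCT = 20.0
TOPN_WARN_PCT = 50.0
HHI_WARN = 2500.0


def concentration_report(holders, known_pools, top_n=10):
    """Return concentration metrics and flags for one holder snapshot."""
    known_pools = {p.lower() for p in known_pools}
    burned, pools, wallets = 0, {}, []
    for address, balance in holders:
        address = address.lower()
        if address in BURN_ADDRESSES:
            burned += balance
        elif address in known_pools:
            pools[address] = pools.get(address, 0) + balance
        else:
            wallets.append((address, balance))

    circulating = sum(balance for _, balance in wallets) + sum(pools.values())
    if circulating == 0:
        return {"error": "no circulating supply observed in snapshot", "flags": []}

    def pct(amount):
        return round(100 * amount / circulating, 2)

    wallets.sort(key=lambda item: item[1], reverse=True)
    top = wallets[:top_n]
    # Herfindahl index over every circulating holder (pools included), 0..10,000.
    hhi = round(sum((balance / circulating) ** 2 for _, balance in wallets + list(pools.items())) * 10_000, 1)

    report = {
        "circulating_supply": circulating,
        "burned": burned,
        "pool_share_pct": pct(sum(pools.values())),
        "top1_wallet_pct": pct(top[0][1]) if top else 0.0,
        f"top{top_n}_wallet_pct": pct(sum(balance for _, balance in top)),
        "hhi": hhi,
        "flags": [],
    }
    if report["top1_wallet_pct"] >= TOP1_WARN_PCT:
        report["flags"].append(("warning", f"largest wallet holds {report['top1_wallet_pct']}% of circulating supply"))
    if report[f"top{top_n}_wallet_pct"] >= TOPN_WARN_PCT:
        report["flags"].append(("warning", f"top {top_n} wallets hold {report[f'top{top_n}_wallet_pct']}% of circulating supply"))
    if hhi >= HHI_WARN:
        report["flags"].append(("warning", f"HHI {hhi} indicates a highly concentrated holder set"))
    return report


if __name__ == "__main__":
    for key, value in concentration_report(SAMPLE_HOLDERS, {POOL}).items():
        print(key, value)
```

Separating the pool balance from wallet balances is what keeps the top-holder figure meaningful: counted as an ordinary holder, the liquidity pool would appear as the single largest "wallet" and mask the real wallet concentration.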

Two scan profiles: testnet and mainnet

Testnet / Dev Scan

For pre-launch contracts and development deployments.

Best for
  • Teams preparing for launch
  • Early technical readiness checks
  • Detecting obvious contract, proxy, ownership, and configuration issues before mainnet

Limitations

A testnet scan does not assess real holder distribution, production liquidity, real market behavior, or production privileged-control history.

Price
Free during beta. After beta: €50 per testnet scan.

Mainnet / Due Diligence Scan

For deployed tokens with public on-chain activity.

Includes
  • Contract, source, proxy, and admin evidence
  • Role and ownership indicators
  • Holder distribution
  • Liquidity and DEX context
  • Deployer and fund-flow evidence
  • Static-analysis findings where source is available

Price
Free during beta. After beta: €200 per mainnet scan.

Evidence first. Conclusions second.

xcactus Scan separates deterministic data collection from report generation. The scan engine collects structured evidence from public sources such as explorers, RPC endpoints, contract metadata, logs, holder data, liquidity data, and static-analysis tools. The reporting layer then turns that evidence into a readable report with explicit limitations and coverage notes.

Each report is designed to make the evidence trail clear: what was observed, what could not be verified, what requires manual follow-up, and which findings should be treated as blockers, warnings, or informational context.

  • Deterministic evidence collection. Structured data, not ad-hoc screenshots.
  • Coverage states. The report distinguishes confirmed evidence, missing evidence, unsupported checks, and provider or API limitations.
  • Environment-aware output. Testnet and mainnet reports are not treated as the same product.
  • No investment-action language. Reports avoid buy, sell, or participate recommendations.
  • Evidence and coverage checks. Beta reports are reviewed before being shared.
What you get

  • Structured scan report identified as testnet or mainnet
  • Contract, source, proxy, and admin evidence
  • Ownership and role-risk observations
  • Static-analysis output where source is available
  • Mainnet holder, liquidity, and fund-flow evidence for mainnet scans
  • PDF report with explicit limitations and evidence gaps, private by default during beta

What the scan does not replace

  • Not a full manual smart-contract audit
  • Not a MiCA compliance review or legal opinion
  • Not investment, financial, or trading advice
  • Does not guarantee that a token is safe
  • Does not replace deeper due diligence for high-value decisions
  • Testnet scans do not assess production holder distribution, real liquidity, or real market behavior

Sample reports

Two reports on public contracts — see what the scan delivers on each profile.

Testnet · Dev Scan
Riverside Apartments
base_sepolia testnet · 15 pages · 2026-05-14
Download sample (PDF)
Mainnet · Due Diligence Scan
USDC
ethereum mainnet · 14 pages · 2026-05-14
Download sample (PDF)

Pricing

Beta
Free during beta

During the beta period, selected scans are processed free of charge while we validate the workflow, report format, and evidence coverage. Beta capacity may be limited.

After beta

  • Testnet / Dev Scan: pre-launch readiness, development deployments. Price: €50
  • Mainnet / Due Diligence Scan: public on-chain evidence screening for deployed tokens. Price: €200

Prices are per scan. Complex multi-contract systems, manual audit work, legal review, or custom due-diligence scope are quoted separately.

FAQ

Is this a full audit?
No. xcactus Scan is a fast technical and on-chain screening product. It helps identify visible risks, evidence gaps, and follow-up areas. A full audit is a deeper manual process with a broader scope.
Can I scan a testnet contract?
Yes. Testnet scans are supported as Dev Scans. They are useful before launch, but they do not include real mainnet holder distribution, liquidity, or market-behavior evidence.
Can I scan a mainnet token?
Yes. Mainnet scans include additional public-evidence checks such as holder distribution, DEX and liquidity context, deployer analysis, and fund-flow evidence where available.
Is the report public?
Reports are private by default during beta. Publication of a sample, case study, or public report requires separate approval.
How long does it take?
During beta, delivery time may vary depending on queue size and evidence availability. The target is fast turnaround, with queue position and provider rate limits being the main factors.
Does the scan say whether a token is safe?
No. The report does not label a token as safe or unsafe and does not recommend any investment action. It presents observed evidence, limitations, and risk indicators for further due diligence.
Does a good scan result mean the token is safe?
No. xcactus Scan does not certify safety and does not provide an investment, legal, or audit opinion. It reports what was publicly observable at scan time, what could not be verified from public data, and which areas may require further due diligence.
Which networks does xcactus Scan support?
Ethereum and Base on mainnet, plus Ethereum Sepolia and Base Sepolia on testnet. Additional networks may be added in future releases.