How to avoid swap scams and honeypots

Most money lost on decentralized exchanges is not lost to volatility — it is lost to scams that are entirely avoidable with a short checklist. Fake tokens, honeypot contracts, malicious approvals, and phishing front-ends all rely on the same thing: a trader moving fast and trusting a name, a link, or a social-media post instead of verifying on-chain. This guide covers the four ways traders most commonly lose funds on a DEX and the specific defense against each. None of them require technical expertise; they require the discipline to check before you sign.

Fake and copycat tokens

Anyone can deploy a token and name it anything. Scammers mint tokens that reuse the exact symbol and name of a popular asset, seed a little liquidity, and wait for traders who search by ticker to buy the impostor. The defense is simple and absolute: trade by contract or mint address, not by symbol. Get the canonical address from the project's official site or a reputable data source, and compare the full string — not just the first and last few characters, because address-poisoning attacks deliberately match the visible ends.

Honeypot contracts

A honeypot is a token you can buy but cannot sell. The contract contains logic that blocks transfers from ordinary holders, allows only the deployer to sell, or applies a punishing tax on exit. The chart looks like it only goes up because nobody can take profit. Before buying anything unfamiliar, check whether other wallets have successfully sold it, read the contract's permissions on the block explorer, and be deeply skeptical of tokens with transfer restrictions, mint functions, or blacklist capabilities. A tiny test sell after buying confirms whether you can actually exit.
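The "check whether other wallets have successfully sold it" step can be made mechanical. The following is an added example, not XAUConnect code: it takes an already-fetched list of ERC-20 Transfer events for the token plus the address of its liquidity pool, treats a transfer into the pool as a sell and a transfer out of the pool as a buy, and reports whether anyone other than the deployer has ever managed to exit. The pool, deployer and wallet addresses and all events are constructed for the illustration.

```python
"""Heuristic honeypot check over a token's Transfer history.

Added example, not XAUConnect code. Assumes the caller has already fetched the
token's ERC-20 Transfer events and knows the liquidity-pool and deployer
addresses (both readable on a block explorer). All sample data is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    sender: str
    recipient: str
    value: int


def classify_flows(events, pool, deployer):
    """Split transfers into buyer and seller wallet sets.

    A transfer OUT of the pool is a buy; a transfer INTO the pool is a sell.
    The deployer is excluded from both sets, because a deployer-only sell is
    exactly what a honeypot permits.
    """
    pool, deployer = pool.lower(), deployer.lower()
    buyers, sellers = set(), set()
    for ev in events:
        frm, to = ev.sender.lower(), ev.recipient.lower()
        if frm == pool and to != deployer:
            buyers.add(to)
        elif to == pool and frm != deployer:
            sellers.add(frm)
    return buyers, sellers


def honeypot_verdict(events, pool, deployer, min_buyers=5):
    """Return a short verdict string based on who has been able to sell."""
    buyers, sellers = classify_flows(events, pool, deployer)
    if len(buyers) < min_buyers:
        return "insufficient history"          # too few buys to judge
    if not sellers:
        return "likely honeypot"               # many buys, no non-deployer sell
    if len(sellers) * 10 < len(buyers):
        return "few sellers: suspicious"       # sells exist but are rare
    return "sells observed"                    # still confirm with a small test sell


# ---- constructed sample data -------------------------------------------------
POOL = "0x" + "01" * 20                                   # constructed pool address
DEPLOYER = "0x" + "02" * 20                               # constructed deployer wallet
RETAIL = ["0x" + format(i, "040x") for i in range(10, 20)]  # ten constructed wallets


def _buys(wallets, amount=1_000):
    return [Transfer(POOL, w, amount) for w in wallets]


# Scenario A: ten retail buys; the only sell is the deployer's.
HONEYPOT_EVENTS = _buys(RETAIL) + [Transfer(DEPLOYER, POOL, 50_000)]
# Scenario B: ten retail buys and four retail wallets that sold back to the pool.
HEALTHY_EVENTS = _buys(RETAIL) + [Transfer(w, POOL, 900) for w in RETAIL[:4]]

if __name__ == "__main__":
    print("scenario A:", honeypot_verdict(HONEYPOT_EVENTS, POOL, DEPLOYER))
    print("scenario B:", honeypot_verdict(HEALTHY_EVENTS, POOL, DEPLOYER))
```

The heuristic answers only the "can anyone sell?" question; it says nothing about exit taxes or a blacklist that is switched on later, which is why the guide still recommends reading the contract's permissions and placing a small test sell.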

Malicious approvals and drainer signatures

Granting a token approval lets a contract move that token on your behalf. Scam front-ends try to trick you into approving an unlimited allowance to a contract they control, or into signing an opaque off-chain message that authorizes a transfer. Approve only the amount you intend to trade, never sign a transaction or message you do not understand, and periodically review and revoke old allowances. A wallet that has been drained almost always signed something it should have refused.

A pre-trade checklist that prevents most losses

Before approving any unfamiliar token: confirm the full contract address against an official source; verify the contract is published and readable on the explorer; check that liquidity exists and that other holders have sold successfully; size the first trade as a small test; and review the approval amount your wallet is about to grant. Five checks, under two minutes, and they defend against the overwhelming majority of preventable losses.
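Two of the five checks above, the full-address comparison and the review of the approval amount, can be run against the raw transaction a wallet is about to sign. The following is an added example, not XAUConnect code: it compares the transaction's target against the canonical token address over the whole string (flagging the matching-ends pattern that address poisoning relies on), decodes standard ERC-20 approve(address,uint256) calldata, and reports an unexpected spender, an unlimited allowance, or an allowance larger than the intended trade. The token, router and spender addresses and the sample calldata are constructed; the selector 095ea7b3 is the standard one for approve(address,uint256).

```python
"""Pre-sign review of a swap approval.

Added example, not XAUConnect code. Assumes the wallet exposes the raw
transaction (to, data) the front-end asked it to sign, and that the trader
knows the canonical token address, the router they intend to authorize and
the amount they intend to trade. All addresses below are constructed.
"""
import re

APPROVE_SELECTOR = "095ea7b3"          # first 4 bytes of keccak256("approve(address,uint256)")
UINT256_MAX = 2**256 - 1               # the "unlimited" allowance most front-ends request
HEX_ADDRESS = re.compile(r"^0x[0-9a-fA-F]{40}$")


def same_address(a, b):
    """Full-string, case-insensitive comparison of two 20-byte hex addresses."""
    if not (HEX_ADDRESS.match(a) and HEX_ADDRESS.match(b)):
        return False
    return a.lower() == b.lower()


def ends_match_only(a, b, n=4):
    """True when the first and last n hex digits agree but the addresses differ."""
    a, b = a.lower(), b.lower()
    return a != b and a[:2 + n] == b[:2 + n] and a[-n:] == b[-n:]


def decode_approve(data):
    """Decode approve(spender, amount) calldata; return (spender, amount) or None."""
    data = data[2:] if data.startswith("0x") else data
    if len(data) != 8 + 64 + 64 or data[:8].lower() != APPROVE_SELECTOR:
        return None
    spender = "0x" + data[8 + 24:8 + 64].lower()   # address is right-aligned in its word
    amount = int(data[72:136], 16)
    return spender, amount


def review_approval(tx_to, tx_data, canonical_token, intended_spender, intended_amount):
    """Return a list of findings; an empty list means the approval matches intent."""
    findings = []
    if not same_address(tx_to, canonical_token):
        msg = "token address does not match the canonical address"
        if ends_match_only(tx_to, canonical_token):
            msg += " (visible ends match: possible address poisoning)"
        findings.append(msg)
    decoded = decode_approve(tx_data)
    if decoded is None:
        findings.append("calldata is not approve(address,uint256); do not sign what you cannot read")
        return findings
    spender, amount = decoded
    if not same_address(spender, intended_spender):
        findings.append(f"spender {spender} is not the intended router")
    if amount == UINT256_MAX:
        findings.append("unlimited allowance requested")
    elif amount > intended_amount:
        findings.append(f"allowance {amount} exceeds intended trade amount {intended_amount}")
    return findings


def build_approve(spender, amount):
    """Encode approve calldata; used here only to construct sample transactions."""
    return "0x" + APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + format(amount, "064x")


# ---- constructed sample values ----------------------------------------------
CANONICAL_TOKEN = "0x1111" + "22" * 16 + "1111"   # constructed canonical token address
POISONED_TOKEN = "0x1111" + "ee" * 16 + "1111"    # same ends, different middle
ROUTER = "0x" + "33" * 20                         # the router the trader intends to use
SCAM_SPENDER = "0x" + "44" * 20                   # spender a scam front-end would substitute
TRADE_AMOUNT = 100 * 10**6                        # e.g. 100 units of a 6-decimal token

if __name__ == "__main__":
    bad = review_approval(POISONED_TOKEN, build_approve(SCAM_SPENDER, UINT256_MAX),
                          CANONICAL_TOKEN, ROUTER, TRADE_AMOUNT)
    good = review_approval(CANONICAL_TOKEN, build_approve(ROUTER, TRADE_AMOUNT),
                           CANONICAL_TOKEN, ROUTER, TRADE_AMOUNT)
    print("scam approval:", bad)
    print("intended approval:", good)
```

Any non-empty findings list is a reason to reject the signature and re-check the front-end, not a prompt to edit the transaction by hand.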

Legal

Risk disclosure

XAUConnect is a non-custodial swap aggregator. Digital assets are volatile and may lose value rapidly. Content on this page is educational and not investment advice. Verify every contract address on the official block explorer before approving a transaction.

Frequently asked questions

How do I know if a token is a honeypot?

Check whether ordinary wallets have successfully sold it, read the contract permissions on the explorer for transfer restrictions or blacklist functions, and place a small test sell after buying to confirm you can exit.

What is the safest way to find the right token?

Trade by full contract or mint address taken from the project's official source, and compare the entire address — not just the ends, which poisoning attacks deliberately match.

Why should I avoid unlimited token approvals?

An unlimited allowance is a standing permission that a malicious or later-compromised contract can use to drain that token. Approve only the amount you are trading, and revoke old allowances periodically.

How do I avoid phishing sites?

Bookmark the official domain and always use the bookmark. Never reach a swap interface via a search ad or a link from a message, and never enter your seed phrase anywhere.
