Let me be honest with you: I’ve been trading Solana memecoins for over two years, and last month I lost $1,400 to a token that passed every surface-level safety check I ran. The rug check came back “safe.” The liquidity was locked. The mint authority was revoked. And I still got rugged.
If you’re reading this, you’ve probably moved past the beginner stage. You know not to ape into a token with zero liquidity and an anonymous deployer. You run your checks. You use tools. But there’s a gap between running a solana rug check and actually understanding what the results mean—and that gap is where experienced traders lose money.
This post covers seven specific mistakes I see veterans make repeatedly. Not theoretical risks. Real patterns I’ve watched play out in real time, sometimes in my own wallet.
1. Trusting a “Safe” Score Without Understanding What It Measures
This is the most common mistake, and it’s the one that got me last month. A rug check tool returns a green badge or a high safety score, and we move on. But here’s the thing—most safety scoring tools weigh different factors differently, and many of them don’t check everything.
Some tools heavily weight whether mint authority is revoked and whether LP is burned. That’s it. They don’t look at holder distribution patterns, they don’t analyze deployer history, and they don’t check freeze authority. So you get a “safe” score on a token where one wallet controls 40% of the supply through 15 different addresses.
How to actually check
When you run a memecoin safety checker, don’t just look at the final score. Open the breakdown. Ask yourself:
- Does this tool check holder concentration, or just top 10 holders?
- Does it verify freeze authority status, or only mint authority?
- Does it analyze deployer wallet history?
- Does it check LP lock duration, or just whether it’s locked at all?
If you can’t answer those questions, the score is meaningless. I’ve started treating safety scores as a starting point, not a conclusion. Tools like TokenRadar show you the individual safety components so you can see exactly what passed and what didn’t, rather than collapsing everything into a single number.
For a deeper framework on combining these checks, see our complete Solana rug check workflow.
2. Not Checking LP Lock Expiry Dates
“Liquidity is locked” might be the most dangerous phrase in memecoin trading. Not because it’s false—the liquidity probably is locked. But locked doesn’t mean locked forever.
I’ve seen tokens where LP was locked for 72 hours. That’s enough to pass every automated check, build hype through a few pumps, and then pull everything the moment the lock expires. Some deployers are even more creative: they’ll lock LP for 30 days, build a community, get listed on aggregators, and then quietly pull when everyone has stopped watching.
Real example
A token launched in early 2025 with LP locked via a well-known locker. Every safety tool flagged it green. But the lock was set for exactly 14 days. The token pumped for 12 days, the deployer sold their unlocked allocation on day 13, and LP was pulled the moment the lock expired on day 14. Anyone who checked “LP locked? Yes” and moved on got caught.
How to actually check
- Go to the locker contract directly. Don’t rely on a third-party summary.
- Check the exact unlock timestamp. Convert it to a real date.
- Set a calendar reminder for 24 hours before the lock expires.
- Be suspicious of any lock period under 90 days for a token claiming to be a long-term project.
Our guide on token vesting and unlock schedules on Solana walks through how to read these contracts step by step.
3. Missing Multi-Wallet Concentration
This is the one that got me. I checked the top holders. No single wallet had more than 3% of supply. Looked perfectly distributed. What I didn’t see was that 18 of the top 50 wallets were funded by the same source wallet within a 4-hour window before launch.
Multi-wallet concentration is the most sophisticated and increasingly common rug technique on Solana. The deployer creates 15-30 wallets, funds them through intermediate wallets or mixers, and distributes the supply across all of them. Each wallet holds a small percentage. Together, they control 40-60% of the total supply.
How to actually check
This takes work, and there’s no fully automated way to catch every instance. But here’s what I do now:
- Check funding sources. Pick 5-10 of the top holders and trace where their SOL came from. If multiple wallets were funded from the same source, that’s your signal.
- Look at timing. If a cluster of wallets all bought within minutes of each other in the first hour, they’re likely coordinated.
- Check sell patterns. Coordinated wallets often sell in sequence, not simultaneously, to avoid crashing the price. Look for staggered sells of similar amounts.
Learning to read Solscan like a pro is essential for this. You need to be comfortable tracing transaction chains across multiple wallets.
| Signal | What It Looks Like | Risk Level |
|---|---|---|
| Same funding source for 5+ top holders | Multiple wallets receive SOL from the same wallet within hours | Critical |
| Wallets created within same day | Top holder wallets all have first transaction on the same date | High |
| Sequential small sells | Multiple wallets selling similar amounts 5-15 minutes apart | High |
| No other token activity | Top holders only hold this one token and nothing else | Medium-High |
| Round-number SOL funding | Multiple wallets all funded with exactly 2.0 SOL or 5.0 SOL | Medium |
4. Ignoring Update Authority on Metadata
Here’s one that almost nobody talks about. On Solana, token metadata—the name, symbol, description, and image—is stored in a separate metadata account managed by the Metaplex Token Metadata program. And that metadata account has an update authority.
If the update authority hasn’t been revoked, the deployer can change the token’s name, symbol, and image after launch. Why does this matter? Because a token can launch as “SafeMoon2.0” with a dog logo, build a community, and then change its name and branding to something completely different. Or more practically, the deployer can swap the metadata to impersonate a legitimate project.
How to actually check
- Look up the token’s metadata account on Solscan or a Metaplex explorer.
- Check if
isMutableis set totrueorfalse. - If it’s mutable, check who the update authority is. Is it the deployer wallet? A multisig? A known program?
- For serious positions, only hold tokens where metadata is immutable or the update authority has been transferred to a null/dead address.
This isn’t always a dealbreaker—some legitimate projects keep metadata mutable so they can update their logo or description. But you should know it’s mutable before you buy, not discover it after the token rebrands overnight.
5. Assuming “Mint Revoked” Means Fully Safe
This is the false sense of security that catches the most experienced traders. You check mint authority: revoked. Great, no one can print new tokens. But there’s another authority that’s just as dangerous and far less discussed: freeze authority.
If freeze authority is still active, the deployer can freeze any wallet’s token balance, making it impossible to sell or transfer. This is the functional equivalent of a rug pull—your tokens still exist, but you can never move them.
How to actually check
Every solana token safety check should include both authorities:
| Authority | What It Controls | Safe Status | Dangerous Status |
|---|---|---|---|
| Mint Authority | Ability to create new tokens and increase supply | Revoked (set to null) | Active (deployer can inflate supply) |
| Freeze Authority | Ability to freeze any holder’s token balance | Revoked (set to null) | Active (deployer can freeze your wallet) |
| Update Authority | Ability to change token metadata (name, symbol, image) | Revoked or immutable | Active (deployer can change token identity) |
You can check both mint and freeze authority on Solscan by viewing the token’s account data, or use a dedicated safety checker that surfaces both. If your tool only reports mint authority, it’s giving you an incomplete picture. Our Solana token safety checklist covers all three authorities and how to verify each one.
6. Not Checking the Deployer’s Other Tokens
Serial ruggers exist, and they’re not hard to find if you look. The same wallet—or cluster of wallets—that deployed today’s hot new token may have deployed and rugged 15 others in the past month. But most traders never check.
This is one of the highest-signal, lowest-effort checks you can run, and I’m consistently surprised by how few people do it.
How to actually check
- Find the deployer wallet address (the wallet that created the token’s mint account).
- Look at its transaction history. Filter for token creation transactions.
- For each previous token, check: Is it still trading? Does it have liquidity? Or did it go to zero?
- If the deployer has created 5+ tokens in the past 30 days and none of them still have meaningful liquidity, walk away.
Some deployers are smart enough to use a fresh wallet for each launch. That’s why this check works best in combination with the multi-wallet analysis from mistake #3. Trace the deployer’s funding source—even if the deployer wallet is new, its SOL came from somewhere.
We covered this pattern in depth in our post on 7 red flags every trader must know.
7. Falling for “Verified” Badges That Mean Nothing On-Chain
Verification badges on token listing sites and portfolio trackers create a dangerous illusion of legitimacy. A “verified” badge on a DEX aggregator or token listing site typically means one thing: someone submitted the token’s metadata (name, logo, description, links) and a human or automated process approved it. That’s it.
It does not mean:
- The contract has been audited
- The team has been doxxed or KYC’d
- The token’s economics are sound
- The liquidity is safe
- The token won’t rug
Verification on most platforms is purely a metadata check. Did you provide a logo? Does the website link work? Congratulations, you’re “verified.” I’ve seen tokens get verified on multiple platforms within 48 hours of launch, only to rug within the week.
How to actually check
Ignore the badge entirely. Instead, do your own verification:
- Check the age of the social accounts. A Twitter account created the same week as the token launch is a red flag, regardless of follower count.
- Look at GitHub activity. If the project claims to be building something, is there actual code? Commits from multiple contributors? Or is it an empty repo?
- Verify the team. Are the listed team members real people with verifiable histories in crypto? LinkedIn profiles with connections, not stock photos.
- Read the contract yourself. Or at minimum, check it against known rug contract patterns.
The 5-minute safety check we published walks through a quick but thorough verification process that doesn’t rely on third-party badges.
Putting It All Together
None of these mistakes are about lacking knowledge. They’re about taking shortcuts with checks we know we should do more thoroughly. The difference between a trader who gets rugged occasionally and one who rarely does isn’t intelligence—it’s discipline.
Here’s my current pre-buy checklist, distilled from all seven mistakes above:
- Run a solana rug check but read the full breakdown, not just the score.
- Verify LP lock duration and set a reminder for the unlock date.
- Trace funding sources for at least 5 top holders.
- Check metadata mutability and update authority status.
- Confirm both mint AND freeze authority are revoked.
- Review the deployer wallet’s token creation history.
- Ignore verification badges. Verify the team and code independently.
Does this take longer than just checking a safety score and aping in? Yes. Does it save money? Absolutely. The 10 minutes I now spend on due diligence has saved me from at least four confirmed rugs in the past two months alone.
If you want to streamline this process, TokenRadar surfaces most of these signals—authority status, holder concentration, deployer history—in one view so you can make faster, better-informed decisions without skipping the checks that matter.
Stay skeptical. Stay safe. And never trust a single number to tell you the whole story.