Documentation
How Natox works
Everything you need to understand our analysis engine and interpret your risk reports.
How scanning works
When you submit a token address, Natox runs 8 steps in sequence:
- Fetches the first 1,000+ bonding curve transactions via Helius API
- Identifies all buyer wallets and their purchase amounts
- Profiles each wallet - age, transaction history, SOL balance
- Traces funding chains to find wallets with shared funding sources
- Detects same-slot bundle purchases (sybil attacks)
- Identifies block 0/1 snipers and known bot programs
- Checks token authorities (freeze, mint) and LP lock/burn status
- Passes all data to our AI for holistic risk assessment
Risk score (0–100)
The score is composed of four weighted sub-scores:
Fewer real buyers = higher risk
Deployer self-buying percentage
Top 5/10 wallet dominance
Suspicious graduation speed
Verdict levels
Detection signals
Bundled wallets
Same-slot purchases (400ms window). Nearly impossible to happen organically.
Block 0 buyers
Bought in the very first block after creation. Usually bots or creator wallets.
Sniper wallets
Using known MEV/bot programs to front-run buyers.
Fresh wallets
No prior history. Created specifically for this purchase.
Funding chain
Multiple buyers received SOL from the same source wallet.
Creator self-buy
Deployer buying a large chunk of their own bonding curve.
Security checks
Freeze authority
Can the deployer freeze holders? Should be renounced.
Mint authority
Can the deployer mint unlimited tokens? Should be renounced.
LP burn / lock
Are LP tokens burned or locked? Unlocked = rug risk.
Limitations
- • Only analyzes bonding curve data. Post-graduation rugs may not be caught.
- • Sophisticated actors evolve their techniques. No system is 100%.
- • Score is probabilistic. Low score ≠ guaranteed safe.
- • This is not financial advice. Always do your own research.