
Greenlight Security Checks


All checks run in parallel. Results feed the signal weight engine, which determines the findings outcome.




Address Checks (9 checks)


Applies to: target_type: "address" — wallet addresses, token contracts, NFT contracts.




1. GoPlus Token Security

API: https://api.gopluslabs.io/api/v1/token_security/{chainId}


Analyzes ERC-20 and BEP-20 token contracts for common vulnerabilities.


| Finding Code | Label | Severity | Trigger |
|---|---|---|---|
| HONEYPOT | Honeypot Detected | Critical | Token cannot be sold after purchase |
| BLACKLISTED | Blacklisted Token | Critical | Token has blacklist function that can trap wallets |
| TOKEN_HIGH_RISK | High Risk Token | Critical | GoPlus risk level ≥ 3 |
| TOKEN_MEDIUM_RISK | Token Risk Detected | High | GoPlus risk level ≥ 2 |
| HIGH_TAX | High Transaction Tax | High | Buy/sell tax flagged above safe threshold |

Chains: Ethereum (1), Polygon (137), BSC (56), Base (8453). Defaults to Ethereum.




2. GoPlus Malicious Address

API: https://api.gopluslabs.io/api/v1/address_security/{chainId}


Checks whether a wallet or contract address appears in GoPlus's malicious address database (cybercrime, sanctions, fraud labels).


| Finding Code | Label | Severity | Trigger |
|---|---|---|---|
| MALICIOUS_ADDRESS | Malicious Address | Critical | Address is flagged in GoPlus database |
| MALICIOUS_DETAIL | Risk Detail | High | Per-item risk label from GoPlus (e.g. "phishing", "sanctioned") |


3. GoPlus Approval Security

API: https://api.gopluslabs.io/api/v1/approval_security/{chainId}


Checks for active token approvals on the address that could allow third-party wallets to drain funds.


| Finding Code | Label | Severity | Trigger |
|---|---|---|---|
| RISKY_APPROVALS | Risky Token Approvals | High | One or more active approvals detected with elevated risk |


4. GoPlus NFT Security

API: https://api.gopluslabs.io/api/v1/nft_security/{chainId}


Checks NFT contracts for dangerous owner privileges.


| Finding Code | Label | Severity | Trigger |
|---|---|---|---|
| NFT_RISK | NFT Security Risk | Medium | Contract has privileged burn, privileged minting, or self-destruct function |

Specific risk items detected:

  • Privileged burn function (owner can destroy tokens)
  • Privileged minting function (unlimited supply risk)
  • Self-destruct function (contract can be wiped)



5. Chainabuse

API: https://api.chainabuse.com/v0/reports

Community-sourced fraud reports. Checks if an address has been reported for scams, ransomware, or other fraud across all chains.

| Finding Code | Label | Severity | Trigger |
|---|---|---|---|
| CHAINABUSE_REPORTED | Reported on Chainabuse | High | Address has one or more fraud reports in database |


6. Moralis Wallet Reputation

API: Moralis Web3 API — wallet reputation endpoint

Analyzes transaction history patterns to compute a reputation score (0–100) based on behavioral signals.

| Finding Code | Label | Severity | Trigger |
|---|---|---|---|
| LOW_REPUTATION | Low Wallet Reputation | Medium | Reputation score indicates elevated risk (threshold: level ≥ 3) |


7. Phishing Database

Sources: MetaMask Phishing Detection API + Polkadot.js Phishing List

Coverage: 54,865 domains · 279 malicious wallet addresses (loaded at startup, refreshed periodically)

Cross-references the address against two community-maintained phishing databases loaded in memory at server start.

| Finding Code | Label | Severity | Trigger |
|---|---|---|---|
| PHISHING_DB_ADDRESS | Known Malicious Address | Critical | Address found in MetaMask or Polkadot phishing list |

Database sources:

  • MetaMask: https://phishing-detection.api.cx.metamask.io/v1/stalelist
  • Polkadot addresses: https://polkadot.js.org/phishing/address.json



8. Etherscan Contract Verification

API: Etherscan API — contract ABI/source verification endpoint

Applies to: EVM addresses (0x…, 42 chars) only

Checks whether a smart contract has its source code publicly verified on Etherscan.

| Finding Code | Label | Severity | Trigger |
|---|---|---|---|
| UNVERIFIED_CONTRACT | Unverified Contract | Medium | Contract exists but source code is not verified on Etherscan |

Non-contract addresses (EOAs) do not trigger this check.


9. CoinGecko Token Legitimacy

API: CoinGecko API — contract lookup endpoint

Applies to: EVM addresses (0x…, 42 chars) only

Verifies whether the token contract is listed in CoinGecko's token database, which requires passing a legitimacy review.

| Finding Code | Label | Severity | Trigger |
|---|---|---|---|
| NOT_ON_COINGECKO | Not Listed on CoinGecko | Low | Token contract not found in CoinGecko database |

Low severity — new or niche legitimate tokens may not be listed.


URL Checks (5 checks)

Applies to: target_type: "url" — dApp URLs, DeFi protocol links, any web address.




1. GoPlus Phishing Detection

API: https://api.gopluslabs.io/api/v1/phishing_site

AI-powered phishing detection that analyzes site content and domain patterns.

| Finding Code | Label | Severity | Trigger |
|---|---|---|---|
| PHISHING_SITE | Phishing Site Detected | Critical | GoPlus AI confirms site is a phishing page |


2. GoPlus dApp Security

API: https://api.gopluslabs.io/api/v1/dapp_security

Checks dApp URLs against GoPlus's audit database and trust list. Returns risk items if found.

| Finding Code | Label | Severity | Trigger |
|---|---|---|---|
| DAPP_RISK | dApp Security Risk | High / Medium | dApp flagged with risk level "high" or "medium" |
| DAPP_DETAIL | dApp Issue | Medium | Per-item risk detail returned by GoPlus |


3. Phishing Database

Sources: MetaMask Phishing Detection API + Polkadot.js Phishing List

Coverage: 54,865 domains (loaded in memory)

Cross-references the URL's domain against the same in-memory phishing database used for address checks.

| Finding Code | Label | Severity | Trigger |
|---|---|---|---|
| PHISHING_DB_DOMAIN | Known Phishing Domain | Critical | Domain found in MetaMask or Polkadot deny list |

Database sources:

  • MetaMask: https://phishing-detection.api.cx.metamask.io/v1/stalelist
  • Polkadot domains: https://polkadot.js.org/phishing/all.json
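
A domain deny-list lookup of the kind this check describes, as an added example (not Greenlight's own code). Matching parent domains as well as the exact host is an assumption of this sketch, and `DENY_DOMAINS` holds constructed entries rather than values from the real lists.

```python
from urllib.parse import urlsplit

# Constructed deny list; the real lists come from the sources named above.
DENY_DOMAINS = {"wallet-connect-verify.example", "airdrop-claim.example"}

def normalize_host(url):
    """Return the lowercase ASCII hostname of a URL; raise ValueError if none."""
    if "://" not in url:
        url = "https://" + url            # accept bare "host/path" input
    host = urlsplit(url).hostname         # drops userinfo, port and brackets
    if not host:
        raise ValueError("URL has no hostname")
    host = host.rstrip(".")               # "evil.example." equals "evil.example"
    try:
        # Punycode Unicode labels so internationalized names compare as ASCII.
        return host.encode("idna").decode("ascii")
    except UnicodeError as exc:
        raise ValueError("hostname is not a valid domain") from exc

def candidate_domains(host):
    """Yield the host, then each parent domain that still has two labels."""
    labels = host.split(".")
    for i in range(max(len(labels) - 1, 1)):
        yield ".".join(labels[i:])

def check_url(url, deny=DENY_DOMAINS):
    """Return a PHISHING_DB_DOMAIN finding dict, or None when nothing matches.

    A ValueError means the URL could not be checked; callers should treat
    that as "not checked", never as "clean".
    """
    host = normalize_host(url)
    for domain in candidate_domains(host):
        if domain in deny:
            return {"code": "PHISHING_DB_DOMAIN", "host": host, "matched": domain}
    return None
```

Normalizing before the lookup is what keeps a userinfo prefix, mixed case, a trailing dot or an extra subdomain from slipping past an exact-string comparison.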



4. ScamSniffer

API: ScamSniffer real-time detection API

Real-time scam and phishing URL detection maintained by the ScamSniffer security team.

| Finding Code | Label | Severity | Trigger |
|---|---|---|---|
| SCAMSNIFFER_HIT | ScamSniffer Alert | High | URL flagged as suspicious by ScamSniffer |


5. Chainabuse URL Check

API: https://api.chainabuse.com/v0/reports

Checks the URL against Chainabuse's community fraud report database.

| Finding Code | Label | Severity | Trigger |
|---|---|---|---|
| CHAINABUSE_URL | URL Reported on Chainabuse | High | URL has fraud reports in Chainabuse database |


Signal Weight Engine

All findings from active checks are passed through the signal weight engine to produce the final outcome.


Severity Weights

| Severity | Weight Added |
|---|---|
| Critical | +35 |
| High | +20 |
| Medium | +10 |
| Low | +5 |
| Info | +0 |

Maximum signal weight: 100 (capped).


Findings Outcomes

| Outcome | Signal Weight | Meaning |
|---|---|---|
| no_issues_detected | < 20 | No findings returned by any check source |
| issues_detected | 20 – 59 | One or more findings present |
| high_risk_signals_detected | ≥ 60 | High signal-weight threshold exceeded |

> Greenlight returns findings — it does not make proceed/stop decisions. The policy engine consuming the findings determines what action to take.




Check Coverage by Endpoint

| Check | /v1/scans (address) | /v1/scans (url) | /v1/pre-action-checks |
|---|---|---|---|
| GoPlus Token Security | ✓ | — | ✓ (address targets) |
| GoPlus Malicious Address | ✓ | — | ✓ (address targets) |
| GoPlus Approval Security | ✓ | — | ✓ (address targets) |
| GoPlus NFT Security | ✓ | — | ✓ (address targets) |
| GoPlus Phishing Detection | — | ✓ | ✓ (url targets) |
| GoPlus dApp Security | — | ✓ | ✓ (url targets) |
| Chainabuse | ✓ | ✓ | ✓ |
| Moralis Wallet Reputation | ✓ | — | ✓ (address targets) |
| Phishing Database (53K+) | ✓ | ✓ | ✓ |
| Etherscan Contract Verification | ✓ (EVM only) | — | ✓ (EVM address targets) |
| CoinGecko Token Legitimacy | ✓ (EVM only) | — | ✓ (EVM address targets) |
| ScamSniffer | — | ✓ | ✓ (url targets) |


Rate Limits & Availability


  • **Rate limit:** 30 requests per minute per IP
  • **All checks run in parallel** — total response time is typically 1–3 seconds
  • **Graceful degradation:** if any individual API is unavailable, the remaining checks still complete and the source is noted as (error) in the evidence sources list
  • **Findings payload expiry:** 15 minutes for /v1/pre-action-checks, 24 hours for /v1/scans retrieval via GET
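
The severity weights, outcome thresholds and graceful-degradation note above, combined into one added example (not Greenlight's own code). It assumes weights are summed per finding; the `Finding` class, the `sources` mapping shape and `policy_decision` are hypothetical consumer-side names, and the sample data is constructed.

```python
from dataclasses import dataclass

# Weights and thresholds copied from the tables on this page.
SEVERITY_WEIGHT = {"critical": 35, "high": 20, "medium": 10, "low": 5, "info": 0}
MAX_WEIGHT = 100

@dataclass(frozen=True)
class Finding:
    code: str       # e.g. "HONEYPOT"
    severity: str   # a key of SEVERITY_WEIGHT, any case
    source: str     # name of the check that produced the finding

def signal_weight(findings):
    """Sum the per-finding weights (assumed additive) and cap at MAX_WEIGHT."""
    total = sum(SEVERITY_WEIGHT[f.severity.lower()] for f in findings)
    return min(total, MAX_WEIGHT)

def outcome(weight):
    """Map a capped signal weight to the outcome names in the table."""
    if weight >= 60:
        return "high_risk_signals_detected"
    if weight >= 20:
        return "issues_detected"
    return "no_issues_detected"

def policy_decision(findings, sources):
    """Hypothetical consumer policy; Greenlight itself returns findings only.

    `sources` maps check name -> "ok" or "(error)" (assumed shape).
    """
    weight = signal_weight(findings)
    result = outcome(weight)
    failed = sorted(name for name, state in sources.items() if state == "(error)")
    has_critical = any(f.severity.lower() == "critical" for f in findings)
    if result == "high_risk_signals_detected" or has_critical:
        action = "block"
    elif findings or failed:
        # A lone Medium or Low finding scores under 20, and a failed source
        # means its silence is not evidence of safety: send to review.
        action = "review"
    else:
        action = "allow"
    return {"weight": weight, "outcome": result,
            "failed_sources": failed, "action": action}

# Constructed sample, not real Greenlight output.
SAMPLE = [Finding("UNVERIFIED_CONTRACT", "Medium", "etherscan")]
SAMPLE_SOURCES = {"etherscan": "ok", "goplus_token": "(error)", "chainabuse": "ok"}
```

Under the additive reading, the sample scores 10 and maps to `no_issues_detected` even though a finding is present and one source failed, which is why the consumer policy here inspects the findings list and the source states rather than the outcome string alone.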



Last updated: March 2026