Security / Audit · EVM · Solana · Multi-chain
GoPlus Security
Decentralized Web3 security data layer providing Token Security, Address Risk, NFT Risk, Approval Security, dApp Security, and Transaction Simulation APIs across 40+ chains. Covers honeypots, mint/blacklist functions, sanctioned/phishing addresses, malicious approvals, and pre-signature simulation with a multidimensional risk model.
- 01 token honeypot + tax checks
- 02 address sanction + phishing screening
- 03 approval / allowance risk audits
- 04 pre-signature transaction simulation
- 05 AI-agent security checks (x402)
- pnpm add @goplus/sdk-node
| Variable | Scope | Description |
|---|---|---|
| GOPLUS_APP_KEY | Server | GoPlus app key (used together with `GOPLUS_APP_SECRET` to fetch a short-lived access token via `POST /api/v1/token`). Optional for unauthenticated rate-limited use. |
| GOPLUS_APP_SECRET | Server | GoPlus app secret used to sign the token request. Server-side only. |
Use GoPlus for token, address, and transaction risk checks.
- Token security: `GET https://api.gopluslabs.io/api/v1/token_security/{chain_id}?contract_addresses={addr}` returns flags like `is_honeypot`, `buy_tax`, `sell_tax`, `cannot_sell_all`, `is_blacklisted`, `lp_holders`, and `holder_count`. Block trade UI when `is_honeypot === '1'` or `cannot_sell_all === '1'`.
- Address security: `GET /api/v1/address_security/{address}?chain_id={cid}` returns `cybercrime`, `money_laundering`, `phishing_activities`, `sanctioned`, `mixer` flags.
- Approval security (revoke flows): `GET /api/v2/token_approval_security/{chain_id}?addresses=`.
- Transaction simulation: `POST /api/v1/transaction_simulation/{chain_id}` with `{ from, to, data, value, gas }` returns expected balance changes, risk warnings, and a simulated trace.
- With the SDK: `import GoPlus from '@goplus/sdk-node'; const tokenSec = await GoPlus.tokenSecurity('1', ['0x...'], 30);`.
- For higher rate limits, exchange `GOPLUS_APP_KEY`+`GOPLUS_APP_SECRET` for an access_token on the server and pass it as `Authorization`.
- ⚑GoPlus uses numeric `chain_id` strings (`'1'` for Ethereum, `'56'` for BSC, `'solana'` for Solana) — passing slug names like `'ethereum'` returns an empty result, not a 4xx, so the check silently no-ops.
- ⚑Token-security flags are returned as strings (`'0'`/`'1'`/`null`) not booleans — `null` means 'not yet analyzed' (often for brand-new contracts), which is NOT the same as safe; treat `null` as 'unknown, defer + show simulation' rather than passing.
- ⚑Address-risk dataset is heavily US/EU-centric — sanctions coverage maps to OFAC/UK/EU, but local enforcement lists (e.g. South Korea, Singapore, Brazil) are partial. Layer Chainalysis or TRM for jurisdictional compliance use cases.
- ⚑Transaction simulation latency can spike (300ms–2s) for novel contracts that need cold compilation; show a non-blocking spinner and time-out gracefully instead of freezing the signing UI.
- ⚑Wallet UX integration is API-side only — there is no drop-in widget. Render your own warning component from the response and gate the actual signature, otherwise users will click through.
- ⚑Free-tier rate limits are aggressive (~30 rpm unauth); use a server-side proxy with the access_token flow if you need dashboard or bulk-screening throughput.
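The `chain_id` and `null`-flag pitfalls above both fail open unless the caller handles them, so here is an added example (not GoPlus code) of a fail-closed gate over the token-security flags. The function names, the per-token flag object passed in, and the sample objects are assumptions constructed for illustration; only the flag names and the `'0'`/`'1'`/`null` encoding come from this page.

```javascript
// Added example: fail-closed interpretation of GoPlus token-security flags.
// Flag names are from the page; function names and samples are constructed.

// Per the page, chain_id is a numeric string ('1', '56') or 'solana'. Slugs such
// as 'ethereum' yield an empty result rather than an error, so reject them here.
function isValidChainId(chainId) {
  return typeof chainId === 'string' &&
    (/^[0-9]+$/.test(chainId) || chainId === 'solana');
}

// Flags arrive as '0' / '1' / null. Map to a tri-state so null never reads as safe.
function triState(value) {
  if (value === '1') return 'yes';
  if (value === '0') return 'no';
  return 'unknown'; // null, undefined, or any unexpected value
}

const BLOCKING_FLAGS = ['is_honeypot', 'cannot_sell_all'];

// flags: the per-token flag object (assumed shape), or undefined/{} if nothing came back.
function tradeDecision(chainId, flags) {
  if (!isValidChainId(chainId)) {
    return { action: 'error', reason: `bad chain_id: ${String(chainId)}` };
  }
  if (!flags || Object.keys(flags).length === 0) {
    return { action: 'defer', reason: 'empty result' };
  }
  const states = BLOCKING_FLAGS.map((name) => [name, triState(flags[name])]);
  const hit = states.find(([, state]) => state === 'yes');
  if (hit) return { action: 'block', reason: `${hit[0]} is set` };
  const unknown = states.filter(([, s]) => s === 'unknown').map(([n]) => n);
  if (unknown.length > 0) {
    return { action: 'defer', reason: `not analyzed: ${unknown.join(', ')}` };
  }
  return { action: 'allow', reason: 'blocking flags are clear' };
}

// Constructed sample flag objects (not real API output).
const SAMPLES = {
  honeypot: { is_honeypot: '1', cannot_sell_all: '0', buy_tax: '0', sell_tax: '1' },
  fresh: { is_honeypot: null, cannot_sell_all: null },
  clean: { is_honeypot: '0', cannot_sell_all: '0', buy_tax: '0.01', sell_tax: '0.01' },
};

for (const [name, flags] of Object.entries(SAMPLES)) {
  console.log(name, tradeDecision('1', flags));
}
console.log('slug', tradeDecision('ethereum', SAMPLES.clean));
```

A `defer` result is the point at which to fall back to transaction simulation and a visible warning instead of enabling the trade button.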