Hidden Mint — Rug Check Risk Guide
Hidden mint functions — how devs print exit liquidity
What is a hidden mint in crypto?
A hidden mint function is a callable function in a token contract that creates new tokens, disguised as something other than `mint`. Devs rename it to `rebase`, `stake`, `airdrop`, `distribute`, `_update`, or bury it inside another function's logic to evade a casual source scan. When triggered, new tokens appear in the dev wallet and get dumped into the DEX liquidity pool for an instant exit.
Hidden mint is a subtler variant of the "unrestricted mint" pattern: the source code often passes a reviewer's eye because the mint logic is lexically hidden behind ordinary-looking functions. Detection requires analyzing the full call graph for any path that increases the token's `totalSupply` or calls OpenZeppelin's internal `_mint` primitive.
Sharpe's Rug Check does this analysis automatically: we parse the verified source (or decompile the bytecode if unverified), trace all paths that modify balance state, and flag any function callable by non-zero addresses that can mint. A related pattern is the proxy-introduced mint: the shipped implementation has no mint function, but the proxy admin upgrades to an implementation that does.
Frequently Asked Questions
- What is a hidden mint function?
- A function that mints new tokens under a non-obvious name like `rebase`, `stake`, `airdrop`, or `_update`. Devs use it to print unlimited supply and dump into the liquidity pool for an instant exit.
- How do I detect a hidden mint?
- Analyze every function in the contract that modifies `totalSupply` or calls the internal `_mint` primitive. Sharpe's Rug Check traces the full call graph automatically, decompiles bytecode for unverified contracts, and flags any owner-callable path that can create tokens.
How to detect hidden mint risk
- Function named `rebase`, `stake`, or `airdrop` that calls `_mint` internally
- Owner-only function that increments `totalSupply`
- Proxy contract whose implementation changed to include mint logic
- Unverified source — bytecode decompilation reveals a `_mint` call
- Function guarded only by `require(msg.sender == owner)` without renouncement
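The call-graph check described above, narrowed to verified source, as an added example (not Sharpe's Rug Check code or any project's own): it reports externally callable functions whose calls reach a write to `totalSupply` or an inherited `_mint`. The sample contract is constructed, the regex parsing is a simplification that ignores comments, modifiers and inheritance, and `parse_functions` and `mint_paths` are hypothetical names.

```python
import re

# Constructed sample (not a real contract): `rebase` reaches _mint through a helper.
SAMPLE = """
contract Token {
    uint256 private _totalSupply;
    function transfer(address to, uint256 a) public returns (bool) { _move(msg.sender, to, a); return true; }
    function rebase(uint256 epoch) external { require(msg.sender == owner); _sync(epoch); }
    function _sync(uint256 v) internal { _mint(owner, v); }
    function _move(address f, address t, uint256 a) internal { _balances[f] -= a; _balances[t] += a; }
    function _mint(address to, uint256 a) internal { _totalSupply += a; _balances[to] += a; }
}
"""
FUNC = re.compile(r"function\s+(\w+)\s*\([^)]*\)([^{;]*)\{")
SUPPLY_WRITE = re.compile(r"\b_?totalSupply\s*(?:\+=|=(?!=))")  # increase or assignment
CALL = re.compile(r"\b(\w+)\s*\(")

def parse_functions(src):
    """Return {name: (visibility, body)}; bodies are found by brace matching."""
    funcs = {}
    for m in FUNC.finditer(src):
        depth, i = 1, m.end()
        while depth and i < len(src):
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        vis = re.search(r"\b(external|public|internal|private)\b", m.group(2))
        funcs[m.group(1)] = (vis.group(1) if vis else "public", src[m.end():i - 1])
    return funcs

def mint_paths(src):
    """Map each externally callable function to a call path that ends in a mint."""
    funcs = parse_functions(src)
    def is_sink(body):  # writes supply, or calls an inherited (not locally defined) _mint
        return bool(SUPPLY_WRITE.search(body)) or ("_mint" not in funcs and "_mint" in CALL.findall(body))
    findings = {}
    for name, (vis, _) in funcs.items():
        stack, seen = ([[name]] if vis in ("external", "public") else []), set()
        while stack:
            path = stack.pop()
            if path[-1] in seen:
                continue
            seen.add(path[-1])
            body = funcs[path[-1]][1]
            if is_sink(body):
                findings[name] = path
                break
            stack.extend(path + [c] for c in sorted(set(CALL.findall(body))) if c in funcs)
    return findings
```

A hit is a lead for manual review, not a verdict: a capped, disclosed mint is reported the same way as a disguised one.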
Historical hidden mint incidents
- Multiple 2024 rugs where a `rebase` function minted 1000x the supply into the dev wallet
- Pepe imitators with hidden `distribute` functions called before exit dumps

