June 26, 2026 · 7 min read

How to Check If an XRPL Token Is Safe Before Trusting It

Someone Lost Funds to a Fake XRPL Token Last Week

It happens regularly. A token gets promoted in a Discord server or Telegram group. Someone sets a trust line, buys in, and the issuer either drains liquidity or freezes every holder's balance. The token was never audited. The issuer was anonymous. There were no red flags anyone knew to look for.

XRPL makes it extremely easy to create and issue tokens. That's a feature, not a flaw. But it means the barrier to launching a scam token is just as low. If you're new to XRPL, the safety checks you'd apply on Ethereum don't map cleanly here. The mechanics are different.

This guide walks you through exactly what to check before you trust any token on XRPL.

Understand What a Trust Line Actually Does

On XRPL, you can't receive a token unless you explicitly set a trust line to the issuer. This is a deliberate design choice. It prevents spam tokens from being dumped into your wallet without consent.

When you set a trust line, you're telling the network: "I'm willing to hold tokens issued by this specific address." You set a limit on how much you're willing to hold. Once that line is set, the issuer can send you tokens up to that limit.

The risk isn't in the trust line itself. The risk is in who you're trusting. Before you set one, you need to know what that issuer can and can't do to your balance.

Check Whether the Issuer Has Freeze Authority

This is the most important check. XRPL issuers can freeze individual trust lines by default. If an issuer freezes your trust line, you can't send those tokens anywhere. Your balance is locked.

Issuers can also use Global Freeze, which locks all trust lines to that issuer at once. This is meant as a compliance tool, but it's also a mechanism that can be abused.

The only way to verify an issuer has given up this power is to check whether they've set the NoFreeze flag on their account. Once NoFreeze is enabled, the issuer permanently loses the ability to freeze any trust line. It cannot be reversed.

How to check: look up the issuer's account on an XRPL explorer like XRPL.org or Bithomp. Under account flags, look for lsfNoFreeze. If it's not there, the issuer retains freeze authority.

If a token project is serious about being trustworthy, they will have enabled this flag. If they haven't, ask why.

Look at the Issuer's Account Flags in Full

Freezing isn't the only flag that matters. A few others tell you a lot about how the issuer has set up their account.

RequireAuth: If this flag is set, the issuer must manually authorize each trust line before it becomes active. This can be a legitimate compliance feature for regulated assets, but it also means the issuer controls who can hold the token at all.

DefaultRipple: This flag affects how balances ripple through trust lines. Most token issuers enable it. If it's disabled unexpectedly, it can affect how the token moves through the DEX.

DepositAuth: Prevents the account from receiving payments unless it has pre-authorized the sender. Less common for token issuers, but worth noting if present.

None of these flags is a red flag on its own. Context matters. The point is to know what they mean before you trust the issuer.

Check the Token Supply and Distribution

XRPL doesn't have smart contracts enforcing token supply caps. The issuer controls supply entirely. They can mint more tokens whenever they want, unless they've taken steps to prevent it.

The main check here is whether the issuer has blackholed their account. A blackholed issuer account has its master key disabled and no other signing methods configured. Once an account is blackholed, no one, including the original issuer, can sign transactions from it. They can't mint more tokens, change flags, or freeze anyone.

To verify this, check the issuer's account for:

  • lsfDisableMaster flag set to true
  • No regular key set
  • No signers in a multisig list

If all three are true, the account is effectively frozen in place. The token supply is fixed. This is the gold standard for decentralized XRPL tokens.

If the issuer's account is fully operational, they can inflate supply at any time.
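
The flag, freeze and blackhole checks from the sections above, as an added Python example that is not part of the original article. It assumes an AccountRoot object shaped like the `account_data` returned by the `account_info` API with signer lists requested; the sample accounts are constructed, and beyond the three bullet points it also treats a regular key set to one of the ledger's well-known keyless addresses as unusable.

```python
# AccountRoot ledger flags (lsf*) and their bit values on the XRP Ledger.
LSF = {
    "lsfRequireAuth": 0x00040000,
    "lsfDisableMaster": 0x00100000,
    "lsfNoFreeze": 0x00200000,
    "lsfGlobalFreeze": 0x00400000,
    "lsfDefaultRipple": 0x00800000,
    "lsfDepositAuth": 0x01000000,
}
# Well-known addresses for which nobody holds a key; a regular key set to
# one of these cannot sign anything.
UNUSABLE_KEYS = {"rrrrrrrrrrrrrrrrrrrrrhoLvTp", "rrrrrrrrrrrrrrrrrrrrBZbvji"}


def audit_issuer(account_data, signer_lists=()):
    """Report freeze and signing authority from an AccountRoot object."""
    bits = account_data.get("Flags", 0)
    flags = {name for name, bit in LSF.items() if bits & bit}
    regular_key = account_data.get("RegularKey")
    has_signers = any(sl.get("SignerEntries") for sl in signer_lists)
    blackholed = (
        "lsfDisableMaster" in flags
        and (regular_key is None or regular_key in UNUSABLE_KEYS)
        and not has_signers
    )
    return {
        "flags": sorted(flags),
        "blackholed": blackholed,
        # An account nobody can sign for cannot submit a freeze either.
        "retains_freeze_authority": "lsfNoFreeze" not in flags and not blackholed,
        "global_freeze_active": "lsfGlobalFreeze" in flags,
        "can_mint": not blackholed,
    }


# Constructed samples, not real accounts.
OPEN_ISSUER = {"Flags": 0x00800000}  # DefaultRipple only
BLACKHOLED_ISSUER = {"Flags": 0x00B00000, "RegularKey": "rrrrrrrrrrrrrrrrrrrrBZbvji"}
MULTISIG_ISSUER = {"Flags": 0x00B00000}  # master disabled, but signers remain
MULTISIG_SIGNERS = [{"SignerQuorum": 2, "SignerEntries": [
    {"SignerEntry": {"Account": "rSIGNER_PLACEHOLDER_1", "SignerWeight": 1}},
    {"SignerEntry": {"Account": "rSIGNER_PLACEHOLDER_2", "SignerWeight": 1}},
]}]

if __name__ == "__main__":
    print(audit_issuer(OPEN_ISSUER))
    print(audit_issuer(BLACKHOLED_ISSUER))
    print(audit_issuer(MULTISIG_ISSUER, MULTISIG_SIGNERS))
```

The third sample shows why the flag alone is not enough: lsfDisableMaster and lsfNoFreeze are both set, yet a signer list still lets the issuer mint.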

Look at the Liquidity Pool or Order Book

A token with no real liquidity is a warning sign. Check the XRPL DEX for active offers or AMM pools for the token pair.

Thin order books aren't always malicious. Early-stage projects often have low liquidity. But if someone is promoting a token heavily while the order book has only a few offers all placed by the same account, that's a different situation.

Check who placed the orders. If the issuer is also the sole liquidity provider and market maker, they can pull that liquidity instantly. You'd be left holding tokens you can't sell.
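
One way to quantify who is behind the bids you would sell into, as an added Python example that is not from the original article. It assumes offers shaped like the `offers` array of a `book_offers` API response, covers order-book offers only (not AMM pools), and uses constructed sample data with placeholder addresses and a hypothetical currency code `FOO`.

```python
from collections import defaultdict


def exit_liquidity(offers, currency, issuer):
    """XRP (in drops) bid for the token, summed per offer owner.

    Only offers that buy the token with XRP count: TakerPays is the token
    object and TakerGets is a string of drops.
    """
    per_maker = defaultdict(int)
    for offer in offers:
        pays = offer.get("TakerPays")
        if not isinstance(pays, dict):
            continue  # owner is selling the token, not buying it
        if (pays.get("currency"), pays.get("issuer")) != (currency, issuer):
            continue
        # Partially funded offers carry taker_gets_funded: the amount the
        # owner can actually deliver, which may be far below the quoted size.
        gets = offer.get("taker_gets_funded", offer.get("TakerGets"))
        if isinstance(gets, str):
            per_maker[offer["Account"]] += int(gets)
    return dict(per_maker)


def concentration(per_maker, issuer):
    """Summarise how much of the bid side depends on one account."""
    total = sum(per_maker.values())
    if total == 0:
        return {"total_drops": 0, "makers": 0, "top_share": None, "issuer_share": None}
    return {
        "total_drops": total,
        "makers": sum(1 for v in per_maker.values() if v > 0),
        "top_share": max(per_maker.values()) / total,
        "issuer_share": per_maker.get(issuer, 0) / total,
    }


# Constructed sample data.
TOKEN = ("FOO", "rISSUER_PLACEHOLDER")
FOO = {"currency": "FOO", "issuer": "rISSUER_PLACEHOLDER"}
SAMPLE_OFFERS = [
    {"Account": "rISSUER_PLACEHOLDER", "TakerGets": "900000000",
     "TakerPays": {**FOO, "value": "9000"}},
    {"Account": "rMAKER_PLACEHOLDER", "TakerGets": "500000000",
     "taker_gets_funded": "100000000", "TakerPays": {**FOO, "value": "5000"}},
    # Sell-side offer (owner gives the token): not exit liquidity, ignored.
    {"Account": "rISSUER_PLACEHOLDER", "TakerPays": "100000000",
     "TakerGets": {**FOO, "value": "1000"}},
]
```

On the sample book, `concentration(exit_liquidity(SAMPLE_OFFERS, *TOKEN), TOKEN[1])` reports two makers, but 90% of the funded bids belong to the issuer.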

Verify the Token Metadata

XRPL tokens are identified by a currency code and an issuer address. The currency code alone means nothing. Any issuer can create a token with the ticker "USD" or "BTC". The issuer address is what makes the token unique.

Always verify you have the correct issuer address. Cross-reference it against the project's official website and any listing it appears on. A single character difference in an address means you're trusting a completely different entity.

Some tokens register metadata through the XRPL Foundation's token list or similar registries. Verified listings add a layer of confidence, but they're not a substitute for doing your own checks.

How Rhyzlo Fits Into This

Manually checking account flags, supply mechanics, and liquidity depth across multiple explorers takes time. Rhyzlo aggregates these trust signals into a single view for XRPL tokens and issuers. You can see whether NoFreeze is set, whether the issuer account is blackholed, and other key indicators without needing to decode raw account data yourself.

For users who are evaluating tokens regularly or managing exposure across multiple assets, having that information consolidated in one place reduces the chance of missing something important.

A Simple Checklist Before Setting Any Trust Line

Before you trust a new XRPL token, run through these checks:

  1. Is lsfNoFreeze set on the issuer account? If not, they can freeze your balance.
  2. Is the issuer account blackholed? If not, they can mint unlimited tokens.
  3. Does the issuer use RequireAuth? If so, understand why.
  4. Is there real liquidity on the DEX, or just a few issuer-placed orders?
  5. Have you verified the exact issuer address against official sources?
  6. Is the token listed anywhere with verified metadata?

None of these checks guarantee a token is safe. But they filter out the most common mechanisms used in XRPL token fraud.

Do the Work Before You Trust, Not After

XRPL's trust line model puts the decision in your hands. That's powerful. It also means the due diligence is your responsibility.

The checks above take less than ten minutes once you know where to look. Most people who lose funds to bad XRPL tokens skipped them entirely, not because the information wasn't available, but because they didn't know what to look for.

Now you do.

Check token trust signals and issuer flags before you commit at rhyzlo.com.
