npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@aetherbytes/hoodwatch

v0.1.11

Published

Real-data memecoin auditor & rug/bundle/honeypot scanner for Robinhood Chain (chain 4663). Powers the Hoodwatch Rig on Rokha. Ships a prebuilt Rust binary — no toolchain needed.

Readme

Hoodwatch 🏹

Real-data memecoin auditor & rug/bundle/honeypot scanner for Robinhood Chain (chain id 4663).

Hoodwatch is the audit engine behind the Hoodwatch Rig on Rokha. It reads live on-chain data — the Robinhood Chain RPC, the Blockscout API, and DexScreener — and returns a structured risk report for any token on the chain. No mock data. No third-party audit API (GoPlus and Honeypot.is don't support chain 4663, so Hoodwatch runs its own sell-simulation locally).

Written in Rust (alloy + reqwest), shipped as a single ~2.7 MB static binary — no toolchain, no runtime deps. That's the reason it's Rust: the binary drops straight into the Rokha sandbox (or any host) with nothing to install and starts instantly.

Install / run

# The Rokha sandbox path — public npm wrapper ships the prebuilt binary, no toolchain:
npx -y @aetherbytes/hoodwatch audit 0x8e62F281f282686fCa6dCB39288069a93fC23F1c

# Rust devs:
cargo install hoodwatch
hoodwatch audit <0xTOKEN> --json

# Build from source:
git clone https://github.com/aetherBytes/hoodwatch && cd hoodwatch && cargo build --release

Use it as a library too: hoodwatch = "0.1" then hoodwatch::audit_token(&client, addr, opts, now_ms, ts).await.

The original TypeScript engine is archived under legacy-ts/ — the Rust engine is canonical and has full parity (plus a more correct honeypot delta measurement).

Why it exists

Robinhood Chain went to mainnet on 2026-07-01 and the memecoin meta exploded (~6,700 tokens/day on the Noxa launchpad). Honeypots and rug pulls arrived with it, and no purpose-built scanner existed for the chain. Hoodwatch is the early mover.

Commands

| Command | What it does | |---|---| | hoodwatch audit <address> | Full audit of one token (human-readable). Add --json for machine output, --md for a Markdown report, --fast to skip the slower bundle/cluster/copycat passes, --deep to widen the cluster nets (more holder pages, more funder lookups, deeper hops). | | hoodwatch tweet <address> | Emit the ≤280-char X post for a token (used by the Watcher Rig). | | hoodwatch scan [--since <block>] | List recent launchpad launches — both eras (legacy Noxa Launched events + current V4 Initialize events). --json for machine output. | | hoodwatch watch [--since <block>] [--limit N] | Audit each recent launch in a batch (JSON). Add --out <dir> to save a .md + .json report per token. | | hoodwatch serve [--port N] [--out <dir>] | Launch the live dashboard (default port 4663): run audits from the browser, watch new launches, and browse the saved reports. |

Two launch eras (both supported)

The chain's memecoin plumbing MOVED (~2026-07, verified live 2026-07-13) — third-party contracts drift, so Hoodwatch supports both eras and re-verifies its assumptions against the live chain:

| | Era 1 — Noxa (legacy, DEAD for new launches) | Era 2 — current launchpad | |---|---|---| | Launchpad | 0xD9eC…FCcB, verified, emits Launched | 0xF193…7964, unverified, emits NO events | | Token deploy | factory-created | CREATE2 — the full token bytecode rides the launch calldata (arbitrary per token) | | Launch distribution | curve/pool seeded by factory | mint → ~77% burn → creator cut (observed 22%) → optional mass airdrop (observed ~140 wallets), all in the creation tx | | DEX | Uniswap V3 per-pool contracts | Uniswap V4 singleton PoolManager (0x8366…0951); pools are poolId-keyed (native ETH / token, fee 10000, tickSpacing 200, no hooks); pool initialized by the creator via the PositionManager | | Launch signal | factory Launched event | V4 Initialize on the PoolManager (the launchpad itself is event-silent) | | Swap decoding | V3 Swap, pool-perspective signs (buy = amount1 < 0) | V4 Swap, swapper-delta signs (buy = token-side amount > 0) | | LP lock | position NFT verified inside the Noxa locker | NO locker exists. The creator holds the position NFT and the launchpad ships a one-call withdraw (0xa0f7978d) that pulls the LP — the DEFAULT state is pullable. Hoodwatch replays the pool's ModifyLiquidity ledger: net-zero ⇒ LP PULLED (hard-fail), NFT in a burn address ⇒ verified locked, otherwise an honest owner-held / pullable warning. Never a false "LP locked". |

The last successful Noxa launch was ~block 6,880,646; every later launchToken call reverts. Era-1 tokens still audit through the legacy path.

What it checks (all real, all on-chain)

  • Contract security — verified source, upgradeable proxy, self-destruct, owner renounced, and a static scan of the verified source/ABI for mint / blacklist / pause / fee-setter / max-tx functions.
  • Sell simulation (the moat) — a self-hosted honeypot test via eth_call state overrides + Multicall3: detects the ERC-20 balance slot, synthetically funds a caller, and simulates a transfer toward the live LP pool. A revert ⇒ sell blocked (honeypot); received < sent ⇒ fee-on-transfer tax. GoPlus/Honeypot.is can't do this on chain 4663 — Hoodwatch can.
  • Holder distribution — top-10 concentration with LP pools, lockers, burn addresses, AND protocol reserves (the V4 PoolManager custodies every v4 pool's tokens; the launchpad's router float) excluded; single-whale detection.
  • Launch bundle / snipers — anchors the snipe window on the pool's first Swap (anti-snipe trading delays are detected and reported), resolves the real buyers (tx sender — never the router; unattributed buys are reported as coverage, so sniping figures are honest floors), and reports % of supply sniped, % the snipers still hold, same-block bundles, and fresh-wallet ratio. Works on both pool types (V3 per-pool events / V4 singleton poolId events); the era-2 window is ~30 s of blocks (the chain mints ~10 blocks/s).
  • Launch allocation (era 2) — decodes the creation tx's own Transfer logs: creator cut, burn tranche, pool seed, and the pre-trading mass airdrop (allocations the swap window can never see).
  • Wallet clustering (the anti-evasion layer) — builds a funding/transfer graph over {top holders ∪ launch snipers ∪ deployer}: each wallet's first funder (regular + internal txs, so disperse-style funding contracts count), direct token transfers between scoped wallets, and same-block adjacent-index co-buys. Union-find on weighted evidence (transfer 1.0 · shared funder 0.8 · same-block 0.5; union at ≥1.0) merges wallets into entities; CEX/bridge/hub stop-nodes (Blockscout metadata labels + a degree heuristic) are never merged through, dust transfers can't forge links, and coverage is reported honestly (full/partial/unavailable). Yields effective_concentration (raw vs clustered top-10), cluster_dominance, deployer_funded_snipers, and insider_holders flags — and an interactive bubblemap in the HTML report.
  • LP lock / liquidity-state verification — era 1: the Uniswap v3 position NFT must actually sit in the Noxa locker. Era 2: the pool's ModifyLiquidity ledger is replayed — LP PULLED (net-zero liquidity, the launchpad-assisted rug) hard-fails the score, a burned position NFT is a verified lock, and the default creator-held position gets an explicit pullable warning. Lookup failure ⇒ an honest "unverifiable", never a lying Good.
  • Liquidity — total liquidity, liquidity-vs-FDV ratio, pair age, socials presence (DexScreener).
  • Deployer — real dev EOA (the Launched event topic in era 1; the pool-Initialize tx sender in era 2 — the explorer's contract creator is the factory either way), wallet age, explorer scam label, and serial-launch history (factory logs in era 1; the deployer's launch-selector txs to the launchpad in era 2, floor-honest when paginated).
  • Copycats — same-symbol impersonator tokens elsewhere on the chain.

Findings fold into a 0-100 score (deduction model with hard-fail caps: honeypot or unverified/self-destructed caps the score) and a verdictAVOID / HIGH_RISK / CAUTION / FAIR / LOW_RISK.

Chain facts (era-1 addresses verified live 2026-07-10; era-2 verified live 2026-07-13)

| | | |---|---| | Chain id | 4663 | | Stack | Arbitrum Nitro (Orbit "Dedicated Blockchain"), settles to Ethereum L1 | | RPC | https://rpc.mainnet.chain.robinhood.com (supports eth_call state overrides; no debug_traceCall) | | Explorer | https://robinhoodchain.blockscout.com (Blockscout API v2, no auth) | | Market data | DexScreener, chain slug robinhood | | Noxa launch factory (era 1, dead ~block 6.88M) | 0xD9eC2db5f3D1b236843925949fe5bd8a3836FCcB | | Launchpad (era 2, unverified, event-silent) | 0xF193EDe778a92dc37CB450A1eF1565Ed1e8b7964 (from block 7,481,853; selectors: launch 0x68e79a41, buy 0xc1120e3d/0xf3f77a0e, LP withdraw 0xa0f7978d) | | Uniswap V4 PoolManager (singleton) | 0x8366a39CC670B4001A1121B8F6A443A643e40951 (from block 9,070) | | Uniswap V4 PositionManager | 0x58daEC3116AAe6d93017BAaeA7749052E8a04FA7 (ModifyLiquidity.salt == position NFT id) | | Uniswap v3 factory | 0x1f7d7550B1b028f7571E69A784071F0205FD2EfA | | WETH | 0x0Bd7D308f8E1639FAb988df18A8011f41EAcAD73 |

Override the RPC/explorer via HOODWATCH_RPC_URL / HOODWATCH_BLOCKSCOUT; HOODWATCH_OUT sets the default report directory and HOODWATCH_PORT the dashboard port.

For agents

Every command supports --json and returns the same AuditResult shape the library exports. The report is deterministic and self-describing (score, verdict, flags[] with machine ids + severities, and per-section detail under sections). Use audit --json for a single token, scan --json to enumerate new launches, watch --json to batch-audit them. Each AuditResult also carries a rokhaUrl deep link (https://rokha.ai/?app=hoodwatch&token=<addr>) that opens the same audit in Rokha's APP view — act on the JSON, hand a human the UI.

Known limitations (honest)

  • Sell simulation tests a transfer toward the pool, not a full router swap — catches transfer-blocking, blacklist-all, and fee-on-transfer honeypots; a full buy→sell swap sim is a documented v2.
  • Same-block bundles are reported as suspected — the EVM has no Jito-style bundle oracle, so same-block + adjacent tx index + common funder is the strongest available signal, never proof.
  • Cluster coverage is budget-bounded (funder lookups, transfer-scan windows) and says so: a partial scope means the numbers are floors, not a clean bill.
  • No external cross-chain reputation feed — deployer history covers this chain's launchpads only.
  • Era-2 LP is pullable by design unless the position NFT is burned — a "not pulled yet" state is not safety, and DexScreener liquidity/volume can trail a pull by hours (Hoodwatch reads the chain, not the aggregator, for the verdict).
  • The era-2 launchpad is unverified and every token's bytecode is caller-supplied — the contract scan and sell-sim are the only defenses against per-token custom logic.
  • These third-party contracts MOVE. The Noxa era ended silently (its factory reverts every launch while the chain stays busy) — if scan goes quiet while DexScreener shows fresh pairs, re-verify the addresses in src/config.rs against the live chain before trusting any "no launches" answer.

Not financial advice

Hoodwatch surfaces on-chain risk signals. It cannot prove a token is safe. Always do your own research.

MIT © aetherBytes