Disclaimer

Last updated: 12 May 2026

Read this carefully before you submit a scan, read a report, or rely on any output of xcactus Scan. By using xcactus Scan or any report it generates, you confirm that you have read, understood, and accepted the disclaimers below, in addition to the Terms of Use and the Privacy Policy.

What xcactus Scan is

xcactus Scan is an automated, AI-assisted, point-in-time transparency screening tool for ERC-20 tokens and similar smart contracts on EVM-compatible blockchains. You submit a contract address and a network; the tool inspects public on-chain evidence (bytecode, source verification, ownership, access control, proxy structure, holder distribution, DEX liquidity, fund flow, and outputs of third-party static analysers such as Slither, Mythril, Aderyn, and Semgrep); a PDF report is generated and emailed to you.

The reports describe what is publicly observable at the moment of the scan. Nothing more.

What xcactus Scan is not

xcactus Scan is not a security audit. It is an automated technical transparency report based on public evidence. It does not perform manual code review, formal verification, threat modelling, fuzz testing, exploit simulation, business-logic analysis, or any other form of assurance engagement. References in the report to tools such as Slither, Mythril, Aderyn, or Semgrep do not change this. If you need a security audit, commission a Tier 2 / Tier 3 engagement separately - email scan@xcactus.com for an introduction.

xcactus Scan is not investment, financial, legal, tax, regulatory, or accounting advice. It is informational only. No part of the Service, no report, and no verdict label constitutes (a) an "investment recommendation" within the meaning of art. 3(1)(34)-(35) of Regulation (EU) 596/2014 (Market Abuse Regulation) or Commission Delegated Regulation (EU) 2016/958, or (b) any other regulated financial service.

xcactus Scan is not a MiCA-regulated deliverable. xcactus is not a Crypto-Asset Service Provider (CASP) under Regulation (EU) 2023/1114 (MiCA); the Service is not a crypto-asset service; no report is a MiCA white paper or any other MiCA-regulated document.

xcactus Scan is not a guarantee. We do not represent or warrant that any token, contract, project, team, or platform is safe, secure, lawful, legitimate, solvent, non-fraudulent, free of vulnerabilities, free of malicious code, free of admin abuse, MiCA-compliant, registered, audited, accurately described, or suitable for any purpose.

xcactus Scan is not a recommendation. The Service does not recommend buying, selling, holding, staking, providing liquidity for, bridging, voting on, listing, delisting, integrating, or avoiding any token, project, protocol, contract, wallet, or platform.

Verdict labels are not ratings

Every report contains two verdict labels:

  • A subject verdict - one of HIGH / MIXED / LIMITED / LOW / INSUFFICIENT.
  • An analysis verdict - one of COMPLETE / PARTIAL / SPARSE / INSUFFICIENT.

These labels describe only the transparency surface of public data observable at scan time. They are not ratings of security, quality, creditworthiness, investment merit, regulatory status, or legitimacy. They do not rank the subject token against any population of other tokens. They are not "buy / hold / sell" signals.

A "HIGH" subject verdict means: enough public evidence was available to evaluate every applicable transparency axis, and no axis hard-failed. It does not mean the token is good, safe, profitable, or worth buying. A "LOW" subject verdict means: at least one transparency axis hard-failed at scan time. It does not mean the token is fraudulent, malicious, or worth avoiding.

Similarly, per-finding severity labels (Critical / High / Medium / Low / Info) describe the technical exposure of an individual finding within the report. They are derived from a CVSS-inspired matrix run automatically by the pipeline. They are not, and must not be presented as, an opinion of a qualified security auditor.

xcactus reserves the right to rename, revise, or methodologically update any verdict label at any time, without affecting reports already issued.

Scope limitations you accept

By using a report, you acknowledge that:

  • Holder analysis is window-bounded. The pipeline inspects up to a capped number of holder addresses; conclusions about distribution are method-bounded, not population-bounded.
  • Fund-flow analysis is hop-1 only, unless a particular report expressly states otherwise.
  • For proxy contracts, analysis of the proxy stub may differ materially from analysis of the implementation contract, and the implementation may be replaced by privileged actors after the scan.
  • Static analysers detect known patterns only. A result of "0 findings" does not mean the contract is secure or safe.
  • Third-party data sources (block explorers, RPC providers, DEX aggregators, indexers, sanctions lists, allowlists) may be incomplete, delayed, inaccurate, or manipulated. xcactus is not responsible for their content or availability.
  • AI-generated narrative in a report may contain errors, omissions, or hallucinations. It is generated automatically and is not reviewed by a human auditor before delivery. It must not be relied upon as a sole source of truth.
  • Reports are point-in-time. Subsequent on-chain changes - including upgrades, ownership transfers, role grants or revocations, liquidity additions or removals, mints or burns, exploit events, regulatory action, listings, or delistings - are out of scope. xcactus has no duty to update, supplement, withdraw, or republish any report.
  • Off-chain risks are out of scope. Private-key custody, deployment supply-chain compromise, compromised front-ends, oracle manipulation, governance capture, rug-pull intent, team integrity, and any matter not directly observable on-chain are not addressed.

Third-party brand references

Reports may reference third-party projects, protocols, tools, exchanges, or wallets - for example USDC, USDT, SHIB, Uniswap, Curve, Balancer, ShibaSwap, Gnosis Safe, Etherscan, Slither, Mythril, Aderyn, Semgrep, Moralis, Dexscreener. These references are derived from on-chain metadata, the scanned token's interactions, or industry-standard allowlists. They are factual identifications only. They do not imply any relationship, sponsorship, endorsement, affiliation, partnership, integration, or approval between xcactus and the referenced third party, nor between you and the referenced third party. All such marks remain the property of their respective owners.

No relationship; no duty of care to third parties

Using xcactus Scan does not create an attorney-client, advisor-client, broker-client, fiduciary, agency, or similar relationship between you and xcactus. xcactus is not retained by the issuer or team of any token referenced in a report unless a separate written engagement is signed.

xcactus owes no duty of care to any third party who obtains or sees a report and is not the original recipient who submitted the scan. If you share a report with someone else, that person reads it at their own risk and without any claim against xcactus.

You are responsible for your own decisions

You are solely responsible for any decision, action, or omission you undertake on the basis of xcactus Scan, any report, or any verdict label. You must perform your own independent due diligence and obtain qualified legal, tax, financial, and security advice where appropriate.

Restricted jurisdictions

xcactus Scan is not offered to any person located in, ordinarily resident in, or accessing the Service from Iran, North Korea, Cuba, Syria, the Russian Federation, Belarus, or the Crimea, Donetsk, Luhansk, Zaporizhzhia or Kherson regions of Ukraine, or any other territory subject to comprehensive sanctions of OFAC, the EU, the UK, or the UN. See Section 4 of the Terms of Use for full sanctions terms.

Mandatory consumer rights preserved

Nothing in this Disclaimer limits or excludes any mandatory right of a Consumer that cannot be excluded under the law of the Consumer's habitual residence (art. 6 Rome I), nor any liability that cannot be excluded under Polish law - in particular liability for damage caused intentionally (art. 473 § 2 of the Polish Civil Code). The full liability framework is set out in Section 11 of the Terms of Use.

Operator

xcactus spółka z ograniczoną odpowiedzialnością spółka komandytowa, Plac Andersa 7, 61-894 Poznań, Poland · KRS 0000302560 · NIP 9721177609 · REGON 300808810 · Contact: scan@xcactus.com