DeFi moves fast. New tokens launch every hour, and scammers have become increasingly sophisticated at mimicking legitimate projects. This checklist gives you a systematic framework for evaluating any token before investing — covering on-chain data, team verification, community signals, and smart contract security.
The 10-Point DeFi Security Checklist
1. Smart Contract Audit (Critical)
Verify that the project has a third-party audit from a reputable firm (CertiK, Hacken, Trail of Bits, OpenZeppelin, PeckShield). Check that all Critical and High findings are resolved. Confirm the audit was conducted on the deployed contract version, not a pre-deployment draft.
2. Verified Source Code (Critical)
The contract must be verified on Etherscan, BSCScan, or the relevant block explorer. Unverified contracts cannot be independently reviewed against their audit and should be treated as high risk. Check that the verified code matches the audit report's scope.
3. Liquidity Lock Status (Critical)
LP tokens must be locked for a minimum of 6 months (12+ months preferred) on a reputable locker like Unicrypt, Team.Finance, or PinkLock. Unlocked liquidity means the developer can drain the pool at any time.
4. Token Distribution
Check the top 10 holders on Etherscan. No single wallet (excluding the liquidity pool and burn address) should hold more than 10% of the supply. High concentration enables price manipulation and insider dumping.
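The concentration rule above is easy to get wrong by hand if the liquidity pair or the burn address is left in the denominator. The script below is an added example (not from the checklist's author) that applies the rule to a top-holders snapshot: the holder list, the total supply and the placeholder addresses are all constructed, and the LP address is passed in explicitly because a block explorer labels it but the raw data does not.

```python
"""Holder-concentration check for a top-holders snapshot.

Added example: the holder data and addresses below are constructed
placeholders, not real on-chain data. The rule applied is the checklist's:
excluding the liquidity pool and the burn address, no single wallet should
hold more than 10% of the supply.
"""
from dataclasses import dataclass

# Conventional burn addresses (the zero address and the 0x...dead address).
BURN_ADDRESSES = {
    "0x0000000000000000000000000000000000000000",
    "0x000000000000000000000000000000000000dead",
}


@dataclass(frozen=True)
class Holder:
    address: str
    balance: int  # raw token units, as an explorer's holders tab reports them


def concentration_report(holders, total_supply, lp_addresses, threshold=0.10):
    """Return (circulating_supply, flagged) where flagged lists (address, share)
    for every wallet whose share of circulating supply exceeds `threshold`.

    LP and burn balances are removed from the denominator as well as the
    candidate set, so tokens nobody can dump do not distort the percentages.
    """
    excluded = {a.lower() for a in lp_addresses} | BURN_ADDRESSES
    excluded_balance = sum(h.balance for h in holders if h.address.lower() in excluded)
    circulating = total_supply - excluded_balance
    if circulating <= 0:
        raise ValueError("excluded balances exceed total supply; check the snapshot")

    flagged = []
    for h in holders:
        if h.address.lower() in excluded:
            continue
        share = h.balance / circulating
        if share > threshold:
            flagged.append((h.address, round(share, 4)))
    return circulating, flagged


# Constructed snapshot: 1,000,000 total supply, 300k in the LP pair,
# 200k burned, and three ordinary wallets.
SAMPLE_TOTAL_SUPPLY = 1_000_000
SAMPLE_LP = "0xLP00000000000000000000000000000000000001"  # placeholder pair address
SAMPLE_HOLDERS = [
    Holder(SAMPLE_LP, 300_000),
    Holder("0x000000000000000000000000000000000000dead", 200_000),
    Holder("0xA100000000000000000000000000000000000001", 80_000),  # 16% of circulating
    Holder("0xB200000000000000000000000000000000000002", 40_000),  # 8%
    Holder("0xC300000000000000000000000000000000000003", 30_000),  # 6%
]


def run_sample():
    return concentration_report(SAMPLE_HOLDERS, SAMPLE_TOTAL_SUPPLY, [SAMPLE_LP])


if __name__ == "__main__":
    circulating, flagged = run_sample()
    print(f"circulating supply: {circulating}")
    for address, share in flagged:
        print(f"FLAG {address} holds {share:.1%} of circulating supply")
```

With the constructed data the circulating supply is 500,000, and only the first ordinary wallet is flagged (16%); measured against total supply instead it would have shown as a harmless 8%, which is exactly the error the exclusion rule prevents.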
5. Team Identity and Track Record
Verify the team's identities through LinkedIn, GitHub, and past projects. Anonymous teams are not automatically scams, but they carry higher risk. Search for the team's previous projects — repeat ruggers often reuse wallet addresses and social media patterns.
6. Vesting Schedule
Team and investor tokens should have a vesting schedule with a cliff period (typically 6–12 months) and gradual release. Immediate access to large token allocations creates strong sell pressure and rug pull incentives.
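To see what a cliff plus gradual release actually does to sell pressure, the following added example (not the checklist author's code) models a cliff-then-linear schedule and sums how many tokens are liquid at a given moment across several allocations. The schedule shape (nothing before the cliff, the accrued proportion unlocking at the cliff, linear release afterwards) is an assumption chosen for illustration; real contracts vary, so read the vesting contract for the exact curve. The allocations and dates are constructed.

```python
"""Cliff-then-linear vesting model for estimating liquid supply over time.

Added example with constructed allocations. Schedule shape is an assumption:
0 released before start + cliff, then allocation * elapsed / duration,
capped at the full allocation once start + duration has passed.
"""
from dataclasses import dataclass

MONTH = 30 * 24 * 3600  # 30-day month in seconds, for readable sample dates


@dataclass(frozen=True)
class Allocation:
    name: str
    tokens: int
    start: int     # unix seconds when vesting starts (e.g. listing time)
    cliff: int     # seconds before the first release
    duration: int  # total seconds until fully released (>= cliff)


def vested_amount(alloc, now):
    """Tokens released from `alloc` at time `now` under the assumed schedule."""
    if alloc.cliff > alloc.duration:
        raise ValueError(f"{alloc.name}: cliff longer than duration")
    if now < alloc.start + alloc.cliff:
        return 0
    if now >= alloc.start + alloc.duration:
        return alloc.tokens
    # Integer arithmetic, as an on-chain contract would do it.
    return alloc.tokens * (now - alloc.start) // alloc.duration


def liquid_supply(allocations, now):
    """Sum of released tokens across all allocations at time `now`."""
    return sum(vested_amount(a, now) for a in allocations)


# Constructed schedules: listing at t=0. Team has a 6-month cliff and
# 24-month linear release; advisors get everything at listing.
LISTING = 0
SAMPLE_ALLOCATIONS = [
    Allocation("team", 200_000, LISTING, cliff=6 * MONTH, duration=24 * MONTH),
    Allocation("advisors", 50_000, LISTING, cliff=0, duration=0),  # no vesting at all
]


def liquid_at_months(months):
    return liquid_supply(SAMPLE_ALLOCATIONS, LISTING + months * MONTH)


if __name__ == "__main__":
    for m in (0, 5, 6, 12, 24):
        print(f"month {m:>2}: {liquid_at_months(m):>8} tokens liquid")
```

At listing only the unvested advisor allocation (50,000) is liquid; the team's 200,000 stays at zero through month 5, unlocks 50,000 at the six-month cliff, and is fully released by month 24. An allocation with cliff=0 and duration=0 is the "immediate access" case the checklist warns about.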
7. Trading Volume Authenticity
Analyze trading volume on DEXTools or DexScreener. Look for round-number trades, same-wallet buy/sell patterns, and volume spikes with no news catalyst. Wash trading inflates perceived interest and is a common manipulation tactic.
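The three signals named above (round-number trades, the same wallet buying and selling in quick succession, and volume spikes with no catalyst) can each be expressed as a simple filter over a trade list exported from a DEX analytics tool. The code below is an added example, not the checklist author's or any tool's own logic; the trade records are constructed, the wallet names are placeholders, and the thresholds (multiples of $500, a 10-minute round-trip window, 5x the median hourly volume) are illustrative assumptions a reviewer would tune.

```python
"""Wash-trading heuristics over a list of DEX trades.

Added example with constructed trades. Each heuristic corresponds to one of
the checklist's signals; thresholds are assumptions, not industry constants.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Trade:
    ts: int       # unix seconds
    wallet: str   # trader address (placeholder strings below)
    side: str     # "buy" or "sell"
    usd: float    # trade size in USD


def round_number_trades(trades, step=500.0):
    """Trades whose size is an exact multiple of `step` dollars (and at least `step`)."""
    return [t for t in trades if t.usd >= step and t.usd % step == 0]


def round_trip_wallets(trades, window=600):
    """Wallets that placed opposite-side trades within `window` seconds of each other."""
    by_wallet = defaultdict(list)
    for t in trades:
        by_wallet[t.wallet].append(t)
    flagged = set()
    for wallet, own in by_wallet.items():
        own.sort(key=lambda t: t.ts)
        for a, b in zip(own, own[1:]):
            if a.side != b.side and b.ts - a.ts <= window:
                flagged.add(wallet)
    return sorted(flagged)


def volume_spikes(trades, bucket=3600, factor=5.0):
    """Hour buckets whose volume exceeds `factor` times the median of the other buckets."""
    volume = defaultdict(float)
    for t in trades:
        volume[t.ts // bucket] += t.usd
    if len(volume) < 3:
        return []  # not enough history to call anything a spike
    spikes = []
    for b, v in volume.items():
        others = [x for k, x in volume.items() if k != b]
        if v > factor * median(others):
            spikes.append(b)
    return sorted(spikes)


# Constructed trade history: three quiet hours and one hour in which
# wallet_3 buys and sells $1,000 within 100 seconds.
SAMPLE_TRADES = [
    Trade(100, "wallet_1", "buy", 120.5),
    Trade(900, "wallet_2", "sell", 80.0),
    Trade(3700, "wallet_3", "buy", 1000.0),
    Trade(3800, "wallet_3", "sell", 1000.0),
    Trade(4000, "wallet_4", "buy", 250.0),
    Trade(7500, "wallet_5", "buy", 90.0),
    Trade(8000, "wallet_6", "sell", 110.0),
    Trade(11000, "wallet_7", "buy", 130.0),
]


def analyse(trades):
    return {
        "round_number": [(t.wallet, t.usd) for t in round_number_trades(trades)],
        "round_trip_wallets": round_trip_wallets(trades),
        "spike_hours": volume_spikes(trades),
    }


if __name__ == "__main__":
    for signal, hits in analyse(SAMPLE_TRADES).items():
        print(f"{signal}: {hits}")
```

On the constructed data all three signals point at the same hour and the same wallet, which is the pattern worth investigating; any one signal alone (a single round-number trade, say) is weak evidence.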
8. Community Authenticity
Check the Telegram and Discord for bot activity. Signs of fake communities include: identical messages posted at regular intervals, no organic conversation, and follower counts that grew overnight. Use tools like Telegram Analytics or Twitter Audit to check follower authenticity.
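Two of the bot signs listed above, identical messages from different accounts and posts landing at clockwork intervals, can be checked from a chat export without any third-party tool. The following added example (not the checklist author's code, and not how Telegram Analytics or Twitter Audit work internally) runs both checks over a constructed message log; user names are placeholders, and the "clockwork" threshold (a coefficient of variation of posting gaps at or below 5%) is an illustrative assumption.

```python
"""Bot-activity heuristics over an exported chat log.

Added example with constructed messages. Two checks: the same text posted
by two or more accounts, and accounts whose posting gaps are nearly constant.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Message:
    ts: int     # unix seconds
    user: str   # placeholder account name
    text: str


def normalise(text):
    """Collapse case and whitespace so trivially edited copies still match."""
    return " ".join(text.lower().split())


def duplicate_texts(messages, min_users=2):
    """Map normalised text -> sorted users, for texts posted by >= min_users accounts."""
    users_by_text = defaultdict(set)
    for m in messages:
        users_by_text[normalise(m.text)].add(m.user)
    return {t: sorted(u) for t, u in users_by_text.items() if len(u) >= min_users}


def metronomic_posters(messages, min_messages=4, max_cv=0.05):
    """Users with >= min_messages posts whose inter-post gaps barely vary.

    Coefficient of variation (stdev / mean) of the gaps is used so the check
    works for any posting period; humans rarely stay under a few percent.
    """
    times = defaultdict(list)
    for m in messages:
        times[m.user].append(m.ts)
    flagged = []
    for user, ts in times.items():
        if len(ts) < min_messages:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mu = mean(gaps)
        if mu > 0 and pstdev(gaps) / mu <= max_cv:
            flagged.append(user)
    return sorted(flagged)


# Constructed log: bot_a posts the same line every 10 minutes, bot_b repeats it
# once with different spacing, two humans talk at irregular times.
SAMPLE_MESSAGES = [
    Message(0, "bot_a", "Great project, 100x soon!!"),
    Message(50, "human_1", "when is the audit report published?"),
    Message(300, "bot_b", "great project,  100x soon!!"),
    Message(400, "human_1", "anyone seen the audit?"),
    Message(450, "human_2", "audit link is pinned"),
    Message(600, "bot_a", "Great project, 100x soon!!"),
    Message(1200, "bot_a", "Great project, 100x soon!!"),
    Message(1800, "bot_a", "Great project, 100x soon!!"),
    Message(2000, "human_1", "thanks, reading it now"),
    Message(2100, "human_1", "critical findings look resolved"),
]


def report(messages):
    return {
        "duplicates": duplicate_texts(messages),
        "metronomic": metronomic_posters(messages),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_MESSAGES).items():
        print(f"{key}: {value}")
```

On the constructed log, bot_a is flagged for posting every 600 seconds exactly, and its text is also caught as a duplicate shared with bot_b; human_1 posts just as often but with irregular gaps and is not flagged.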
9. Whitepaper and Roadmap
A legitimate project has a detailed whitepaper explaining the technology, use case, and tokenomics. Vague whitepapers, copy-pasted content, or missing roadmaps are red flags. Check if past roadmap milestones were actually delivered.
10. Regulatory and Compliance Risk
Check if the project's associated wallets appear on OFAC sanctions lists or known illicit entity databases. For EU investors, check MiCA compliance status. Regulatory action can freeze assets or delist tokens from exchanges overnight.