Due Diligence Checklist: A 15-Point Framework for Evaluating New Tokens and Protocols
Crypto due diligence is the process of turning hype, charts, social media claims, tokenomics pages, on-chain activity, audits, liquidity data, and governance records into a repeatable decision framework. This 15-point TokenToolHub checklist helps you evaluate new tokens and protocols before buying, providing liquidity, joining an airdrop, staking, building on a protocol, or committing time as a contributor. The goal is not to predict every outcome. The goal is to identify what can be verified, what remains uncertain, what can break, and whether the risk is worth taking.
TL;DR
- A good due diligence process does not remove risk. It makes risk visible, comparable, and easier to manage.
- Start with the catastrophic checks first: contract control, upgradeability, admin keys, unlock cliffs, liquidity depth, and security posture.
- Every project claim should be verified against primary evidence: contracts, explorers, docs, audits, repositories, dashboards, governance records, and treasury wallets.
- Score each category from 0 to 5. Use weights for security, tokenomics, liquidity, traction, and operational controls if your strategy is risk-first.
- Do not increase size because price moved. Increase size only when evidence improves: shipping, adoption, security hardening, better liquidity, and sustainable fee growth.
- Map token unlocks before entering. Many avoidable losses come from ignoring supply cliffs and insider distribution.
- Verify who controls upgrades, pausing, treasury, emissions, oracles, and governance execution before trusting a protocol with meaningful value.
- Use the worksheet inside this guide to produce a final decision: enter, watchlist, or pass.
Due diligence does not tell you exactly what price will do tomorrow. It tells you whether the project’s risk stack is understandable. You are not trying to find certainty. You are trying to price uncertainty, avoid obvious landmines, and build a documented research process that improves over time.
This guide is educational and is not financial, legal, tax, investment, trading, custody, or security advice. Crypto assets are volatile and risky. Always verify information independently and consult qualified professionals where appropriate.
Why a rigorous crypto due diligence process matters
Crypto markets reward speed, but they punish sloppy reasoning. A token can trend overnight, a protocol can announce a new integration before users understand the risk, and a social media thread can turn weak assumptions into a temporary narrative. That environment creates pressure. People buy because others are buying. They provide liquidity because the APR looks high. They stake because a dashboard says safe. They join a token launch because the chart is moving.
A due diligence checklist slows the decision down just enough to separate evidence from momentum. It forces the same questions every time: what is the product, who controls it, how does the token work, when does supply unlock, where does liquidity live, what can admins change, what audits exist, whether usage is organic, and what would make the thesis wrong.
Strong DD produces three outcomes: clarity, comparability, and accountability. Clarity means you understand what the protocol actually does and what assumptions must hold. Comparability means you can evaluate two protocols using the same structure. Accountability means your decision is documented so you can review it later and learn from it.
How to use this 15-point framework
You can use this framework as a solo investor, a research analyst, a DAO contributor, a community moderator, a token screener, or a builder evaluating whether to integrate with another protocol. The key is consistency. Do not change the standard just because the narrative is exciting.
- Scope the research: define the asset, chain, protocol, contract addresses, and the action you are considering.
- Timebox the first pass: spend 60 to 120 minutes collecting evidence and checking catastrophic risks.
- Verify externally: compare claims in docs with contracts, explorers, dashboards, audits, repositories, and governance records.
- Score consistently: use a 0 to 5 score for each category, then weight security, tokenomics, liquidity, and traction if needed.
- Document the decision: write the final outcome, top risks, evidence links, monitoring triggers, and conditions that would change your mind.
Two habits prevent a large share of avoidable crypto losses: verify who can upgrade or control the system, and map when supply unlocks. If either is unclear, the asset deserves a lower score or no exposure.
Field workflow: running DD in 60 to 120 minutes
Start with the highest-risk filters. If a project fails the catastrophic checks, do not waste time on narrative, branding, or community hype. A good workflow gets to the dangerous questions first.
60 to 120 minute DD workflow:
1. Identify what you are evaluating
Token, protocol, network, DApp, infrastructure layer, DAO, or all of the above.
2. Gather minimum evidence
Docs, contract addresses, audits, tokenomics, unlocks, liquidity venues, treasury wallets, social channels.
3. Run fatal-risk filters
Upgrade admin, token owner, pauser, blacklist, mint authority, unlock cliffs, thin liquidity, no audits.
4. Score the 15 categories
Use 0 to 5 per section. Add weights if your strategy is risk-first.
5. Decide
Pass, watchlist, small staged entry, build/integrate, or monitor only.
6. Write monitoring triggers
Unlocks, liquidity drops, admin upgrades, governance changes, fee collapse, incidents, team changes.
The 15-point due diligence checklist
1. Problem, market, and value proposition
A token or protocol must solve a real problem for a real user. The problem may be faster settlement, cheaper transactions, better liquidity, easier developer tooling, safer custody, privacy, identity, compute, stablecoin access, or better on-chain coordination. A weak project starts with vague language. A stronger project can explain the user, the pain, the current alternative, and why its product is meaningfully better.
- Look for: clear user segment, real workflow, measurable pain point, and evidence of demand.
- Verify: use the product, read docs, compare competitors, and check whether on-chain activity matches the claimed use case.
- Red flags: buzzwords without users, “AI + Web3” with no workflow, fake network effects, usage that exists only during incentives.
Score: 0 to 5 based on how clear and verifiable the problem-solution fit is.
2. Team, contributors, and governance maturity
Execution risk is often more dangerous than competition risk. A competent team can adapt when markets change. A weak team can fail even with a strong narrative. For DAOs, contributor quality, governance process, signer discipline, and transparency matter as much as founder reputation.
- Look for: relevant experience, public track record, regular updates, accountable governance, and clear roles.
- Verify: check GitHub activity, governance proposals, public talks, contributor history, multisig structure, and prior project outcomes.
- Red flags: anonymous signers with unilateral control, evasive answers, hostile moderation, unclear accountability, or no execution history.
Score: 0 to 5 based on team competence, transparency, and governance credibility.
3. Token utility and economic role
A token should do real work. It may secure a network, pay for scarce resources, coordinate governance, provide access, align incentives, or support fee sinks. Cosmetic utility usually fails once emissions slow or the initial narrative fades.
- Look for: required usage, fee sinks, staking or slashing role, governance with guardrails, and direct connection to protocol demand.
- Verify: inspect contracts, payment flows, staking logic, fee logic, and whether the product can function without the token.
- Red flags: governance-only token with no value path, optional utility, circular rewards, or users paid in tokens without durable demand.
Score: 0 to 5 based on whether the token role is essential, defensible, and visible on-chain.
4. Tokenomics: supply, emissions, and distribution
Tokenomics determines who owns supply, when supply unlocks, how emissions are distributed, and whether incentives create real demand or temporary extraction. This is one of the most important sections because bad tokenomics can overwhelm a good product.
- Look for: supply model, allocation, vesting, cliffs, emissions, FDV, circulating supply growth, and insider unlocks.
- Verify: compare docs against token holders, vesting contracts, unlock calendars, treasury wallets, and emissions contracts.
- Red flags: high insider allocation, short cliffs, unclear max supply, unilateral emissions changes, or “community allocation” with no distribution details.
Score: 0 to 5 based on supply transparency, unlock risk, and incentive sustainability.
5. Treasury health and runway
Protocol survival depends on treasury quality. A treasury dominated by the native token is reflexive. When the token falls, runway shrinks. When runway shrinks, shipping slows. When shipping slows, confidence weakens. Strong projects diversify treasury assets and report spending clearly.
- Look for: stablecoin runway, ETH or BTC reserves, monthly burn, revenue, treasury reports, grants policy, and spending governance.
- Verify: track treasury wallets, compare balances over time, read governance spending proposals, and inspect multisig transactions.
- Red flags: native-token-heavy treasury, no reporting, short runway, vague strategic payments, or treasury controlled by opaque signers.
Score: 0 to 5 based on treasury resilience and reporting discipline.
6. Roadmap, milestones, and delivery track record
Promises are cheap. Delivered milestones are expensive. A credible project can show deployments, releases, documentation, audits, integrations, bug fixes, changelogs, and usage improvements tied to product progress.
- Look for: realistic milestones, verifiable shipping, clean documentation, strong SDKs, public changelogs, and post-release iteration.
- Verify: compare roadmap posts against GitHub, deploys, docs, audits, on-chain contracts, and actual user-facing releases.
- Red flags: perpetual “coming soon,” abandoned repos, broken docs, announcements without usable product, and launch theater.
Score: 0 to 5 based on consistent delivery and credible execution history.
7. Technology architecture and audit posture
Technology risk compounds across smart contracts, oracles, bridges, sequencers, data availability layers, admin controls, and integrations. The question is not only whether the project has an audit. The question is whether the current deployed system has been reviewed, what dependencies exist, and how the system fails.
- Look for: open source code, recent audits, bug bounty, remediation notes, dependency mapping, and upgrade control disclosure.
- Verify: read audit scope, compare audit dates to current deployments, inspect proxy admins, and review external dependency risks.
- Red flags: unaudited TVL, single EOA upgrade control, opaque oracles, no bounty, or audits that no longer match live code.
Score: 0 to 5 based on technical guarantees, audit quality, and dependency clarity.
8. Security, keys, and operational controls
Many losses come from operational failure, not code bugs alone. Compromised keys, rushed upgrades, weak multisigs, missing timelocks, and poor incident response can destroy user trust. Strong operational security includes key management, monitoring, circuit breakers, and clear emergency procedures.
- Look for: independent multisig signers, hardware wallet use, timelocks, monitored admin actions, circuit breakers, and published incident plans.
- Verify: check multisig threshold, signer quality, timelock contracts, pause functions, role assignments, and admin event history.
- Red flags: single deployer key, bypassable timelock, privileged EOA functions, hidden rescue functions, or no public incident process.
Score: 0 to 5 based on operational safeguards and enforcement.
9. On-chain traction and real usage
Separate real usage from incentive farming. Sustainable traction means users continue because the product is useful, not only because emissions are profitable. Usage that disappears when rewards end is not durable product-market fit.
- Look for: active wallets, repeat usage, retention, fees, volume quality, TVL stickiness, and organic behavior after incentives taper.
- Verify: compare 7-day, 30-day, and 90-day activity, cohort retention, fee capture, and sybil patterns.
- Red flags: usage collapse after rewards, circular TVL, low fees despite high volume, fake wallets, and repetitive farming behavior.
Score: 0 to 5 based on organic and sustainable usage.
10. Liquidity, market microstructure, and exchange risk
Liquidity determines whether you can enter and exit without severe slippage. A token can look strong on a chart while being thin at real size. Liquidity quality includes DEX depth, CEX depth, LP ownership, market maker behavior, derivatives exposure, borrow markets, and liquidation risk.
- Look for: 1 to 2 percent depth, top pools, venue concentration, LP token holders, reward dependency, funding rates, open interest, and borrow usage.
- Verify: check DEX pools, pool ownership, CEX order books, derivatives data, unlock periods, and liquidity changes over time.
- Red flags: shallow DEX depth, suspicious CEX volume, insider-controlled LP, liquidity that disappears when incentives pause.
Score: 0 to 5 based on liquidity resilience and authenticity.
11. Legal, regulatory, and jurisdictional considerations
Regulatory risk can affect listings, access, treasury operations, partnerships, user onboarding, and token value. You do not need to act as a lawyer, but you should evaluate whether the project communicates responsibly and understands its own jurisdictional exposure.
- Look for: responsible disclosures, terms, geofencing where relevant, legal structure, risk language, and restrained marketing.
- Verify: review official terms, token distribution language, governance structure, public statements, and whether retail claims imply guaranteed returns.
- Red flags: aggressive yield promises, retroactive utility claims, no disclosures, unclear accountability, or speculative marketing disguised as utility.
Score: 0 to 5 based on compliance realism and disclosure quality.
12. Community, communications, and reputation
Community can strengthen distribution, support users, and improve feedback loops. It can also be manufactured. Strong communities tolerate hard questions. Weak communities delete criticism and replace research with hype.
- Look for: factual updates, clear governance discussion, quality moderation, independent tools, public dashboards, and contributor pathways.
- Verify: inspect Discord, Telegram, X, forums, governance boards, community dashboards, and how the team handles criticism.
- Red flags: bot followers, fake engagement, hostile moderation, shilling culture, and refusal to answer tokenomics or security questions.
Score: 0 to 5 based on authenticity, communication quality, and reputation resilience.
13. Partnerships, integrations, and ecosystem fit
“Partnership” is one of the most abused words in crypto. A real integration should create technical or economic value. A logo wall without evidence does not count. Look for deployed contracts, docs, SDK references, public pull requests, usage impact, or measurable distribution.
- Look for: live integrations, implementation guides, partner credibility, ecosystem fit, and measurable usage from integrations.
- Verify: check docs, contract calls, GitHub references, co-marketing details, dashboards, and actual usage after announcement.
- Red flags: logo walls, vague MOUs, no shipped integration, partner announcements used only to pump price.
Score: 0 to 5 based on whether integrations create real utility or distribution.
14. Competitive moat and defensibility
In open-source crypto, defensibility is difficult. A moat may come from liquidity, network effects, brand trust, developer ecosystem, data advantages, regulatory positioning, or deep integrations. If competitors can copy the feature and outspend incentives, the moat is weak.
- Look for: switching costs, developer adoption, liquidity depth, protocol integrations, brand trust, category leadership, and distribution advantage.
- Verify: compare competitors, user retention, developer activity, routing share, category share, and integration dependency.
- Red flags: narrative-only moat, copied features, no durable token sink, demand dependent on emissions.
Score: 0 to 5 based on how hard the protocol is to copy and displace.
15. Risk map, scenarios, and catalysts
Final DD should end with scenarios. You need a bull case, base case, bear case, stop conditions, and monitoring triggers. This prevents emotional decision-making when price moves quickly.
- Bull case: what catalysts must happen, such as shipping, integrations, fee growth, chain expansion, or sticky users?
- Base case: what steady-state metrics justify holding, such as fees, retention, TVL quality, usage, or liquidity depth?
- Bear case: what breaks, such as exploit, unlock sell-off, regulatory issue, governance capture, competitor leapfrog, or liquidity withdrawal?
- Stop conditions: what pre-committed rule makes you exit, reduce exposure, hedge, or return to watchlist?
Score: 0 to 5 based on how transparent the risks are and whether a credible monitoring plan exists.
Scoring rubric and weights
Use a 0 to 5 rubric so your decisions are comparable across projects. Scores should reflect evidence, not excitement. If a category cannot be verified, it should not receive a high score.
| Score | Meaning | Interpretation |
|---|---|---|
| 0 | Absent, misleading, or critical failure. | Immediate pass unless treating it as pure speculation. |
| 1 | Very weak evidence and major red flags. | High risk. Avoid meaningful exposure. |
| 2 | Partial information and unresolved issues. | Watch only unless position size is tiny. |
| 3 | Adequate with reasonable trade-offs. | Possible watchlist or small staged entry. |
| 4 | Strong execution and transparency. | Higher confidence, still monitor risks. |
| 5 | Best-in-class proof and resilience. | Rare. Requires clear evidence across sources. |
Suggested risk-first weights
- Tokenomics: x1.5
- Technology and audits: x1.5
- Security and operational controls: x1.5
- On-chain traction: x1.25
- Liquidity and market microstructure: x1.25
- Risk map and scenarios: x1.25
- Community and partnerships: lower weight unless your strategy depends on narrative distribution.
A weak score or a single deal-breaker should override social hype. As a working rule: under 45 out of 75 weighted is a pass, 45 to 55 is watchlist, and 55+ with no deal-breakers can justify deeper research or a small staged entry.
Due diligence worksheet template
Copy this worksheet into your research notebook, Google Docs, Notion, or internal dashboard. Fill one row per project and attach evidence links. Your DD library becomes more valuable over time because it lets you compare decisions against outcomes.
| Category | Evidence and links | Red flags | Score | Weight | Weighted |
|---|---|---|---|---|---|
| Problem and market | Docs, usage, competitors | Buzzwords, weak users | 0 to 5 | 1.0 | |
| Team and governance | Founders, proposals, signer structure | Opaque control | 0 to 5 | 1.0 | |
| Token utility | Contracts, fee flows, staking role | Cosmetic utility | 0 to 5 | 1.0 | |
| Tokenomics | Supply, unlocks, holders | Insider cliffs | 0 to 5 | 1.5 | |
| Treasury | Wallets, reports, runway | Native-token-heavy | 0 to 5 | 1.0 | |
| Roadmap | Deploys, GitHub, changelogs | Coming soon forever | 0 to 5 | 1.0 | |
| Tech and audits | Audits, code, dependencies | Unaudited TVL | 0 to 5 | 1.5 | |
| Security and ops | Multisig, timelock, monitoring | Single signer | 0 to 5 | 1.5 | |
| On-chain traction | DAW, fees, retention, TVL quality | Reward-only usage | 0 to 5 | 1.25 | |
| Liquidity | DEX depth, CEX books, LP ownership | Thin exit liquidity | 0 to 5 | 1.25 | |
| Legal | Terms, disclosures, marketing posture | Guaranteed return language | 0 to 5 | 1.0 | |
| Community | Forums, moderation, engagement quality | Bots and censorship | 0 to 5 | 0.75 | |
| Partnerships | Live integrations, docs, usage impact | Logo wall only | 0 to 5 | 0.75 | |
| Moat | Switching costs, liquidity, developer adoption | Easy clone | 0 to 5 | 1.0 | |
| Risk scenarios | Bull, base, bear, stop conditions | No monitoring plan | 0 to 5 | 1.25 | |
| Total | Final decision: enter, watchlist, or pass | / 75 | |||
Decision summary template:
Project:
Token:
Chain:
Contract address:
Action considered:
Decision:
Enter / Watchlist / Pass
Position sizing rule:
Maximum exposure:
Entry plan:
Invalidation condition:
Top 3 risks:
1.
2.
3.
Evidence links:
Docs:
Audits:
Contracts:
Dashboards:
Governance:
Unlock schedule:
Monitoring triggers:
- Unlock date
- Liquidity depth threshold
- Admin upgrade event
- Fee or usage collapse
- Governance proposal
- Security incident
Red flags and deal-breakers
Deal-breakers are conditions that should override hype. A token may still pump with deal-breakers, but that does not make it a disciplined investment. It makes it speculation. Label it honestly.
Immediate deal-breakers
- Security: single-signer control over upgradeable contracts, no audits for meaningful TVL, undisclosed admin functions.
- Tokenomics: high insider allocation, early cliffs, undefined supply, emissions that overwhelm demand.
- Liquidity: thin DEX depth, artificial CEX volume, insider-controlled LP, or no clear exit path.
- Governance: rubber-stamp voting, treasury raids disguised as grants, hidden multisig control.
- Legal: aggressive retail marketing, guaranteed return language, no disclosures, unclear accountability.
- Communication: deleted criticism, fake social proof, hostile moderation, no answers to serious security questions.
Position sizing, risk controls, and monitoring
Even high-scoring assets can fail. Audits miss bugs. Teams mismanage treasuries. Regulations change. Liquidity disappears. Unlocks overwhelm demand. Position sizing is the control that keeps one wrong thesis from destroying your portfolio.
- Max loss per idea: keep early exposure small until conviction is earned by evidence.
- Staged entries: split entries across milestones instead of buying all at once.
- Unlock awareness: reduce or hedge exposure before major supply cliffs if liquidity is thin.
- LP caution: impermanent loss can exceed fee yield in volatile pairs.
- Alerting: set alerts for TVL drops, fee compression, liquidity withdrawal, multisig changes, and admin upgrades.
Mechanisms over memes. Process over impulse. If your thesis depends on everyone staying excited forever, the thesis is fragile.
Recommended research tool stack
A good due diligence process is mostly thinking, verification, and documentation. Tools help reduce friction, but tools should never replace judgment. Use them as inputs, not as automatic decisions.
On-chain research and investor workflow
On-chain analytics can help validate wallet behavior, smart money movement, flows, retention, and protocol usage. For wallet labeling and smart money tracking, you can explore Nansen via TokenToolHub. For staking-related workflows, you can also review Nansen staking.
Quant and strategy testing
If you use systematic strategies, backtesting helps test whether an idea survives more than one market regime. You can explore QuantConnect for research and strategy development. For AI-driven market insight tools, you can review Tickeron via TokenToolHub.
Portfolio tracking and tax reporting
Clean records matter. Crypto swaps, transfers, staking rewards, LP positions, and on-chain activity can become difficult to reconstruct later. Options include CoinTracking, CoinLedger, Koinly, and Coinpanda.
Automation and execution
Automation can improve discipline, but it can also automate mistakes. If your workflow includes rule-based execution, you can review Coinrule. Always define risk limits before automation goes live.
Swaps and cross-chain execution
Execution quality matters during volatile markets. For swap routes, you can review ChangeNOW. Always verify chain, address, token, and fees before confirming any cross-chain movement.
Hardware wallets and key security
If you hold meaningful value, use hardware wallets or multisig for vault funds. Options to evaluate include Ledger, Trezor, SafePal, ELLIPAL, Keystone, OneKey, NGRAVE, SecuX, and SecuX discount.
Infrastructure for builders and researchers
If you build blockchain tooling or research infrastructure, node and compute reliability matter. You can evaluate Chainstack for blockchain infrastructure and Runpod for flexible compute workloads.
Privacy and protection tools
Operational security matters for researchers, builders, and investors. Options to review include NordVPN, NordProtect, Proton VPN, Proton, and PureVPN.
Exchange and trading platforms
Exchanges can help with liquidity and execution, but they also create counterparty and compliance risk. Options to evaluate include Bitget and Poloniex. Do not store long-term holdings on exchanges.
Screeners and signal tools
Screeners can help surface opportunities, but they should not replace DD. You can review AltFins as one screening option. Treat screeners as filters, not final decisions.
Verdict: due diligence is your edge
A rigorous due diligence process is one of the few repeatable advantages in crypto. It does not guarantee profit. It does not remove volatility. It does not make every decision easy. But it helps you avoid preventable losses, identify hidden control risks, compare opportunities, and size exposure based on evidence instead of emotion.
The strongest researchers are not the people who predict every move. They are the people who know what they own, understand what can break, and document why they made each decision. Over time, that process compounds.
Use this 15-point checklist before the next token you research. Fill the worksheet. Save the evidence. Write the risks. Set monitoring triggers. Then revisit your notes after the market moves. That feedback loop is where real research skill is built.
Use a repeatable process before committing capital
Verify contracts, tokenomics, unlocks, liquidity, security posture, admin controls, and real traction before buying, staking, providing liquidity, or joining a protocol.
FAQs
What is crypto due diligence?
Crypto due diligence is the process of evaluating a token or protocol using verifiable evidence such as contracts, tokenomics, unlocks, liquidity, audits, treasury wallets, governance records, and on-chain activity before making a decision.
What should I check first before buying a new token?
Start with contract control, upgradeability, owner privileges, mint authority, blacklist functions, unlock schedule, holder distribution, liquidity depth, and whether the token has verified source code.
Why do token unlocks matter?
Unlocks matter because new supply can create seller pressure, especially if insiders, investors, or team allocations unlock into thin liquidity. Always map the next 3 to 6 months of major cliffs.
Are audits enough to trust a protocol?
No. Audits help, but users also need to check whether the deployed code matches the audit scope, whether findings were fixed, whether contracts are upgradeable, who controls upgrades, and whether a bug bounty exists.
How should I score a project?
Use a 0 to 5 score per category. Then apply weights based on your strategy. Risk-first users should weight tokenomics, security, operations, liquidity, and on-chain traction more heavily.
What is an immediate crypto deal-breaker?
Examples include single-signer control over upgradeable contracts, hidden admin powers, no verified code, unclear supply, high insider unlocks, thin liquidity, no audit for meaningful TVL, and hostile communication around security questions.
Should I use tools for crypto research?
Tools can help with wallets, analytics, tax records, execution, and security, but tools do not replace judgment. Use tools as inputs to a documented research process.
When should I put a token on watchlist instead of buying?
Use watchlist when the project is credible but still has major uncertainty, such as pending audits, upcoming unlocks, unclear liquidity, immature governance, or early traction that has not survived beyond incentives.
Final reminder: the best research process does not chase every narrative. It verifies mechanisms, maps risks, checks the code, watches liquidity, tracks unlocks, and documents the decision. Evidence over narrative. Mechanisms over memes. Process over impulse. Check first, then decide.