DeFi Token Red Flags

David Wyly
12 min read · Nov 8, 2022


When evaluating a project, there are more than 100 ways for devious project insiders to rug you. Here are some tips on how to spot projects for what they really are.

Disclaimer: This list is by no means definitive — there are far more ways for people to steal your money in DeFi than I can ever hope to catalogue, but this list is a start.

Red flags are areas where caution may be warranted. A project without a red flag doesn’t necessarily make it safe, the same way that a project with a red flag doesn’t necessarily make it unsafe. Risk cannot be defined by an algorithm or a heuristic. Use your own best judgment and evaluate projects at your own risk.

Red Flags During Launch

When a token launches, that’s where most insiders try to get ahead of the regular investors — so they can dump on them. How do they do it? Let’s dig in:

🚩No presale. A token that launches without a presale allows for people to come on a “first come, first served” basis which, at first glance, sounds fair — but in reality it’s anything but.

Why? Launches without presales typically get botted to hell and back — meaning that inhumanly-fast bots can acquire tokens for super cheap within the first few seconds of a launch, giving them huge bags for pennies on the dollar that can be used to crash the project just as it’s trying to find its legs. Sometimes shady project developers will even bot their own launches.

A presale is how you avoid bots: The goal is to get in front of the bots, not behind them. Without a presale, you may see the chart jump 1,000%+ in the first few minutes (to the benefit of the bots, most likely), creating buyer FOMO — only to have everything crash hard when the bots liquidate their insane earnings off the backs of everyone else. Not cool.

An army of bots attacking a token that is launched without a presale. Credit: Midjourney AI

Warning: Just because a token is launched as a public presale, that doesn’t necessarily guarantee that it’s safe. A public presale is designed to set a token launch up for success by giving it healthy liquidity, a fair and equitable buy-in price, and a well-diversified list of smaller holders. However, many public presales are set up maliciously. (More on that later.)

🚩Private sales. Insiders sometimes try to accumulate a large number of tokens before the general public by using private sales or whitelisting before they launch a public presale.

This is extraordinarily problematic as it creates large whales that will be a thorn in the side of the project for months — if not years. Large whales can sell down without warning and, if they dump their entire bag, can drain a shocking amount of value from the liquidity pool.

Crypto axiom: Whales WILL dump. It’s just a matter of time. And it’s always at the worst of times. Hope for the best, plan for the worst.

🚩Insider allocations. Holding back a percentage of tokens (often justified as being for “marketing” or “development”) gives an opportunity for insiders to dump on a project with zero initial buy-in risk.

Let’s do everyone a favor and stop accepting insider allocations (especially those that are not locked behind a time-lock or multi-sig). Ideally, 100% of minted tokens should be offered up for public presale. If project insiders believe in the token so badly, they’re welcome to buy at presale prices along with everyone else.

A shadowy insider holding large bags that will be used to dump on a project. Credit: Midjourney AI

🚩Stealth launched. Token presales that are not broadly communicated are sometimes used by insiders to gobble up a large percentage of tokens.

Be extraordinarily wary of tokens that are overly secretive and try to limit knowledge of their presale to insiders.

Want to know a secret? Some shady developers believe that their reputation and influence will attract a lot of investors — insomuch that they’ll secretly create a token, stealth launch it, hoard presale wallets, then announce that they’re the developers (remember: they do this after they have gobbled up a ton of presale wallets).

🚩Surprise launched. Not telling people when you’re going to launch the token is an enormous red flag. This allows for insiders to have a heads-up on the exact time on the launch and gain a material advantage over the general public.

🚩Low/no soft/hard-cap. A tiny presale limit allows for insiders to bot or otherwise swarm the majority of presale wallets for very little cost. “Selling out a presale in 30 seconds” sounds great when you have a large hard-cap, but it’s a huge red flag when there’s a tiny hard-cap as insiders will likely own most of the initial token distribution.

🚩High number of burned tokens. Some projects try to mask top-heavy holders by putting the focus on total supply, not circulating supply. Projects with more than 50% of tokens burned may be trying to play games with the holders list.

For example, if you have a wallet with 5% of the total supply, that doesn’t freak people out that much. But if you were to burn 50% of the total supply, 5% of the total supply is actually 10% of all tokens in circulation.

As an aside: You may disagree with me, but sending tokens to a burn wallet is a bit of a gimmick. You could simply have a burn() function on the token contract that just deletes the tokens from existence and reduces the total supply directly, but anywho, I digress.

Rare image of tokens burning in the burn wallet. Credit: Midjourney AI

🚩Low liquidity allocation. With low liquidity raised during a presale, the asset will be extraordinarily volatile and only a few presale wallets are required to sink the price. High liquidity, however, helps to maintain a healthy price floor — even in the event of a big sell-off during launch. All of a presale’s raised value should be paired with liquidity.

Red Flags With Liquidity

The classical definition of a “rug pull” is pulling the rug of liquidity out from under a project. But there are quieter, more insidious ways to rug a project’s holders by manipulating liquidity:

🚩Unlocked liquidity. I cannot stress enough the danger of unlocked liquidity. When liquidity is not locked properly away, it is extraordinarily dangerous. LP tokens — which represent a percentage of underlying liquidity — should be burned, time-locked, or staged behind a multi-signature safe for a project to maintain a basic level of trust.

If LP tokens are locked behind a time-lock, make sure it’s for a lengthy period of time — such as a year (or longer).

If LP tokens are locked behind a multi-signature safe, make sure that the signers of the wallet belong to trusted individuals (preferably publicly known or “doxxed”).

(Not so) fun fact: Even if a wallet owns like 5–10% of LP tokens, it’s still potentially dangerous. That wallet can access tokens from the underlying liquidity pairing. These tokens, once extracted from the liquidity pool, could potentially be used to dump on the chart if the amount is sizeable.

🚩Low liquidity. Too little liquidity as a percent of market cap introduces volatility, the silent killer. With high volatility, a single top holder can drain almost all the value from the liquidity pool in one big sell.

While the exact amount is up for debate, a good rule-of-thumb is for token projects to maintain at least 10% liquidity of market cap. Anything under 5% is very worrisome. 2.5% or less is basically a ticking time bomb — one big whale sell and the price could dip 80% or more.

A visual representation of a token with low liquidity. Credit: Midjourney AI

🚩Withholding liquidity. When token projects purposely withhold liquidity from the normal liquidity pool, they are artificially introducing volatility — a dangerous gambit. And a serious red flag that the project owners are either naive enough, malicious enough, or stupid enough to willingly engage in such brazen liquidity and price manipulation.

🚩Spending from liquidity. When a project extracts and spends from its liquidity pool, run. Liquidity belongs to the holders — full stop. And be advised, it’s possible that the project owners are committing securities fraud by spending from the liquidity pool.

Repeat with me: Liquidity belongs to the holders.

🚩Using liquidity for buybacks. When liquidity is extracted, it’s possible to use part of the pairing for token buyback. At first glance this sounds kind of cool — oh sweet, price pump! Right?

Wrong. Here’s why this is very bad:

  • High liquidity supports a solid price floor. When you extract liquidity, you’re increasing volatility and crippling latent price action.
  • When tokens are then purchased, this actually decreases token liquidity even more, further increasing volatility. Double-whammy.
  • If done manually, this is essentially price manipulation. Insiders can be aware of when a buyback will happen and buy in advance of the public that does not have this knowledge, then sell on the project when buybacks are completed.
  • What happens with both the extracted and purchased tokens? Since those funds were originally sourced from the liquidity, they should remain in liquidity. Do not allow for any project to misallocate liquidity. Say it again: Liquidity belongs to the holders.
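The following is an added example, not code from the article: a fee-less constant-product pool (the Uniswap v2 rule x · y = k) that puts numbers on three of the red flags above, namely burn-inflated holder concentration, liquidity as a percent of market cap, and “buybacks” funded by extracted liquidity. All reserves, balances and percentages are constructed for illustration.

```python
# Added example (not from the article): fee-less constant-product pool used to
# quantify burn-inflated concentration, liquidity-to-market-cap drawdowns, and
# buybacks paid for with extracted liquidity. All figures are constructed.
from dataclasses import dataclass

def circulating_share(balance: float, total_supply: float, burned: float) -> float:
    """Holder's share of circulating supply; burning inflates it."""
    return balance / (total_supply - burned)

@dataclass
class Pool:
    token: float  # token reserve
    quote: float  # paired-asset reserve (e.g. ETH)

    @property
    def price(self) -> float:
        return self.quote / self.token

    def sell(self, amount: float) -> float:
        """Sell tokens into the pool; returns quote asset received."""
        k = self.token * self.quote
        self.token += amount
        out = self.quote - k / self.token
        self.quote -= out
        return out

    def buy(self, quote_in: float) -> float:
        """Spend quote asset buying tokens; returns tokens received."""
        k = self.token * self.quote
        self.quote += quote_in
        out = self.token - k / self.quote
        self.token -= out
        return out

def sell_drawdown(pool: Pool, amount: float) -> float:
    """Fractional price drop a sell of `amount` would cause (pool untouched)."""
    probe = Pool(pool.token, pool.quote)
    probe.sell(amount)
    return 1 - probe.price / pool.price

def whale_dump_drawdown(liquidity_pct: float, holder_pct: float) -> float:
    """One wallet holding `holder_pct` of circulating supply dumps into a balanced
    pool worth `liquidity_pct` of market cap (supply and price normalised to 1)."""
    return sell_drawdown(Pool(liquidity_pct / 2, liquidity_pct / 2), holder_pct)

def buyback_from_liquidity(pool: Pool, extract: float, probe_sell: float):
    """Remove `extract` of the LP and spend its quote half buying back tokens.
    Returns (transient price multiple, drawdown of `probe_sell` before, after)."""
    p0, before = pool.price, sell_drawdown(pool, probe_sell)
    removed_quote = pool.quote * extract
    pool.token *= 1 - extract            # LP removal shrinks both reserves
    pool.quote -= removed_quote
    pool.buy(removed_quote)              # the "buyback" returns only the quote half
    return pool.price / p0, before, sell_drawdown(pool, probe_sell)
```

With 2.5% liquidity a wallet holding 5% of circulating supply knocks 96% off the price in one sell; a buyback funded from 20% of the LP pumps the price 1.56x for a moment but leaves every later sell hitting a shallower pool.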

Red Flags With The Contract

Interacting with smart contracts can be risky. You don’t have to be a Solidity developer and learn how to read contracts, but you can look for some red flags:

🚩No audit. Every contract should be audited, except perhaps when it is directly forked from an audited contract (allowing for minimal alteration, like changing the name, ticker, tax rates, etc.).

Unless you know how to read Solidity code, a token without a reputable audit is a risk that should be avoided at all cost. (Which leads us to the next red flag…)

🚩Garbage audit. Not all audits are created equal. Tokens can earn a lot of trust when they utilize audits from a decent auditing firm. The best auditors out there actually deploy code on the testnet and perform a battery of penetration tests, comb through the code line-by-line, and utilize many eyes via multiple auditors. Many scam projects utilize cheap audits (that basically amount to a script that is run against the code) to gain the trust of unsuspecting investors.

P.S.: An audit on the smart contract does not mean that the project is guaranteed to be safe. It just means that, if properly audited by a reputable source, the code is unlikely to have obvious exploits or bugs. However, keep in mind that there is always a risk, even if low, that well-audited smart contracts might carry with them esoteric bugs or exploits.

🚩High taxes. Some tokens have egregiously high buy/sell/xfer taxes (or the owners can set the taxes to be extraordinarily high — effectively turning it into a honeypot).

Higher taxes do not necessarily mean greater benefits to tax beneficiaries. The higher the taxes, the greater the disincentive to trade, which may actually reduce overall tax revenue in the long run.

Some projects choose to allocate a percentage of taxes towards marketing, development, or some other fund that is in some way supposed to help the project’s tokenholders. This is fine — as long as the project developers are open and transparent about the use of these tokens and follow through on their promises.

Even still, some shady developers may see tokenomics allocation as an opportunity to funnel tokens into their pockets, which they can then use to sell down on the project and enrich themselves — so it’s best to have any automatically-accruing wallets under lock-and-key behind a multi-signature safe.

🚩Contract behind a proxy. Smart contract code is intended to be immutable and forever unchanging. Proxy contracts, however, sacrifice this immutability by granting the proxy owner the ability to swap out the underlying contract code for another contract. This can be very useful for upgradability — but this opens up a whole new can of worms.

There are several problems with this, not all listed here:

  • When a contract is behind a proxy, it’s a huge red flag that the project is not embracing the tenets of decentralization and is, instead, going down the dark path of centralized control. In the United States, the Securities and Exchange Commission (SEC) frowns very heavily on centralized governance over digital assets used as a form of investment, so buyer beware.
  • Audits become essentially worthless; the proxy owner can just completely swap out the contract that is operating behind the proxy at any time for any reason with absolutely zero notice. Some big projects have rugged this way, so be wary.
  • Proxy contracts should be owned by a multi-signature safe, otherwise a single compromised or malicious actor can wreck the entire project start to finish.

🚩Cheap gimmicks. Avoid tokens that are essentially Rube Goldberg machines of unnecessary complexity or technobabble masquerading as innovation.

For example, distributing other tokens to holders as a reward is not technically reflection; it is a gas-heavy process that doesn’t scale all that well. Best just to keep things simple. It reduces code complexity and puts more emphasis on the token having, you know, actual utility over cheap tricks.

A Rube Goldberg token of unnecessary complexity, looking ass and wasting gas. Credit: Midjourney AI

🚩Too centralized. Tokens that have a lot of owner-only functions can be pretty dangerous. Depending on the contract, project owners may be able to halt trading, impose arbitrary transaction limits, hike taxes, or even blacklist your wallet.

Not all owner functions are bad, but they can be abused by clever developers with malicious intent. It is best to have contract ownership be either renounced (i.e., assigned to the burn wallet), behind a multi-signature safe, or controlled by a Decentralized Autonomous Organization (DAO).

Red Flags With The Project

Last but not least, the project itself is sometimes the most telling:

🚩No Founder KYC. Project founders don’t necessarily need to be de-anonymized (aka “doxxed”) — I know the frustrations of being doxxed, personally — but it certainly doesn’t hurt in instilling trust.

Ideally, at the very least, project founders can go through trusted third-party entities to perform Know-Your-Customer (KYC) verification — and they can do so without opening themselves up to harassment in real life.

KYC helps provide even more confidence that they are real people who can be held accountable in case the project ends up running away with people’s money.

🚩Botted socials. Are the Discord, Twitter and Telegram actually active, or do they appear to be a desolate, botted wasteland?

🚩Garbage website. If a project has a nice website, then at the very least they’re putting in some thought and energy into the project. A decent website should be a bare-minimum for anyone to even consider investing their hard-earned fiat dollerydoos.

Also good to check for IP infringement. Some scam projects, in a rush to get something out there fast and cheap, rip images off of existing websites. A reverse-image search on project assets may uncover lifted assets.

🚩Unrealistic promises. Sure — this token is going to build an NFT marketplace, launch a centralized exchange, build an app, buy you a pizza, and create world peace via blockchain technology. Actually, no, it probably won’t.

Why didn’t they just create the product first and then launch the token? Oh yeah, because they’re shilling hopes and dreams; ultimately, building a real suite of products is very difficult to achieve and the façade will likely crumble as the team fails to deliver. Hey, don’t say I didn’t warn you.

An “exciting new token with innovative patented blockchain technology,” day 242. Credit: Midjourney AI

🚩No utility. What’s the purpose of the token? What problem does it solve? Why does it need to exist? Should it exist? Does this really need to be something on the blockchain? Is this something that is actually used for a consumable purpose, you know, to buy a product or a service of some sort?

A token without utility is just a glorified Ponzi Scheme — where at its roots, the goal is to make money off the greater fool that comes after.

— Your Conscience

🚩Very few holders. A very low holder count indicates that very few people found the project attractive or interesting enough to purchase, which should probably make you second-guess your involvement in the project as well.

🚩Airdropped tokens. Unless a token is doing a relaunch, there’s no reason for people to be airdropping tokens. It’s a tactic that some scammers will use to try to artificially inflate token holder count to dupe unsuspecting victims.

🚩Top-heavy holders. Are there any wallets with more than 2–3% of circulating supply? Who are they? Do they look like normal wallets, or super-clean wallets prepared to be anonymous top holders? Are they from a presale? Private sale? Allocation? Day-1 buys?

The top wallet holders on any given project can give you a lot of insight into whether or not the project insiders tried to wrestle an advantage over the general public.

Well, there you have it. Try not to lose your shirt.


David Wyly is the CEO of Decentra, Inc (which includes brands such as the All For One crypto mobile app), Director of Engineering for Dappd, LLC, a Blockchain Consultant and Principal Software Engineer, and serves on the Blockchain and Digital Innovation Task Force for the State of Utah.
