How to tell if a Web3 project is legit
A practical checklist for judging a crypto project before you connect a wallet or buy a token.
Start with the entity, not the token
Most people start with the price chart. Wrong order. Start with who is behind the thing. Is there a registered company, a named team, a real jurisdiction? A project that hides all of that is telling you something. Anonymity is not automatically a red flag in crypto; plenty of legitimate protocols ship pseudonymously. But anonymity plus custody of your funds plus no audit is a different animal.
Check the security trail
Look for audits, and read who did them and when. An audit from a known firm dated last month means more than the logo of a firm that reviewed the code three years and four rewrites ago. Check whether the contracts are upgradeable, who controls the upgrade key, and whether funds sit behind a multisig or a single wallet. A single hot wallet controlling the treasury is the kind of detail that ends badly.
Also look for a bug bounty. A live bounty means the team is paying people to find holes before attackers do. It is a cheap signal that they take security seriously.
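The upgrade-key check described above, as an added example that is not part of the article: it reads the two public EIP-1967 storage slots of a proxy contract and classifies whether the account allowed to swap the code is a single externally owned wallet or a contract such as a multisig or timelock. The chain state here is constructed so the script runs offline; against a live node the two reader callables would be web3.py's `w3.eth.get_storage_at` and `w3.eth.get_code`.

```python
# EIP-1967 storage slots: keccak256("eip1967.proxy.implementation") - 1 and
# keccak256("eip1967.proxy.admin") - 1. These are public constants.
IMPL_SLOT = 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc
ADMIN_SLOT = 0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103

def assess_upgrade_control(read_storage, get_code, proxy):
    """Classify who can swap the code behind an EIP-1967 proxy.
    read_storage(address, slot) -> int   (32-byte storage word as an integer)
    get_code(address)           -> bytes (empty for an externally owned account)
    """
    if read_storage(proxy, IMPL_SLOT) == 0:
        # No implementation pointer: not a standard proxy. It may still be
        # upgradeable through another pattern, so confirm from the source.
        return {"upgradeable": False, "admin": None,
                "verdict": "no EIP-1967 proxy detected; confirm code is immutable"}
    admin = read_storage(proxy, ADMIN_SLOT)
    if admin == 0:
        return {"upgradeable": True, "admin": None,
                "verdict": "proxy with empty admin slot; read the source for the upgrade path"}
    admin_addr = f"0x{admin:040x}"
    if get_code(admin_addr) == b"":
        # Admin is a plain wallet: one private key can replace the contract code.
        return {"upgradeable": True, "admin": admin_addr,
                "verdict": "single key controls upgrades (high risk)"}
    # Admin is a contract (multisig, timelock, ProxyAdmin): inspect signers and delay next.
    return {"upgradeable": True, "admin": admin_addr,
            "verdict": "upgrades controlled by a contract; check signer threshold and timelock"}

# Constructed chain state so the example runs offline (hypothetical addresses).
PROXY_EOA_ADMIN = "0x" + "a1" * 20   # proxy whose admin is a plain wallet
PROXY_SAFE_ADMIN = "0x" + "b2" * 20  # proxy whose admin is a contract
EOA = "0x" + "c3" * 20
SAFE = "0x" + "d4" * 20
_STORAGE = {
    (PROXY_EOA_ADMIN, IMPL_SLOT): int("e5" * 20, 16), (PROXY_EOA_ADMIN, ADMIN_SLOT): int(EOA, 16),
    (PROXY_SAFE_ADMIN, IMPL_SLOT): int("e5" * 20, 16), (PROXY_SAFE_ADMIN, ADMIN_SLOT): int(SAFE, 16),
}
_CODE = {SAFE: b"\x60\x80\x60\x40"}  # only the contract admin has bytecode

def fake_read_storage(address, slot):
    return _STORAGE.get((address, slot), 0)

def fake_get_code(address):
    return _CODE.get(address, b"")

if __name__ == "__main__":
    for proxy in (PROXY_EOA_ADMIN, PROXY_SAFE_ADMIN):
        print(proxy, assess_upgrade_control(fake_read_storage, fake_get_code, proxy)["verdict"])
```

A contract admin is not automatically safe: a 1-of-1 multisig or a timelock with a zero delay is still a single key in practice, so the signer set and delay need reading too.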
Read the money
Find the token distribution. What share did insiders keep, what is the vesting schedule, and when do large unlocks hit? A project where the team and early investors hold most of the supply with a short cliff is built for them, not you. Treasury transparency matters too. Can you see the wallets? Is there runway?
Weigh the track record
How long has it operated, has it been exploited, and how did it respond when something went wrong? An honest post-mortem after an incident is worth more than a clean record with no disclosure, because the clean record might just mean nobody is looking. Reputation is built on how a team behaves on its worst day.
- Judge the entity and the team before the token.
- Recent audits, multisig custody and a live bug bounty are the security basics.
- Read the token distribution and unlock schedule, not just the price.
- How a team handled a past incident tells you more than a spotless record.
FAQ
Is an anonymous team a red flag?
No. Many legitimate protocols ship pseudonymously. It becomes a concern when anonymity is combined with custody of user funds, no audit and no track record.
Does an audit make a project safe?
No. An audit is a point-in-time review of specific code. It reduces risk, it does not remove it, and it says nothing about the team or the tokenomics.