Legal and regulatory transparency. Before investing, investors review the project’s jurisdiction, licenses, AML/CFT procedures, and sanctions compliance. Missing licenses or operations in high-risk jurisdictions may point to regulatory issues.
Clear tokenomics and supply schedule. Investors analyze the maximum token supply, allocation among founders, investors, and treasury, vesting structure, and burn mechanisms. Incorrect or hidden issuance rules may cause inflation and loss of value.
Smart contract and bridge reliability. Contracts are reviewed for vulnerabilities such as reentrancy, oracle manipulation, and overflow risks, while bridges are checked for single-validator exposure.
Wallet security and key management. Private key storage defines the risk of losing funds. Multisig and MPC structures distribute control among several participants and reduce the risk of a single point of failure.
Team and governance quality. Founder background checks, independent oversight, and transparent decision-making help prevent conflicts of interest and misuse of investor or user assets.
Token liquidity and exchange exposure. Investors review exchange listings, trading volume, liquidity depth, withdrawal conditions, and dependency on specific centralized or decentralized venues.
Financial and treasury transparency. Investors request financial reports, treasury wallet addresses, proof-of-reserves data, audit reports, and multisig controls before making a decision.
Investing in crypto startups, entering M&A deals, or building partnerships without proper review can lead to major losses. Traditional financial analysis rarely covers decentralized-network risks: smart contract vulnerabilities, unclear tokenomics, key storage issues, and sanctions compliance gaps are often hidden behind polished pitch decks. Crypto due diligence helps uncover these risks so investors, funds, and companies can make informed decisions.

Crypto due diligence is a structured review of a blockchain project that helps identify legal, technical, and operational risks that are not typically visible in standard financial reporting. Unlike traditional due diligence, it covers crypto-specific areas, including smart contracts, tokenomics, wallet security, governance, exchange exposure, and regulatory compliance. This is important because incorrect token classification or weak controls can lead to penalties, trading restrictions, blocked partnerships, or loss of investor funds.
Core review areas include:
Smart contracts and protocols: code quality, vulnerabilities, admin rights, timelocks, multisig approvals, and upgrade procedures.
Tokenomics: supply, allocation, vesting, inflation, unlock schedules, and planned emissions.
Wallets and custody: self-custody, exchange custody, multisig wallets, MPC custody, and private key security.
Compliance: licenses, jurisdictions, AML/KYC procedures, sanctions screening, and regulatory exposure.
Governance: board structure, founder control, DAO voting, token-holder rights, and decision-making transparency.
Exchange exposure: listings, trading volume, liquidity quality, withdrawal terms, and dependence on specific venues.
Together, these areas form a practical web3 due diligence checklist for evaluating blockchain projects before investment, M&A, token sales, or strategic partnerships.

This blockchain due diligence checklist covers the core areas investors should review before making an investment decision.
Investors review jurisdiction, licenses, token classification, AML/KYC policies, sanctions exposure, and links to high-risk jurisdictions. Weak compliance can lead to banking issues, lawsuits, delistings, investigations, lower valuation, or a failed deal.

Investors check supply, circulation, allocation, vesting, emissions, staking rewards, and burn mechanisms. Unlimited issuance, hidden premine, unclear allocation, or fast insider unlocks can create inflation and selling pressure.
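The unlock check described above can be reproduced from the project's own allocation table. The script below is an added example written for this article, not a tool from any project: it models each allocation with a release at the token generation event, an optional cliff, and linear monthly vesting afterwards (an assumed but common pattern), confirms the allocations sum to the stated maximum supply, and flags months in which insider unlocks are large relative to the supply already circulating. All allocation figures and vesting terms are constructed.

```python
"""Model token unlock schedules and flag months with heavy insider unlocks.

Added example for this article, not code from any project. Allocation sizes
and vesting terms are constructed. Assumption: each allocation releases a
share at TGE (month 0), then nothing during the cliff, then equal monthly
amounts starting the month after the cliff ends.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Allocation:
    name: str
    tokens: int
    tge_unlock_bps: int    # share released at TGE, in basis points (10000 = 100%)
    cliff_months: int      # months after TGE with no further release
    vesting_months: int    # months of linear release after the cliff (0 = all at cliff end)

    def unlocked_by(self, month: int) -> int:
        """Cumulative tokens released by the end of `month` (month 0 = TGE)."""
        if month < 0:
            return 0
        at_tge = self.tokens * self.tge_unlock_bps // 10_000
        remaining = self.tokens - at_tge
        if self.vesting_months == 0:
            return self.tokens if month >= self.cliff_months else at_tge
        vested = max(0, min(month - self.cliff_months, self.vesting_months))
        return at_tge + remaining * vested // self.vesting_months


def allocation_sums_to(allocs, max_supply: int) -> bool:
    """Check that the allocation table accounts for exactly the stated max supply."""
    return sum(a.tokens for a in allocs) == max_supply


def monthly_unlocks(allocs, months: int):
    """Per month: (month, newly unlocked tokens by allocation name, circulating total)."""
    rows = []
    for m in range(months + 1):
        new = {a.name: a.unlocked_by(m) - a.unlocked_by(m - 1) for a in allocs}
        rows.append((m, new, sum(a.unlocked_by(m) for a in allocs)))
    return rows


def flag_unlock_pressure(allocs, months: int, insider_names, threshold_pct: float):
    """Months where insider unlocks are >= threshold_pct of the prior month's circulating supply.

    Returns (month, insider tokens unlocked, percentage of prior circulating supply).
    """
    flagged = []
    for m, new, _ in monthly_unlocks(allocs, months):
        if m == 0:
            continue
        prior = sum(a.unlocked_by(m - 1) for a in allocs)
        insider_new = sum(new[n] for n in insider_names)
        if prior > 0:
            pct = insider_new * 1000 // prior / 10   # one decimal, integer arithmetic
            if pct >= threshold_pct:
                flagged.append((m, insider_new, pct))
    return flagged


# Constructed allocation table for a 1,000,000,000 max-supply token.
MAX_SUPPLY = 1_000_000_000
SAMPLE_ALLOCATIONS = (
    Allocation("community", 300_000_000, 5_000, 0, 12),   # 50% at TGE, rest over 12 months
    Allocation("treasury", 350_000_000, 1_000, 0, 36),    # 10% at TGE, rest over 36 months
    Allocation("investors", 150_000_000, 0, 6, 1),        # nothing for 6 months, then all at once
    Allocation("team", 200_000_000, 0, 12, 24),           # 12-month cliff, 24-month linear
)
INSIDERS = {"investors", "team"}


if __name__ == "__main__":
    print("allocations sum to max supply:", allocation_sums_to(SAMPLE_ALLOCATIONS, MAX_SUPPLY))
    for month, tokens, pct in flag_unlock_pressure(SAMPLE_ALLOCATIONS, 36, INSIDERS, 10.0):
        print(f"month {month}: insiders unlock {tokens:,} tokens ({pct}% of circulating supply)")
```

In the constructed table the investor cliff releases the whole allocation in one month, which the check flags as an unlock equal to nearly half of the supply circulating at that point; the team's slower linear schedule stays under the threshold. A reviewer would run the same calculation against the figures in the project's token table and compare the result with any unlock calendar the project publishes.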
Investors review audit reports, scope, unresolved issues, remediation, bug bounties, upgrade mechanisms, access control, admin rights, and timelocks. Weak or outdated audits may leave exploitable vulnerabilities.
Investors assess how treasury funds, investor tokens, and operational assets are stored, including custody model, multisig or MPC setup, signer policies, backups, and recovery plans. Poor key management or informal approvals can cause irreversible losses.
Investors check founder identities, backgrounds, prior projects, legal history, conflicts of interest, governance model, DAO rules, admin key control, and decision-making transparency. Anonymous teams or centralized control increase fraud and mismanagement risks.
Investors review exchange listings, trading volume, liquidity depth, market-maker terms, DEX pools, withdrawal rules, token concentration, and venue exposure. Low liquidity or artificial volume can distort demand and limit safe exits.
Investors review financial statements, budgets, runways, revenue, liabilities, investor agreements, cap tables, token allocations, treasury wallets, proof of reserves, and treasury controls. Missing records or poorly controlled wallets may signal weak internal controls.
Investors assess infrastructure security, RPC setup, cloud access, internal policies, penetration testing, incident response, third-party dependencies, bridge architecture, oracle design, and employee access. The team must be able to prevent, detect, and respond to attacks before funds are lost.

Smart contracts may contain vulnerabilities such as reentrancy, weak access control, oracle manipulation, arithmetic errors, or unsafe upgrades. During due diligence, investors review audit history, unresolved issues, test coverage, bug bounty scope, upgrade process, and whether deployed contracts match the audited code. An audit helps reduce risk but does not guarantee full security.
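One of the checks named above, whether the deployed contract matches the audited code, can be done mechanically once both bytecodes are in hand. The script below is an added example for this article, not an audit firm's or project's tool. It assumes the contract was compiled with solc's default setting of appending a CBOR metadata blob to the runtime bytecode, whose last two bytes give the blob's length; that blob must be stripped before comparison because it changes with the source-file hash and compiler version even when the executable code is identical. The bytecodes and metadata values are constructed.

```python
"""Compare deployed EVM runtime bytecode against an audited build.

Added example for this article, not code from any audit firm or project.
Assumption: solc appended its CBOR metadata trailer to the runtime code
(the default), so the final two bytes hold the trailer length. The sample
bytecodes below are constructed stand-ins, not real contracts.
"""
import hashlib


def _to_bytes(hex_str: str) -> bytes:
    return bytes.fromhex(hex_str[2:] if hex_str.startswith("0x") else hex_str)


def strip_metadata(runtime: bytes) -> bytes:
    """Remove the solc CBOR metadata trailer from runtime bytecode.

    The trailer ends with a two-byte big-endian length of the CBOR map that
    precedes it; everything from that map onward is dropped.
    """
    if len(runtime) < 2:
        raise ValueError("bytecode too short to carry a metadata trailer")
    meta_len = int.from_bytes(runtime[-2:], "big")
    if meta_len + 2 > len(runtime):
        raise ValueError("metadata length field exceeds bytecode size")
    return runtime[: len(runtime) - meta_len - 2]


def code_fingerprint(runtime: bytes) -> str:
    """SHA-256 of the metadata-stripped code (any collision-resistant hash works for equality)."""
    return hashlib.sha256(strip_metadata(runtime)).hexdigest()


def matches_audited_build(deployed_hex: str, audited_hex: str) -> bool:
    """True when deployed code equals audited code once metadata is ignored."""
    return code_fingerprint(_to_bytes(deployed_hex)) == code_fingerprint(_to_bytes(audited_hex))


def _fake_metadata(ipfs_digest: bytes, solc_version: bytes) -> bytes:
    """Build a solc-style CBOR trailer for the constructed samples."""
    body = (
        b"\xa2"                                     # CBOR map with two entries
        + b"\x64ipfs" + b"\x58\x22" + ipfs_digest   # "ipfs": 34-byte multihash
        + b"\x64solc" + b"\x43" + solc_version      # "solc": 3-byte version
    )
    return body + len(body).to_bytes(2, "big")


# Constructed sample: a few opcodes standing in for a contract's runtime code.
SAMPLE_CODE = bytes.fromhex("6080604052348015600f57600080fd5b")
AUDITED = SAMPLE_CODE + _fake_metadata(b"\x12\x20" + b"\x01" * 32, b"\x00\x08\x14")
# Same code rebuilt with a different source hash and compiler patch level: should match.
REDEPLOYED = SAMPLE_CODE + _fake_metadata(b"\x12\x20" + b"\x02" * 32, b"\x00\x08\x15")
# One opcode changed (0x34 CALLVALUE -> 0x33 CALLER) under identical metadata: must not match.
TAMPERED = SAMPLE_CODE.replace(b"\x34", b"\x33", 1) + _fake_metadata(b"\x12\x20" + b"\x01" * 32, b"\x00\x08\x14")


if __name__ == "__main__":
    print("redeployed matches audited:", matches_audited_build(REDEPLOYED.hex(), AUDITED.hex()))
    print("tampered matches audited:  ", matches_audited_build(TAMPERED.hex(), AUDITED.hex()))
```

In practice the deployed bytecode comes from the chain (an `eth_getCode` call against the contract address) and the audited bytecode from rebuilding the commit named in the audit report with the same compiler settings. A mismatch after stripping metadata means the code running on-chain is not the code that was audited, and the audit report should not be relied on until the difference is explained.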
Cross-chain bridges pose a high risk because they transfer value across networks and rely on message verification. Investors should review the validator structure, oracle design, signing logic, emergency pause controls, and who can approve transfers. Weak bridge security can allow forged messages, unauthorized asset releases, and losses across connected DeFi protocols.
Private keys control access to crypto assets. Investors should review multisig or MPC custody, signer roles, hardware wallet use, backup procedures, access logs, and approval rules for large transfers. Poor key management, compromised devices, or informal approval processes can lead to irreversible asset loss.
Many crypto projects depend on external infrastructure such as oracles, bridges, staking protocols, lending markets, RPC providers, wallets, and custodians. Investors should map these dependencies and check fallback plans, since failures or manipulation by third-party services can create losses even if the project’s own systems are secure.
Some blockchain projects appear decentralized but still rely on centralized systems, such as a single admin wallet, a cloud provider, an RPC endpoint, a sequencer, an insider-controlled multisig, or an off-chain server. Investors should check whether the project can keep operating if one provider fails, whether admin powers are limited by timelocks, and whether emergency controls are transparent.
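The approval rules for large transfers and the timelock on admin powers mentioned in the two paragraphs above are easier to assess when the policy is written down precisely enough to be tested. The script below is an added example for this article, not code from any wallet, project or custody provider: it encodes a custody policy (ordinary and large-transfer approval thresholds, a minimum number of non-founder approvals, and a timelock) and evaluates a proposed transfer against it, listing every rule the transfer would break. Signer names, limits and timestamps are constructed.

```python
"""Evaluate a proposed treasury transfer against a written custody policy.

Added example for this article, not code from any wallet or project. It
checks the kinds of rules the text describes: a multisig threshold, a
stricter threshold for large transfers, a minimum number of approvals from
non-founder signers, and a timelock between queueing and execution.
All signer names, limits and timestamps are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CustodyPolicy:
    signers: frozenset           # authorised signer identifiers
    threshold: int               # approvals needed for ordinary transfers
    large_transfer_limit: int    # amount at or above which the large tier applies
    large_threshold: int         # approvals needed for large transfers
    timelock_seconds: int        # minimum delay between queueing and execution
    min_independent: int         # approvals that must come from non-founder signers
    founders: frozenset = frozenset()


@dataclass(frozen=True)
class ProposedTransfer:
    amount: int
    approvals: tuple             # signer identifiers in approval order
    queued_at: int               # unix seconds
    execute_at: int              # unix seconds


def evaluate_transfer(policy: CustodyPolicy, tx: ProposedTransfer) -> list:
    """Return the list of policy violations; an empty list means the transfer may execute."""
    problems = []

    unknown = [s for s in tx.approvals if s not in policy.signers]
    if unknown:
        problems.append("unknown signer(s): " + ", ".join(unknown))

    valid = [s for s in tx.approvals if s in policy.signers]
    distinct = set(valid)
    if len(distinct) < len(valid):
        problems.append("duplicate approvals from the same signer do not count twice")

    required = policy.large_threshold if tx.amount >= policy.large_transfer_limit else policy.threshold
    if len(distinct) < required:
        problems.append(f"{len(distinct)} distinct approval(s), {required} required for this amount")

    independent = distinct - policy.founders
    if len(independent) < policy.min_independent:
        problems.append(f"only {len(independent)} non-founder approval(s), {policy.min_independent} required")

    elapsed = tx.execute_at - tx.queued_at
    if elapsed < policy.timelock_seconds:
        problems.append(f"timelock not satisfied: {elapsed}s elapsed, {policy.timelock_seconds}s required")

    return problems


# Constructed policy: five signers, two of them founders.
POLICY = CustodyPolicy(
    signers=frozenset({"alice", "bob", "carol", "dave", "erin"}),
    threshold=2,
    large_transfer_limit=1_000_000,
    large_threshold=3,
    timelock_seconds=86_400,
    min_independent=1,
    founders=frozenset({"alice", "bob"}),
)

# Ordinary transfer, one founder and one independent signer, queued a day ahead.
OK_TX = ProposedTransfer(amount=500_000, approvals=("alice", "carol"), queued_at=0, execute_at=90_000)
# Large transfer approved only by founders (one of them twice), executed an hour after queueing.
BAD_TX = ProposedTransfer(amount=2_000_000, approvals=("alice", "bob", "bob"), queued_at=0, execute_at=3_600)


if __name__ == "__main__":
    print("ordinary transfer:", evaluate_transfer(POLICY, OK_TX) or ["ok"])
    for problem in evaluate_transfer(POLICY, BAD_TX):
        print("large transfer:", problem)
```

A reviewer would compare the encoded policy with what the project's multisig or MPC configuration actually enforces on-chain. A policy that exists only in a document, with no corresponding threshold or timelock in the deployed controls, is one of the informal approval processes the text warns about.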
External audits reduce risk but do not guarantee safety. They may cover only one code version, exclude integrations, or become outdated after upgrades. Investors should check whether the project also uses internal testing, formal verification where possible, bug bounties, monitoring tools, incident response plans, and clear disclosure of security issues.

For investor due diligence on crypto projects, venture capital funds and institutional investors usually follow a structured process that combines legal, technical, financial, and operational checks. Crypto due diligence is often divided into several parallel areas: smart contract and code review, tokenomics, regulatory exposure, team verification, treasury management, and operational controls.
Before making an investment decision, investors typically ask the project to provide a full document package. This may include corporate documents, shareholder agreements, licensing information, legal opinions, financial statements, smart contract audit reports, token allocation tables, vesting schedules, treasury records, and technical documentation.
For crypto startup due diligence, the documentation package often includes:
company registration documents and ownership structure;
shareholder agreements and cap table;
whitepaper and technical documentation;
token allocation table and vesting schedule;
legal opinion on token classification;
AML/KYC and sanctions compliance policies;
smart contract audit reports;
treasury wallet addresses and custody procedures;
financial statements, budget, and runway model;
exchange listing plans and liquidity strategy;
incident response plan and cybersecurity policies.
These documents help investors understand whether the project is legally structured, technically secure, financially transparent, and ready for institutional capital.
VC funds start with the business case: market size, product need, traction, revenue model, and competition. Then they assess token utility, tokenomics, incentive dependence, codebase, audit history, legal status, compliance risks, runway, treasury controls, and related-party transactions.
Institutional investors apply stricter checks, often requiring proof of reserves, third-party custody, SOC reports, audited financials, clear governance, and documented risk controls. They also review counterparty exposure, liquidity risks, compliance readiness, and resilience to hacks or regulatory pressure.

A virtual data room (VDR) gives investors controlled access to legal, financial, technical, compliance, tokenomics, governance, and treasury documents. Access controls and activity tracking make the process faster and easier to audit.
After closing, investors monitor treasury wallets, token unlocks, governance votes, exchange exposure, audits, new contracts, and regulatory changes.
The collapse of FTX remains one of the clearest examples of why governance, treasury controls, and related-party exposure must be reviewed before any crypto investment. Reuters reported that Sam Bankman-Fried was sentenced to 25 years in prison for stealing $8 billion from customers, while FTX’s new leadership described severe failures in corporate controls and recordkeeping. For investors, the lesson is clear: exchange exposure, asset segregation, independent oversight, and treasury transparency should never be treated as secondary checks.
The Ronin Network hack showed how bridge security and private key management can create systemic losses. In 2022, hackers stole about $615 million from Ronin, the blockchain bridge used by Axie Infinity. According to reports, the attacker used stolen private keys to authorize withdrawals, making this case a direct warning for projects that rely on bridges, validators, and multisig structures without enough independent controls.
Before investing, investors look for red flags that may reveal weak controls, hidden risks, or an unstable model. One issue may not stop a deal, but several warning signs can reduce valuation or end due diligence.
Common red flags include:
Anonymous founders with unverifiable backgrounds or no previous project history.
Unrealistic token economics, including unlimited supply, unclear allocation, missing vesting, or guaranteed yields.
Weak or outdated audits that do not cover the deployed smart contract version.
Hidden token unlocks that may create sudden selling pressure.
Weak governance, centralized admin powers, unclear DAO rules, or one founder controlling treasury wallets.
Poor liquidity transparency, low volume, dependence on one exchange, artificial trading activity, or unclear market-maker terms.
Treasury on centralized exchanges, exposing funds to hacks, frozen withdrawals, or counterparty failure.
Inconsistent documentation across the whitepaper, pitch deck, legal opinion, token table, and smart contract code.
No incident response plan for hacks, bridge failures, oracle issues, or key compromise.
Overdependence on hype without audited code, real usage, a clear revenue model, or a transparent treasury.
Crypto due diligence is a combination of legal, technical, and operational assessments. Most risks in crypto projects are connected to unclear infrastructure, weak governance, non-transparent tokenomics, poor key management, and insufficient compliance controls.
A strong crypto due diligence checklist helps investors evaluate whether a project is legally sound, technically secure, financially transparent, and ready for institutional capital. For crypto startup due diligence, the goal is not only to find upside potential but also to identify hidden risks before they affect valuation, liquidity, or investor protection.
Crypto due diligence includes a review of the project’s legal structure, licenses, tokenomics, smart contracts, wallet security, team background, governance, treasury, financial records, compliance procedures, exchange exposure, and cybersecurity risks.
Smart contract audits help identify vulnerabilities before attackers exploit them. They are important because smart contracts often control user funds directly, and one coding or logic error can lead to irreversible losses.
Investors review the total supply, circulating supply, allocation table, vesting schedule, unlock dates, emission model, staking rewards, burn mechanisms, and liquidity plan.
The biggest risks include vulnerable smart contracts, weak private key management, unclear tokenomics, regulatory exposure, low liquidity, centralized governance, poor treasury controls, and dependence on high-risk third-party protocols.
The timeline depends on the project’s size, stage, and complexity. A simple early-stage review may take a few weeks, while a mature protocol, M&A deal, or institutional investment round may require several months.
