How to Evaluate a Web3 Protocol: An On-Chain Due Diligence Framework
Learn how to research any Web3 protocol using on-chain data. This framework covers developer activity, TVL, audits, tokenomics, and governance.

Why Most Crypto Research Goes Wrong
The most common mistake people make when evaluating a Web3 protocol is starting with price. Price is a downstream outcome. It reflects current market sentiment, which is frequently wrong, especially in crypto.
What you actually want to understand is whether a protocol is doing anything real. Is it being actively developed? Are users paying to use it? Is the token structure designed to transfer value to founders at the expense of everyone else? Are the smart contracts reviewed by independent auditors?
These are the questions a researcher, analyst, or serious learner should ask. This framework provides a structured way to answer them using publicly available data.
Important disclaimer: This framework is educational. It is designed to help you think critically about protocol fundamentals. It is not financial advice. No research framework eliminates investment risk in crypto.
The 8-Pillar Due Diligence Framework
This framework organizes your research into eight pillars. Each addresses a different dimension of protocol health.
# | Pillar | What You Are Asking | Primary Sources |
1 | Developer Activity | Is anyone actually building this? | GitHub, Electric Capital |
2 | On-Chain Revenue & Usage | Are real users paying to use this? | Token Terminal, DeFiLlama |
3 | Token Emission Schedule | Is inflation destroying the token value? | Whitepaper, Dune Analytics |
4 | Audit History | Has the code been independently reviewed? | Audit PDFs, Rekt.news |
5 | Governance Structure | Who can change the protocol? | Snapshot, Tally, docs |
6 | TVL Quality | Is locked capital real or mercenary? | DeFiLlama, on-chain flows |
7 | Team & Transparency | Can you verify who built this? | LinkedIn, on-chain addresses |
8 | Competitive Positioning | Why does this exist vs. alternatives? | Research, comparisons |
Pillar 1: Developer Activity
A protocol without active development is a protocol that is stagnating. GitHub is your first stop.
Look at:
Commit frequency: Is the team consistently shipping code, or did activity peak before a fundraise and then drop?
Contributor count: A protocol built by one or two people is more fragile than one with ten or twenty contributors.
Open issues and pull requests: Are bug reports being addressed, or are they piling up?
Repository age: A two-month-old repository with 50,000 stars is unusual and warrants skepticism.
What good looks like: Consistent commit history over many months, multiple active contributors, resolved issues, and open-source code.
What to be concerned about: A burst of activity right before a token launch followed by silence, or a single anonymous contributor controlling the codebase.
Pillar 2: On-Chain Revenue and Usage
Revenue in the context of a Web3 protocol refers to the fees the protocol collects from users. This is distinct from token price. A protocol can have a high token price and zero revenue.
Token Terminal is the standard tool for this. It reports protocol revenue (fees going to the protocol treasury or token holders) versus supply-side revenue (fees going to liquidity providers or validators).
Useful metrics to track:
Daily active users: Is usage growing, flat, or declining?
Transaction volume: Does it reflect real economic activity?
Price-to-fees ratio: Analogous to a price-to-earnings ratio in traditional finance. A very high ratio may indicate the token is priced beyond what fundamentals support.
What good looks like: Growing user count, genuine transaction volume not tied to token incentives, and protocol revenue that covers operational costs.
What to be concerned about: All usage metrics spike during token airdrop periods and collapse after. This pattern suggests the protocol lacks organic demand.
Pillar 3: Token Emission Schedule
Token emission refers to how new tokens enter circulation over time. This is one of the most underread parts of any protocol, yet it directly affects the economic dynamics for everyone involved.
The core questions:
What percentage of the total supply is allocated to the team, investors, and advisors?
When do those allocations unlock?
Is there a vesting cliff followed by a large unlock?
How much of the total supply is already circulating?
A common pattern in lower-quality protocols is a large initial circulating supply to create the appearance of liquidity, followed by significant team and investor unlocks within 12 to 18 months of launch. This dilutes existing holders.
Dune Analytics and the project's whitepaper or tokenomics documentation are the primary sources here. Some projects also publish unlock schedules on Token Terminal or Messari.
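A rough unlock calendar of the kind this pillar asks for can be computed directly from the allocation table. The following is an added example, not taken from any project's documentation: the `Allocation` fields, the 10 percent flag threshold, and the sample schedule are all constructed assumptions, and vesting is assumed to accrue linearly from launch with release withheld until the cliff.

```python
from dataclasses import dataclass

@dataclass
class Allocation:
    name: str
    tokens: int          # tokens granted to this bucket
    tge_fraction: float  # share of the bucket liquid at launch (month 0)
    cliff_months: int    # nothing beyond the launch share is released before this month
    vest_months: int     # linear vesting period measured from launch (0 = all at cliff)

    def unlocked(self, month: int) -> float:
        """Cumulative tokens released by `month`; vesting accrues from launch
        but is withheld until the cliff, so the cliff month releases the backlog."""
        liquid = self.tokens * self.tge_fraction
        if month < self.cliff_months:
            return liquid
        vested = 1.0 if self.vest_months == 0 else min(1.0, month / self.vest_months)
        return liquid + (self.tokens - liquid) * vested

def circulating(allocs, month):
    """Total tokens in circulation across all buckets at `month`."""
    return sum(a.unlocked(month) for a in allocs)

def unlock_calendar(allocs, months):
    """Rows of (month, tokens newly unlocked, growth relative to prior circulating supply)."""
    rows, prev = [], circulating(allocs, 0)
    for m in range(1, months + 1):
        cur = circulating(allocs, m)
        growth = (cur - prev) / prev if prev else float("inf")
        rows.append((m, cur - prev, growth))
        prev = cur
    return rows

def flag_unlocks(allocs, months, threshold=0.10):
    """Months in which circulating supply grows by at least `threshold`."""
    return [(m, round(g, 3)) for m, _, g in unlock_calendar(allocs, months) if g >= threshold]

# Constructed tokenomics for a hypothetical 1B-supply token (not a real project).
SCHEDULE = [
    Allocation("community", 400_000_000, 0.25, 0, 48),
    Allocation("treasury", 150_000_000, 0.0, 0, 60),
    Allocation("team", 200_000_000, 0.0, 12, 36),
    Allocation("investors", 250_000_000, 0.0, 12, 24),
]

if __name__ == "__main__":
    print("circulating at launch:", circulating(SCHEDULE, 0))
    for month, growth in flag_unlocks(SCHEDULE, 36):
        print(f"month {month}: circulating supply grows {growth:.0%}")
```

In this constructed schedule only 10 percent of supply circulates at launch, and the month-12 cliff for team and investors roughly doubles the circulating supply in a single step.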
Pillar 4: Audit History
Smart contracts are code. Code has bugs. In Web3, bugs in smart contracts can mean users losing funds, sometimes permanently.
A credible audit involves an independent security firm reviewing the code, documenting vulnerabilities, and publishing a report. The project should then address the findings before deploying to mainnet.
Reputable auditing firms include Trail of Bits, CertiK, OpenZeppelin, PeckShield, and Halborn. An audit from an unknown firm with no track record provides limited assurance.
Steps to check:
Find the audit report: It should be publicly linked in the project documentation. If it is not published, that is a concern.
Check findings: What severity of vulnerabilities were found? Were they all resolved?
Check rekt.news: This site maintains an archive of notable protocol exploits. If your protocol appears there, understand what happened and whether the vulnerability was patched.
Check the audit date: An audit from 2021 on a protocol that has been significantly updated since is not current assurance.
Key point: An audit reduces risk but does not eliminate it. The 2025 Web3 Security Report widely cited in the industry noted that the majority of losses in that year came from access control issues, many of which audits do not catch, rather than from code logic bugs.
Pillar 5: Governance Structure
Governance determines who can change the protocol. This matters because a poorly designed governance structure can allow a small group to upgrade contracts, drain the treasury, or change the fee model without adequate notice or community input.
Key questions:
Is there a time lock on contract upgrades? A time lock forces a delay between a governance vote passing and the change taking effect, giving users time to exit if they disagree.
What is the token concentration among governance voters? If 10 wallets control 60 percent of governance power, meaningful decentralization does not exist.
Is there a history of governance participation? Low voter turnout can allow a small group to pass changes that benefit themselves.
Snapshot and Tally are standard tools for reviewing governance proposals and historical votes. Etherscan allows you to check contract upgrade permissions directly.
Pillar 6: TVL Quality
Total Value Locked (TVL) measures the dollar value of assets deposited in a protocol. It is widely quoted, and widely misunderstood.
TVL can be inflated by token emission incentives. When a protocol pays users in its own token to deposit capital, TVL rises. When the incentive program ends, the capital often leaves. This is called mercenary capital.
How to distinguish real TVL from incentive-driven TVL:
Compare TVL before, during, and after any major token incentive program.
Look at TVL relative to protocol revenue. A protocol with $500 million TVL and near-zero revenue is not generating sustainable economic activity.
Check for TVL concentration: if 80 percent of deposits come from five wallets, the number is fragile.
DeFiLlama is the standard tool for TVL data. It breaks down TVL by chain, allows historical comparisons, and shows protocol revenue alongside TVL.
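The concentration question appears twice in this framework, for governance voting power in Pillar 5 and for deposits here, and the before/during/after comparison can be reduced to a single retention ratio. The following is an added example, not code from any of the tools named: the function names, wallet labels, and all figures are constructed, and it assumes you have already exported balances per wallet and a daily TVL series.

```python
def top_n_share(balances, n):
    """Fraction of the total held by the n largest holders."""
    ranked = sorted(balances.values(), reverse=True)
    return sum(ranked[:n]) / sum(ranked)

def holders_to_reach(balances, share):
    """Smallest number of holders whose combined balance reaches `share` of the total."""
    target = share * sum(balances.values())
    running = 0
    for count, amount in enumerate(sorted(balances.values(), reverse=True), start=1):
        running += amount
        if running >= target:
            return count
    return len(balances)

def incentive_retention(tvl_by_day, start, end):
    """Mean TVL after the incentive window divided by mean TVL during it.
    Values well below 1.0 mean deposits left when the rewards stopped."""
    during = [v for day, v in tvl_by_day if start <= day <= end]
    after = [v for day, v in tvl_by_day if day > end]
    if not during or not after:
        raise ValueError("need observations both during and after the window")
    return (sum(after) / len(after)) / (sum(during) / len(during))

# Constructed governance snapshot: voting power per wallet (labels are placeholders).
VOTES = {"whale_1": 300_000, "whale_2": 150_000, "whale_3": 100_000, "whale_4": 50_000}
VOTES.update({f"small_{i:02d}": 20_000 for i in range(20)})

# Constructed daily TVL in USD: 10 days before, 10 days of rewards, 10 days after.
TVL = [(d, 50_000_000) for d in range(10)]
TVL += [(d, 200_000_000) for d in range(10, 20)]
TVL += [(d, 60_000_000) for d in range(20, 30)]

if __name__ == "__main__":
    print(f"top-3 voting share: {top_n_share(VOTES, 3):.0%}")
    print(f"wallets needed for a majority: {holders_to_reach(VOTES, 0.5)}")
    print(f"TVL retained after rewards: {incentive_retention(TVL, 10, 19):.0%}")
```

With these sample numbers three wallets out of 24 can carry a majority vote, and only 30 percent of the incentive-period TVL remains once rewards end. The same two concentration functions apply unchanged to a map of depositor balances.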
Pillar 7: Team and Transparency
Some legitimate protocols are built by pseudonymous teams. This is not inherently disqualifying. However, it changes the accountability structure.
Useful checks:
Are the core contributors named and verifiable via LinkedIn or prior project history?
Have team wallets been disclosed? Do they match the token allocation in the whitepaper?
Has the team been involved in past projects that failed or ended in disputes?
Is the company behind the protocol incorporated, and in which jurisdiction?
For protocols with significant institutional backing, the investors and their public association with the project provide an additional layer of reputational accountability.
Pillar 8: Competitive Positioning
Before concluding any research, ask the most basic strategic question: why does this protocol exist and what happens if a larger, better-capitalized competitor enters the same space?
Consider:
What is the moat? Network effects, liquidity depth, and switching costs are legitimate moats. Marketing and tokenomics are not.
Is the protocol first in its category, or a copy of something that already exists?
What happens to the token price if the underlying use case is commoditized?
Tools Reference
Tool | What It Covers | URL |
DeFiLlama | TVL, protocol revenue, chain comparisons | |
Token Terminal | Protocol revenue, P/F ratios, treasury data | |
Dune Analytics | Custom on-chain queries, token flows, vesting | |
GitHub | Developer commit history, contributor count | |
Electric Capital | Developer activity reports by ecosystem | |
Etherscan / Arbiscan | Contract analysis, holder distribution | |
Snapshot / Tally | Governance proposals and vote history | |
Rekt.news | Archive of past protocol exploits | |
L2Beat | Layer 2 security ratings and upgrade risk | |
Common Red Flags Across All Eight Pillars
Area | Red Flag | Why It Matters |
Developer activity | Commit spike before launch, then silence | Suggests performative development |
Token emissions | Large unlocks within 6-12 months of launch | Insider selling can crater price and trust |
Audit history | No third-party audit, or audit findings not addressed | Unreviewed code is an active risk |
TVL | Sudden TVL surge tied to high token rewards | Mercenary capital; likely to exit fast |
Governance | Team multisig controls upgrades without timelock | Protocol can change without user notice |
Team | Anonymous team, unverifiable claims | Increases exit scam and accountability risk |
Revenue | Zero or near-zero protocol revenue despite high TVL | Suggests no real product-market fit |
Putting It Together: A Research Workflow
A practical research session on an unfamiliar protocol might follow this order:
Start with DeFiLlama to get a snapshot of TVL, revenue, and chain distribution.
Check Token Terminal for protocol revenue trend over 90 days and 1 year.
Go to the project's GitHub. Look at commit activity, contributor count, and issue history.
Find the tokenomics documentation. Build a rough unlock calendar.
Search for the audit report. Verify it is current and findings have been addressed.
Go to Snapshot or Tally. Look at governance activity and voter concentration.
Search rekt.news and crypto-focused security firms for any incident history.
Read the whitepaper. Does it describe a real problem and a credible solution?
You do not need to complete all eight pillars to form an initial view. In practice, red flags in one or two areas are enough to warrant significant additional scrutiny.
What This Framework Does Not Tell You
This framework is designed to help you assess protocol fundamentals. It does not tell you:
Whether a token will increase in value
The right time to buy or sell
That a protocol is safe from all risks
That a passing score means no future problems
Markets price in future expectations. A strong protocol today can be disrupted tomorrow. Use this framework to reduce noise and think more clearly, not to generate certainty where none exists.
Frequently Asked Questions
What is the first thing I should check when researching a protocol?
Start with on-chain usage data via DeFiLlama or Token Terminal. If a protocol has no meaningful revenue or activity, the remaining analysis matters less.
Is a high TVL a good sign?
Not on its own. TVL can be inflated by token incentives. A protocol with high TVL and low revenue may be subsidizing users rather than creating real value. Compare TVL to revenue and look for TVL stability over time.
What does it mean if a protocol has not been audited?
An unaudited protocol carries higher smart contract risk. Users who deposit capital into unaudited contracts are taking on unknown code risk. The risk is not guaranteed to materialize, but it is real and should be factored into any decision.
How do I read a token emission schedule?
Look for the total supply, the circulating supply at launch, and the vesting schedule for team and investor allocations. A large cliff unlock, where a significant percentage of supply becomes available at a single point in time, can create downward price pressure and is worth monitoring.
Are anonymous teams always a red flag?
Not automatically. Some of the most credible protocols in crypto were built by pseudonymous contributors. However, the combination of an anonymous team without a traceable track record, unverified smart contracts, and no institutional backers increases risk. Evaluate the full picture.
What is the difference between protocol revenue and token price appreciation?
Protocol revenue is a measure of product usage. It reflects fees users pay to access the protocol's services. Token price is a market signal that reflects sentiment, speculation, and fundamentals. Revenue is more reliable as a measure of whether a protocol is actually working.
Disclaimer: This content is for educational and informational purposes only and is not financial advice. Nothing here is a recommendation to buy or sell any asset or use any platform. Do your own research and manage your risk.