Start with market structure

Price movement is the loudest signal, but liquidity is often the more useful one. A token with thin liquidity can rise quickly and fall just as quickly. Readers should compare daily volume with available liquidity and ask whether a normal-sized exit would move the market.

Liquidity should be checked across the venues where the token actually trades. DEX liquidity, centralized exchange books, bridges, and wrapped versions can all tell different stories. If volume depends on one venue or one incentive program, the risk score should reflect that fragility.

Holder concentration shows who can move the market

Top-holder lists are not perfect because exchange wallets and contracts can distort the picture. Still, concentration matters. A small number of wallets can create sell pressure, governance pressure, or perception risk if they control a large share of circulating supply.

The scorecard should separate known exchange wallets, liquidity pools, vesting contracts, team wallets, treasury wallets, and unknown whales where possible. Unknown concentration is not automatically bad, but it deserves a higher uncertainty score.

Unlocks are future supply events

A low circulating market cap can look attractive until the fully diluted valuation and unlock calendar are considered. Team, investor, advisor, ecosystem, and incentive allocations can all become future supply. That supply may be manageable if demand grows, but it should not be ignored.

Readers should record cliff dates, monthly unlock rates, emission schedules, and whether unlocks align with product milestones. A project with heavy unlocks needs stronger evidence of usage and revenue than one with slower release terms.

Code control is financial control

Smart contract permissions can change fees, pause transfers, mint supply, blacklist wallets, upgrade logic, or redirect treasury assets depending on the design. These powers may be necessary early, but they change the risk profile.

A stronger scorecard looks for audits, timelocks, multisig signers, public governance, verified source code, and clear admin-key documentation. A vague claim that a contract is safe is weaker than a precise explanation of who can change what.