The methodology behind CORE3’s crypto project risk assessment — security, financial, operational, reputational, compliance, and dependency risks.
The methodology behind CORE3’s crypto project risk assessment consists of the following risk areas: security, financial and operational sustainability, dependency, reputational, compliance and regulatory risks.
Security risks — smart contract audits, bug bounties, and monitoring
The Security Risks category evaluates a project’s resilience against direct technical exploitation and adversarial attacks, which remain one of the most dominant loss vectors in the crypto market. Smart contract vulnerabilities, protocol misconfigurations, and insufficient monitoring continue to be responsible for a significant share of catastrophic losses, often materializing suddenly and without warning.
The combined assessment of token and product audits, active bug bounty programs, and continuous third-party monitoring allows CORE3 to distinguish between projects that treat security as a one-time compliance exercise and those that approach it as an ongoing operational discipline. Audits reduce known and classifiable risks, bug bounties incentivize adversarial testing under real-world conditions, and monitoring systems provide early detection of anomalous behavior post-deployment.
Together, these metrics mitigate the structural challenge of immutable code and composability risk by lowering both the probability and severity of security incidents. Within the Project PoL framework, this category primarily addresses tail-risk events that can lead to immediate and irreversible loss. This makes it a core component of any digital asset security assessment.
Financial risks — token economics, treasury, and liquidity analysis
The Financial Risks category assesses the economic sustainability, capital structure, and incentive alignment of a crypto project. In an environment where many failures stem not from exploits but from flawed token economics, liquidity shocks, or treasury mismanagement, financial risk represents a critical but often under-disclosed threat vector.
By evaluating revenue sources, token inflation dynamics, TVL quality, active address activity, and treasury composition, CORE3 measures whether a project’s economic model is durable beyond short-term market cycles. Circulating supply analysis, locker structures, and unlock schedules further reveal dilution risks, liquidity cliffs, and insider exit dynamics that can materially impact users without violating any technical constraints.
This category directly mitigates the market-wide challenge of opacity in token economics and treasury. Within Project PoL, Financial Risks influence both gradual value erosion and event-driven liquidity failures, helping users distinguish between growth backed by fundamentals and growth driven by unsustainable financial engineering. This level of financial risk analysis is a key differentiator in CORE3’s approach to crypto due diligence.
Operational risks — governance, development activity, and market integrity
The Operational Risks category evaluates whether a project can reliably function, evolve, and govern itself over time. Many crypto failures occur not because of malicious intent or flawed code, but due to weak operational capacity, poor governance practices, or misaligned internal incentives.
Metrics such as wash trading detection, GitHub activity, founder track record, and documentation quality provide insight into whether a project is actively developed, transparently managed, and operationally mature. Certifications and liquidity risk analysis further indicate whether internal processes and market operations meet baseline professional standards.
This category addresses the systemic problem of surface-level legitimacy masking fragile internal operations. Within Project PoL, Operational Risks affect the continuity of the protocol, the reliability of its markets, and its ability to respond effectively to stress, upgrades, or market disruptions. These factors are central to any meaningful crypto risk management framework.
Reputational risks — incident history, social manipulation, and stakeholder quality
The Reputational Risks category captures behavioral, historical, and relational risk signals that are often ignored by purely technical or financial models but have repeatedly preceded major failures in the crypto ecosystem. Market trust in crypto is highly reflexive, and reputational breakdowns can rapidly translate into liquidity loss, user exits, or regulatory attention.
By analyzing responses to past incidents, audit firm reputation, social manipulation, and the presence of insurance coverage, CORE3 evaluates how a project behaves under pressure and whether it has credible external accountability. Project and protocol longevity, along with market maker and investor red flag identification, help detect patterns of extractive behavior, short-termism, or coordinated exit risk.
This category mitigates the challenge of asymmetric information around project intent and stakeholder quality. In Project PoL, Reputational Risks often act as early-warning indicators, signaling elevated loss probability before technical or financial stress becomes visible.
Compliance & regulatory risks — crypto compliance and jurisdictional exposure
The Compliance & Regulatory Risks category assesses a project’s exposure to legal, regulatory, and enforcement-related loss vectors. As regulatory scrutiny increases globally, non-compliance has become a leading cause of operational shutdowns, asset freezes, and forced delistings, even for technically sound projects.
Metrics such as disclaimers, public registration, team transparency, regulatory surface controls, jurisdictional exposure, and formal compliance alignment help determine whether a project understands and actively manages its regulatory footprint. This category does not assess legal certainty, but rather the degree of regulatory awareness, preparedness, and cooperation.
Within the Project PoL framework, Compliance & Regulatory Risks mitigate the growing systemic risk of sudden market access loss caused by enforcement actions. This category primarily influences non-technical loss events that originate outside the protocol but have direct financial impact on users. As regulatory frameworks mature globally, this dimension of digital asset risk management becomes increasingly decisive.
Dependency risks — bridges, oracles, infrastructure, and centralization vectors
The Dependency Risks category evaluates external systems, services, and counterparties upon which a crypto project relies but does not fully control. As composability and modular infrastructure become standard, failures increasingly propagate across protocols through shared dependencies rather than isolated weaknesses.
By assessing bridges and cross-chain mechanisms, custody and admin wallet controls, L2, DA, and sequencer dependencies, oracles and market data sources, and infrastructure providers, CORE3 maps the project’s external attack and failure surface. Additional metrics such as web and DNS control, third-party SaaS and CI/CD pipelines, extended dependency scoring, and owner private key rotation practices further expose centralized choke points and governance risks.
This category addresses the core challenge of hidden centralization and transitive trust in decentralized systems. Within Project PoL, Dependency Risks account for systemic and cascading failure scenarios, which have historically produced some of the largest losses in the crypto market.
The methodology consists of 98 metrics and sub-metrics that together form the final score.
Different metrics are updated at different intervals, ranging from weekly to quarterly (or upon updates of the scored protocol, such as a new security audit), depending on their importance in keeping the score as fresh as possible and on the typical timeframe in which meaningful changes are expected to occur.