How to Research a Crypto Project (DYOR) in 10 Minutes
How to DYOR fast. A security auditor's ten-minute method to research any crypto project, the red flags each lens surfaces, and the disqualifiers that end your look early.
TL;DR
- DYOR means "do your own research", and done right it is a repeatable ten-minute background check, not a full-time job.
- You run a few quick lenses in order: the disqualifiers first (they can end your look in ten seconds), then the team, then the tokenomics, then whether the code is actually secure.
- Most bad projects fail one cheap test fast. Learn to find that test first and you save yourself the other nine minutes.
- The three instant killers: an anonymous team that controls the funds, "guaranteed" or fixed returns, and a project that cannot explain who pays you.
- This is a method, not financial advice. The goal is to filter out obvious traps, not to tell you what to buy.
What does DYOR mean?
DYOR ("do your own research") is the habit of checking a crypto project yourself before you trust it with your money, attention, or time, instead of trusting a stranger's tweet.
Think of it like a ten-minute background check before a blind date. You are not hiring a private investigator. You are just doing the two or three quick checks that catch the obvious disasters: the person who lied about their name, the "too good to be true" story, the thing that does not add up. In crypto, the same small effort filters out most of the traps, because most traps are not subtle. They are just aimed at people who never look.
The good news: you do not need to be technical, and you do not need to buy anything to research. Understanding comes first, and any decision about money comes much later, if at all.
What should you check first?
Start with the disqualifiers, not the details. This is the single biggest mistake beginners make: they spend forty minutes reading a slick website and never ask the ten-second questions that would have ended the whole look.
Here is the order that saves you time, running the cheap checks before the expensive ones:
- Can they explain who pays you, in one sentence? Every real project has an honest answer to "where does the yield come from?" A lending app earns interest from borrowers. An exchange earns fees from traders. If the only answer is "the token goes up" or a vague "the protocol generates returns," stop. Money has to come from somewhere. If nobody can name the somewhere, the somewhere is usually new depositors, and that is the shape of a Ponzi.
- Is the team real and accountable? More on this below, but a quick glance tells you a lot.
- Do the numbers make sense? Fixed 2% daily returns, "risk-free" yield, "guaranteed" anything. Real finance does not promise fixed high returns, because the world does not work that way.
- Is there a real audit, from a firm you can name? We will come back to this, because it is the one technical check that is easy for a beginner to run.
Run these first. If a project fails any of them, you are done. You just saved nine minutes.
Here is the auditor's mindset that makes this fast: most projects that are going to fail, fail one cheap test. My job as a smart contract auditor is partly to find the cheapest test that breaks a thing, and then run that one first. You can do the same. You are not trying to fully understand the project. You are trying to find the one obvious crack, and most bad projects have one near the surface.
What are instant red flags (disqualifiers)?
Some findings are not "concerns to weigh." They are full stops. If you see one of these, the research is over, no matter how good the rest looks. A great website does not cancel out a fatal flaw.
Disqualifier 1: an anonymous team that controls the money. Anonymous builders are not automatically bad. Plenty of respected developers stay pseudonymous. The problem is anonymity plus control of funds. If a nameless, faceless team can withdraw the treasury, pause your withdrawals, or mint unlimited tokens, you have no recourse when they vanish. There is nobody to sue, nobody to shame, nobody to find. That combination, hidden identity and a hand on the money, is the classic setup for a rug pull, where the team drains the funds and disappears. Anonymous is fine. Anonymous with the keys to the vault is a disqualifier.
Disqualifier 2: "guaranteed" or fixed high returns. Any promise of a fixed daily or weekly return, "risk-free" yield, or "guaranteed" profit is a lie by construction. Returns in a real system move up and down because they depend on real activity: borrowers borrowing, traders trading, demand rising and falling. A number that never moves is not a return, it is a recruiting pitch. The moment new deposits slow down, the fixed payout stops, and the last people in lose everything. If you want the honest version of earning in this space, how to earn in DeFi walks through where real yield actually comes from.
Disqualifier 3: they cannot explain who pays you. This is the deepest one, and it is the same test I described above from a different angle. Ask, in plain words: who is on the other side of my profit? In a healthy system you can always name them. Borrowers pay lenders. Traders pay liquidity providers. Users pay for a service. If the answer is circular ("the token rewards holders, and holding pushes the token up, which rewards holders"), there is no outside money coming in. It is a closed loop that only survives while new people keep feeding it. That is not an investment, it is a chair-removal game with extra steps.
Notice that all three disqualifiers are things a total beginner can check in under a minute, without reading a single line of code.
How do you check the team and the token?
If a project survives the disqualifiers, spend your next few minutes on who runs it and how the token works. These two lenses surface most of the remaining traps.
The team lens. You are looking for accountability, not celebrity. A few quick questions:
- Are there real, named people with a track record you can verify? A public founder with a history, past projects, a reputation to lose, is a good sign. It means someone has skin in the game.
- Who controls the critical functions? In crypto, "control" usually means who holds the admin keys, who can upgrade the contracts, and who can move the treasury. If one anonymous wallet can do all of it, that is centralization risk, even if the marketing screams "decentralized." A DAO that actually spreads control across many voters is stronger than a "community" that is really one person with a keyboard.
- Does the community feel real or rented? A comments section full of identical "great project, wen moon" replies is a bought crowd, not organic interest. Real communities argue, ask hard questions, and complain about bugs.
The token lens. The tokenomics, meaning how the token is created, distributed, and used, tells you who the project is really built for. Quick checks:
- Who gets the supply? If a huge share goes to the team and insiders and only a sliver to the public, the deck is stacked against you. When those insiders sell, you are the exit liquidity.
- Is ownership concentrated? A single whale, one wallet holding a large chunk of the supply, can crash the whole market alone by selling. Concentrated ownership is a standing risk that has nothing to do with how nice the product is.
- What is the token actually for? Does it do a real job (pay fees, secure the network, grant governance), or is its only feature "line goes up"? Apply the honest test: if the price froze forever, would this token still be useful for anything? If not, you have found the crack. Our full breakdown lives in tokenomics explained.
You are not grading these on a curve. You are looking for the one answer that turns a "maybe" into a "no."
How do you check if it's secure?
This is where a lot of beginners freeze, because they assume checking security means reading code. It does not. There is one security check that is easy, fast, and catches an enormous amount: is there a real audit, and can you name the firm that did it?
A smart contract is a small program that holds and moves real money on a blockchain, and once it is deployed it runs exactly as written, bug and all. There is no support line to reverse a mistake. That is why serious projects pay independent security firms to audit their code before launch. As someone who does this for a living, here is what I want you to look for, and what to distrust:
- A named audit from a firm you can look up. "Audited by [real firm]" with a public report you can open is a green flag. It means outside experts examined the code and published what they found.
- Distrust "audited" with no name and no report. The word "audited" on a landing page means nothing on its own. If there is no firm named and no report linked, treat it as if there is no audit at all. Anyone can type the word.
- An audit is not a guarantee. Even audited projects get hacked. Code changes after the audit, or the audit only covered part of the system. An audit lowers risk, it does not remove it. If you are curious why bugs still slip through, why crypto gets hacked explains the real reasons.
For a beginner, the security lens is mostly binary: is there a credible, named, published audit, yes or no? That single check does more work than any amount of squinting at code. If you want the plain-English foundation, crypto security basics covers the rest of the survival rules.
Put it all together and DYOR is just four quick lenses run in order: disqualifiers, team, token, security. Ten seconds each on the easy ones, a couple of minutes on the rest. If any lens returns a full stop, you stop. That discipline, ending your look the moment you find a fatal flaw, is what keeps the whole thing under ten minutes.
Related questions
What does DYOR stand for? DYOR stands for "do your own research." In crypto it means checking a project yourself, its team, token, and security, before trusting it, rather than relying on a stranger's recommendation or hype.
How long should researching a crypto project take? For a first pass, about ten minutes. You run a few quick lenses and stop the moment you hit a disqualifier. Most projects that are going to fail fail one cheap, obvious test, so you rarely need to go deep before deciding it is a no.
Do I need to understand code to DYOR? No. The most powerful checks are non-technical: can they explain who pays you, is the team accountable, is the token concentrated in a few wallets. The one security check, "is there a named, published audit," also needs zero coding.
What is the single biggest red flag in a crypto project? A promise of guaranteed or fixed high returns, closely tied with an anonymous team that controls the funds. Both mean you carry all the risk and have no recourse. Either one alone is enough to walk away.
Is a project safe if it has an audit? Safer, not safe. A real audit from a named firm lowers risk and is a green flag. But code changes, audits cover only part of a system, and audited projects still get hacked. Treat an audit as one good sign among several, never as a guarantee.
Where to go next
DYOR is not a research paper. It is a ten-minute background check you run before you trust anything: disqualifiers first, then team, then token, then security, stopping the instant you find a fatal flaw. The skill is not reading everything. It is knowing the cheap tests that catch the obvious traps, and running them first. If you want to see why so many beginners skip this and pay for it, why beginners lose money in crypto is the honest companion to this piece, and common crypto scams shows the traps this method is built to catch.
The best way to make this second nature is to practice it on a real project, guided. Your First 90 Days in Web3 includes a hands-on checkpoint, "how to evaluate a project," that walks you through these exact lenses on live examples, taught with a security auditor's eye. Start below, it is free, and you do not need an account.