1.1 Crypto company as an organism

Blockchain development happens tremendously fast. One reason for that is its usefulness in many other industries like finance, art or supply chain. Another reason - crypto transactions have value behind it, and value attracts people. Third, but neither least, nor last reason - most of it is open source code. Whenever a project fails to deliver upon its promises, there is still some code left that can be reused. This gives an edge to any developer who likes to try their skills in solving real world problems.

These aspects resemble a living organism - it finds and fits to the ecosystem, absorbs available resources and creates offspring that lock in useful mutations.

Whenever you do the research of a crypto project, it might be useful to think of it as an evolving organism.

1.2 TGE and its limitations

In previous lessons we’ve touched upon Token Generation Events and how important it is to know where tokens were allocated. However, there are a number of limitations to this approach:

• Tokens could be generated on one contract, but then migrated to another due to evolution of the project.

• There could be a hack that moved some of the unlocked tokens.

• Tokens could be generated gradually, along with user activity.

• And if a project is old enough, there are a lot of token movements which obfuscate the track.

• A number of tokens could be burned right after minting, increasing the percentage of tokens distributed to the participants

Still, the best way to investigate the project is to follow the money, i.e., tokens. One way to do that is to follow large transactions. To do that, you can go to a Token Tracker page, and then switch to Analytics tap. There you will be able to see the days where large amounts of tokens were moved, and search for these specific transactions.

1.3 Follow the money

The lifecycle of tokens may start with the Big Bang (TGE), or through a continuous minting process (inflation). Understanding the source of token creation is important to understand the current state of tokenomics.

Whenever tokens are minted in bulk, they often go to a smart contract deployer. In this case our job is to trace where the contract deployer sent tokens later.

Example:

1.4 Breadcrumbs

In order to follow all transactions that have been done by the smart contract deployer, it can be beneficial to see them in another tool.

Go to https://www.breadcrumbs.app/ , choose a type of token you would like to follow (in our case it’s UMA, an ERC20 token), enter its smart contract address, and then copy the address of a deployer into the Breadcrumbs app.

Here you will be able to visualize all transactions made by an address, and follow the path of UMA tokens to the current holders.

At this point, our goal is to follow the token to today’s top holders.

2.1 Token holders and already existing labels

As you browse through the list of current token holders, you might notice that some of the addresses have already been labeled.

• https://etherscan.io/token/0x6810e776880c02933d47db1b9fc05908e5386b96#balances * Example:

Considering the vastness of data on blockchains and the expanding nature of crypto projects, labels make the lives of regular users much easier. However, it's done by the same regular users, and is an example of how people can bring public good into the industry.

Imagine how straightforward blockchain research could have been if all major token holders are labeled in the same manner. This is where your effort can really scale up and help millions of people.

2.2 Principles of labeling

In the example above there is a pattern of which addresses are labeled, and which aren’t. Two of most commonly labeled types of addresses are those which belong to the team and exchanges. Usually these are the biggest token holders, and it is of utmost importance to know whom they belong to.

Another set of addresses that is labeled are exploiters. Whenever a hack happens, it is a priority to identify the wallet of an attacker and label it for further monitoring. Here are some examples:

• *https://etherscan.io/address/0x07e02088d68229300ae503395c6536f09179dc3e **

• *https://etherscan.io/address/0xe74b28c2eae8679e3ccc3a94d5d0de83ccb84705 **

The best thing is that now you can search for these exploiters in Breadcrumbs app as well.

2.3 Label Word Cloud

So there are labels on some addresses. But how would one find other examples of these labels?

Etherscan has a page dedicated to all the labels you can find on a platform. From this page you can find, for example, all known Alameda Research wallets.

• *https://etherscan.io/labelcloud **

This page will also give you an idea on what categories there are that might help you in the future to label unknown wallets yourself.

2.4 Making assumptions

Now, armed with the ability to track big token transfers from the deployer to the current holder, as well as some of the examples from the Label Word Cloud, you can start to make assumptions on who are the largest current token holders.

What are parameters you might take into consideration? If a large transaction has been made directly from smart contract deployer’s address, it is reasonable to assume that the end receiver is closely related to the team, advisory board or to early investors.

Investment wallets could also be spotted by looking at other tokens which these addresses hold. If it is a diverse set of tokens, and some of them were transferred to this account directly from the deployer - most likely it is an early stage investment entity.

3.1 Reading a coherent story

In many cases it would be hard to give a definitive answer. Often enough entities are using the pseudonymous nature of a blockchain to hide their involvement in specific projects, especially if they are fraudulent. There is also a problem of assuming the intent of the transaction - in many cases it is almost impossible to do.

What a researcher can do is to gather some evidence and make an assumption based on them. This evidence can be found in many places, not only on-chain. Sometimes it can be beneficial to paste an address you are investigating into a search engine just to see if there are any mentions of it.

There is a thin line between assuming the identity of an address and making a wild guess. And by accumulating as much evidence as possible will improve your chances of identifying an entity correctly.

3.2 Transaction parameters that can be useful (date, cumulative number of tokens)

Apart from the token holder addresses, pay a close attention to the details of large transactions. Look at the dates and check if they are made at the same time as funding rounds or around a Token Generation Event. That would decrease the number of possibilities for the label of a specific token holder.

Another important factor is that transactions can be divided into many smaller ones. Sometimes it is useful to look at the cluster of transactions to see that the amount of tokens transferred in them is equal to the number you are familiar with, for example, from a white paper.

An example of such behavior can be found in our earlier slides where we looked at Jones DAO and how they distributed Team tokens.

Last but not least, always check the log of a transaction. It might give you an idea which methods have been called.

3.3 Introduction in inconsistent behavior (differences between what’s written and reality)

The reason to do the research is to see if there are any red flags about a crypto project. There can be many examples of such flags. Some of them we’ve discussed previously, others we will touch in future slides. However, one of the most important parameters to look at is whether the team is consistent in what they are doing.

To see the pattern, we need to be acknowledged with their whitepaper and then look at the token transfers. Do they resemble what is written? If there are any changes, is the team clearly communicating about what those are? If there are sudden changes in team behavior and project direction, it should immediately be noticed.

An important part of any crypto project is their community. So sometimes it is beneficial to go to their Discord channel and to provoke some activity. Is the community capable of answering your questions? Can they provide clear and direct links to back their statements about the project?

3.4 Additional red flags

If there are one or two issues with the token misuse, it is still not clear if the project is fraudulent. However, the more red flags you find, the closer attention you have to pay.

In addition to what was discussed above, here are some other red flags you might notice:

• Unverified smart contract (no green check mark next to a Contract tab on a Token Tracker Page)

• Ownership of a token smart contract is not renounced (you can check it in Blockchain Explorer under the Contract > Read Contract > owner. If there is anything else but zero address, the ownership is not renounced)

• Read the audit report and pay attention to its result. Check if the audited code is similar to the one deployed on a blockchain.

4.1 Identification of address owners

The vast majority of crypto projects do not share their addresses. But a trained eye can see the history, connect the dots and make an educated guess. Sometimes the community of the project of choice can help out with your research.

By exploring a whitepaper, TGE, transfers of large amounts of tokens, as well as being able to trace how current holders acquired their positions will give you a detailed picture of the money trace.

Paying attention to the red flags can give you enough warning signs to assume some of the intentions behind transactions.

4.2 Token status

Whenever you analyze a token holder, it is useful to pay attention to the status of tokens located on a wallet or smart contract. It is where all your previous lessons work together. Can tokens be moved? This can be found under the “Contract” > Read Contract” > vesting methods such as “locked”, “start_time”, “end_time” and “cliff_length”.

If you see a “Null Address: 0x…” among token holders, this means that tokens located on it have been burned. If tokens are continuously entering the supply through vesting, mining, farming or staking contracts - these are vested tokens.

Funds that are located on multisigs should be considered as “unlocked” - the only thing that prevents them from leaving the wallet are the signatures of the multisig owners.

There are several ways you can reach information you need, and sometimes it is beneficial to compare the results. Stay vigilant!

4.3 Tokens on other networks

And the last important thing to remember is that tokens may be located (and therefore burned) on several networks. If you feel like in your research you are missing some part of information, try to search for it on blockchains that are compatible with the primary network.

Sometimes teams can move their treasury to blockchains with smaller fees or more advanced instruments. Or a scammer can make a fake coin that mimics the original, and the only way to make the distinction is to see the origin of this token - which can be located on the other network.