I used to be a little paranoid, thinking that “I only look at on-chain” was enough: the code is right there, and no one can fool me. Later, after a few upgrades went wrong (especially cases where multi-signature rules were temporarily changed), I finally realized: on-chain is just the outcome; a lot of credibility is hidden off-chain.



Here’s a dumb-but-effective method for beginners: don’t rush to read those few pages of flowery praise in the audit conclusion. Instead, go to GitHub and check whether the most recent commits are being pushed by just one or two people; whether there are issues that nobody bothers to follow up on; and whether urgent fixes are often handled in the pattern of “get on the bus first, then get the ticket later.” Don’t treat the audit report as a get-out-of-jail-free card either. Focus on its scope, how known issues are handled, and whether there are clear regression tests and an upgrade process. Then look closely at multi-signature upgrades: who is involved, how many keys there are, and whether there’s a timelock. What’s most worrying is the kind of verbal promise like “we’ll add more when needed.”

Recently, meme and celebrity shilling have been picking up again. With each wave of attention moving to the next thing, newcomers are especially likely to end up taking the last step. Put simply, the busier it is, the more you should put “can it survive?” first. Don’t let your emotions do the risk management for you.