I’m currently checking whether the project is “reliable,” and I really don’t want to get bamboozled again by that whole testnet points routine. Every day I’m just guessing whether the mainnet will issue tokens—only to find out I’m basically just working… So I use the dumb-but-convenient three-piece set: first, check GitHub to see whether people have been actively working on it long-term (not that I expect to understand the code—at least make sure they’re not bragging about big progress while having zero commits for three months); then take a quick look at the audit report, focusing on whether it has conclusions of “fixed/unfixed,” and don’t just use a logo screenshot as a get-out-of-jail free card; finally, check upgrade permissions—who the multi-sig addresses belong to, how many signers there are, whether there’s a delay, and whether you can change the rules with a single click—this is more honest than the white paper. Anyway, I’m a compulsive person: if I can automate the record, I’ll do it; if the information is too vague, I just skip it—so I don’t end up being treated as yet another testnet points “greenhorn” getting farmed.