Every time I see someone puffing, “We’ve been audited, the code is open-source on GitHub, so it’s absolutely safe,” I can’t help but laugh. An “audit report”—let’s be blunt—is basically a medical checkup report. If you were in good shape during the checkup, it doesn’t mean you won’t die suddenly tomorrow. And as for a GitHub repository—no matter how nicely the code is written—once the multisig control authority gets swapped during an upgrade, or if the contract quietly has a backdoor hidden in it, you wouldn’t be able to tell at all.



Recently, new L1/L2 projects have been rolling out incentives to pull TVL, and veteran users are all complaining about “mining-to-withdraw-and-sell.” In fact, what newcomers should look at isn’t the TVL figure—it’s the address list and permissions for the upgrade multisig. It’s just like renting a place: the landlord says the apartment has been renovated, but you still need to check whether the contract includes a clause that lets the rent go up anytime. Who are the multisig holders—are they the project team themselves, or the community? If there are only 3 addresses, and 2 of them belong to the same team, then that “house” could be dismantled at any moment.

Anyway, my habit is: first, check the GitHub commit history to see whether someone suddenly added an “emergency withdrawal” function to the contract; then, read the audit report to see whether any “known issues” were being ignored; and finally, look up the multisig signature threshold and the holders. Don’t trust any talk about “always reaching consensus.” Liquidity is the real deciding factor.
L1-84.23%
View Original
This page may contain third-party content, which is provided for information purposes only (not representations/warranties) and should not be considered as an endorsement of its views by Gate, nor as financial or professional advice. See Disclaimer for details.
  • Reward
  • Comment
  • Repost
  • Share
Comment
Add a comment
Add a comment
No comments
  • Pinned