Published: Jul 17, 2026, 12:04 PM · Last updated: Jul 17, 2026, 12:06 PM
Building a Pre-Launch Vetting Checklist: 27 Red Flags Investors Miss in New Crypto Projects

The pre-launch phase is where most of the damage gets hidden
By the time a token hits an exchange, the story is already written. The contract is deployed, the liquidity is locked or it isn't, the team has either renounced ownership or kept a backdoor open. Everything that matters happened before you ever saw the chart. And that's exactly the window most investors skip, because there's no price action to stare at yet.
I've watched people do meticulous technical analysis on projects that had a mint function anyone could call. They read the whitepaper twice and never checked whether the deployer wallet was three days old. The chart looks great right up until it doesn't.
So here's a working checklist. Not a theoretical one. These are the things that actually get people rugged, organized so you can run through them before you commit anything.
Contract-level red flags (numbers 1 through 11)
Start with the code, because everything else is marketing until you've read it.
1. Unrenounced ownership with dangerous privileges. Renouncing isn't always required, but if the owner can pause transfers, blacklist wallets, or mint at will, you're trusting a stranger. 2. Hidden mint functions. A supply that can be inflated after launch is the oldest trick there is. 3. Modifiable transaction fees. If the team can crank the sell tax to 99% on a whim, they will, eventually. 4. Blacklist or whitelist logic that lets the deployer freeze specific holders. 5. Proxy contracts with upgradeable logic and no timelock, which means the whole thing can be swapped out silently.
Then the sneakier stuff. 6. Honeypot mechanics that let you buy but never sell. 7. Liquidity that isn't actually locked, or is "locked" with a contract the team controls. 8. Copy-pasted code from a known scam with the variable names changed. 9. Reentrancy vulnerabilities in anything handling funds. 10. Unchecked external calls. 11. A deployer wallet funded straight from a mixer with no history.
Half of these you can catch by reading a proper audit report. The other half need live behavioral checks, which is where a BlockVet security score earns its keep, because it runs risk assessment against thousands of projects instead of you squinting at a block explorer at 2am.
Team and tokenomics flags (12 through 19)
Code can be clean and the project can still be a slow-motion exit. This is the softer layer, and it's where investors get lazy.
12. Anonymous teams are not automatically bad, but anonymous teams holding 40% of supply with no vesting are. 13. Check the vesting schedule. If the whole allocation unlocks in month one, that's a countdown timer. 14. Insider wallets holding a huge concentrated share. 15. LP tokens that unlock a week after launch. 16. Fake or purchased KYC badges, which are trivially bought now. 17. A "partnership" list where none of the partners have ever mentioned the project. 18. Recycled team members from a project that already collapsed. 19. Reused profile photos and stolen LinkedIn bios, which sounds obvious but still works constantly.
The truth is, most of these can be triangulated. One anonymous founder is a shrug. An anonymous founder plus a mixer-funded deployer plus a one-week LP lock plus zero real partners is a pattern, and patterns are what you're actually hunting for.
Ecosystem and behavioral flags (20 through 27)
The last batch lives outside the contract entirely, in how the project behaves in the wild.
20. Engagement that's all bots, thousands of Telegram members and no real conversation. 21. Comments disabled or heavily moderated on every channel. 22. Sudden influencer push right before launch, all posting the same caption. 23. A launch date that keeps getting delayed with vague excuses. 24. No audit at all, or an audit from a firm nobody can verify. 25. An audit that exists but was clearly ignored, findings marked "acknowledged" and never fixed. 26. Contract source code that isn't verified on the explorer. 27. A domain registered last month for a project claiming two years of development.
That last one gets me every time. People will believe a roadmap going back to 2021 while the website's SSL certificate is younger than a carton of milk.
Running the checklist without losing your mind
Twenty-seven items is a lot to check by hand for every project you look at, and honestly nobody does it consistently. That's the real gap. Not a lack of knowledge, a lack of stamina. You'll run the full list on the first three projects of the week and eyeball the rest.
This is the argument for a monitoring layer rather than manual review. A security intelligence dashboard that tracks pre-launches, new launches, and blue-chip projects side by side lets you filter on risk before you spend an hour reading. BlockVet monitors over 3,000 projects live and puts security scoring, audit status, and a watchlist in one place, which turns "I should really check that" into something you actually do.
Now, how does this sit against the bigger audit names? CertiK and Quantstamp built their reputations on deep manual smart-contract audits, and OpenZeppelin's libraries basically underpin half the contracts you'll ever read. Trail of Bits and ConsenSys Diligence sit at the heavyweight end for serious protocol work, while SlowMist and Hacken cover a broad range of audit and incident response. Most of those are report-driven engagements, though, the kind you commission and wait on. The pre-launch problem is different: you're screening dozens of projects fast, before anyone's paid for a formal audit, and that's continuous monitoring territory rather than one deep report.
Use both. Read the formal audit when there is one. But run your 27-point screen first, because the projects most likely to hurt you are the ones that never bothered getting audited at all. If you want to see how live vetting looks across thousands of projects at once, the BlockVet dashboard is a reasonable place to start.
The checklist isn't magic. It won't catch a genuinely sophisticated exploit, and no tool fully replaces reading the code. What it does is filter out the obvious 80%, so the time you have left goes toward the projects that actually deserve a second look.
Written by the CreatorFetch.com editorial team.