Skip to main content
A new token or collateral asset always looks fine at first glance. The chart is clean, the pool has volume, the contract is verified. What that surface view hides is the risk that actually costs you: a deployer with a history of rugged contracts, liquidity that is thin or unlocked, a stablecoin drifting off its peg, or a vault whose governance can move funds without a timelock. All of it is detectable before you allocate. This guide walks through the due diligence a curator, exchange listing team, or allocator should run on any new asset, token, or vault before committing capital.

Why Pre-Allocation Due Diligence Matters

Catch It Before Capital Moves

Screen contracts, deployers, and liquidity before you list or allocate, not after funds are locked

Deployer-Level Signal

Surface a deployer’s history across other contracts, not just the asset in front of you

One Workflow, Any Asset Type

Tokens, vaults, stablecoins, and RWAs all resolve through the same due diligence chain
Why teams choose Webacy for due diligence:
  • Cheapest checks first: contract and threat screening return in milliseconds, before you spend time on deeper liquidity or rating analysis
  • Deployer risk, not just contract risk: deployer_risk=true surfaces what else the deployer has shipped and whether it was flagged
  • Graded ratings for regulated-adjacent assets: vaults, stablecoins, and RWAs get an A+ to F composite grade, not just a raw score
  • Fail-closed by design: missing or stale data is treated as unknown risk, never as a pass

Prerequisites

Before running due diligence, ensure you have:
  • A Webacy API key (sign up here)
  • Basic familiarity with REST APIs or the Webacy SDK
  • Your listing, collateral-onboarding, or allocation workflow identified for integration points

Step 1: Scan the Contract and Its Deployer

Start with the cheapest, fastest check. Every new asset is a contract, scan it, and pull its deployer’s history in the same call with deployer_risk=true.
Response fields to use:
Try it now: Call this endpoint with 0x2260FAC5E5542a773Aa44fBCfeDf7C193bc2C599 (WBTC) and chain=eth. Compare deployer.risk.overallRisk against a token whose deployer has multiple flagged deployed_contracts[]. The deployer signal is often the earliest warning, before the token’s own market history exists.

Step 2: Assess the Address for Threats

Contract scanning tells you about the code. Address screening tells you about behavior, run the candidate asset’s contract address (and, separately, any admin or treasury address tied to it) through threat assessment.
Response fields to use:

Step 3: Break Down Market and Liquidity

A clean contract with no liquidity is still a bad allocation. Pull the token’s pools to see where price discovery actually happens and how deep the liquidity is.
Response fields to use: Spot the difference, two pools, one healthy allocation candidate: Both pools can carry the same poolType label. Only reserve, lockedLiquidityPercent, and lpHolderCount tell you which one you can trust.

Step 4: Pull the Graded Rating (Vaults, Stablecoins, RWAs)

If the candidate asset is an ERC-4626 vault, a stablecoin, or a real-world asset, pull its graded v3 rating. Use the right endpoint for the asset type:
On both v3 endpoints, composite.score and each categories.*.score run 0-100 where higher means more risk: A+ grades score near 0, F grades score near 100. This is the opposite of a health or safety score. Don’t treat a high number as good.
v3 rating fields to use: Depeg detail fields to use (stablecoins): For deeper coverage of depeg monitoring, see the Monitor Stablecoin Depeg Risk guide.
There is no stale or generated_at field on the v3 detail endpoints, use metadata.last_scored_at to judge freshness, and fail closed per the hard-gating rules if it’s older than your policy allows.

Complete Due Diligence Workflow

Here’s how the full playbook fits together, from a new asset landing on your desk to an allocate/review/reject decision.

Implementation Example


Example Addresses for Testing


API Quick Reference

Authentication:

Ready to Ship?

  1. Get your API key: Takes 2 minutes
  2. Run the workflow against the example addresses: Confirm each step returns the fields your policy needs
  3. Wire the decision function into your listing or allocation pipeline: Fail closed on missing or stale data

Next Steps

Ongoing Risk Monitoring

Keep watching an asset after you’ve allocated to it

Contract Risk API

Full reference for the contract and deployer risk scan

Vault Risk (V3) API

Full reference for the graded vault rating

Depeg Monitor API

Full reference for stablecoin and RWA depeg detail