> ## Documentation Index
> Fetch the complete documentation index at: https://docs.webacy.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Run Due Diligence on a New Asset

> Pre-allocation due diligence for curators and allocators: chain contract and deployer risk, threat screening, liquidity depth, and graded v3 ratings.

A new token or collateral asset always looks fine at first glance. The chart is clean, the pool has volume, the contract is verified. What that surface view hides is the risk that actually costs you: a deployer with a history of rugged contracts, liquidity that is thin or unlocked, a stablecoin drifting off its peg, or a vault whose governance can move funds without a timelock. All of it is detectable before you allocate. This guide walks through the due diligence a curator, exchange listing team, or allocator should run on any new asset, token, or vault before committing capital.

## Why Pre-Allocation Due Diligence Matters

<CardGroup cols={3}>
  <Card title="Catch It Before Capital Moves" icon="magnifying-glass">
    Screen contracts, deployers, and liquidity before you list or allocate, not after funds are locked
  </Card>

  <Card title="Deployer-Level Signal" icon="shield-halved">
    Surface a deployer's history across other contracts, not just the asset in front of you
  </Card>

  <Card title="One Workflow, Any Asset Type" icon="scale-balanced">
    Tokens, vaults, stablecoins, and RWAs all resolve through the same due diligence chain
  </Card>
</CardGroup>

**Why teams choose Webacy for due diligence:**

* **Cheapest checks first**: contract and threat screening return in milliseconds, before you spend time on deeper liquidity or rating analysis
* **Deployer risk, not just contract risk**: `deployer_risk=true` surfaces what else the deployer has shipped and whether it was flagged
* **Graded ratings for regulated-adjacent assets**: vaults, stablecoins, and RWAs get an A+ to F composite grade, not just a raw score
* **Fail-closed by design**: missing or stale data is treated as unknown risk, never as a pass

***

## Prerequisites

Before running due diligence, ensure you have:

* A Webacy API key ([sign up here](https://developers.webacy.co/billing))
* Basic familiarity with REST APIs or the [Webacy SDK](/sdk/installation)
* Your listing, collateral-onboarding, or allocation workflow identified for integration points

***

## Step 1: Scan the Contract and Its Deployer

Start with the cheapest, fastest check. Every new asset is a contract, scan it, and pull its deployer's history in the same call with `deployer_risk=true`.

<CodeGroup>
  ```bash cURL theme={null}
  curl -X GET "https://api.webacy.com/contracts/0x2260FAC5E5542a773Aa44fBCfeDf7C193bc2C599?chain=eth&deployer_risk=true" \
    -H "x-api-key: YOUR_API_KEY"
  ```

  ```typescript TypeScript theme={null}
  const response = await fetch(
    'https://api.webacy.com/contracts/0x2260FAC5E5542a773Aa44fBCfeDf7C193bc2C599?chain=eth&deployer_risk=true',
    { headers: { 'x-api-key': process.env.WEBACY_API_KEY } }
  );
  const contract = await response.json();

  console.log(`Contract score: ${contract.score}/100`);
  console.log(`Tags: ${contract.tags?.join(', ')}`);
  console.log(`Deployer overall risk: ${contract.deployer?.risk?.overallRisk}`);
  console.log(`Deployer issues: ${contract.deployer?.risk?.issues?.length ?? 0}`);
  ```

  ```python Python theme={null}
  import requests

  response = requests.get(
      "https://api.webacy.com/contracts/0x2260FAC5E5542a773Aa44fBCfeDf7C193bc2C599",
      params={"chain": "eth", "deployer_risk": "true"},
      headers={"x-api-key": "YOUR_API_KEY"}
  )
  contract = response.json()
  ```
</CodeGroup>

**Response fields to use:**

| Field                                       | Description                                       | Action                                                    |
| ------------------------------------------- | ------------------------------------------------- | --------------------------------------------------------- |
| `score`                                     | 0-100 contract risk score                         | Set your listing threshold                                |
| `tags[]`                                    | Contract-level risk tags                          | Check for honeypot, proxy, or mint-authority flags        |
| `categories[]`                              | Grouped risk categories                           | Understand which dimensions are driving the score         |
| `metadata`                                  | Contract name/symbol                              | Confirm the asset matches what you expect to list         |
| `deployer.address`                          | The address that deployed this contract           | Track across other assets you're evaluating               |
| `deployer.risk.overallRisk`                 | Deployer's own risk score                         | A risky deployer is a red flag even on a clean contract   |
| `deployer.risk.high` / `.medium` / `.count` | Severity breakdown of deployer issues             | Prioritize review                                         |
| `deployer.risk.issues[]`                    | Specific deployer risk findings                   | Understand what the deployer has been flagged for         |
| `deployer.deployed_contracts[]`             | Other contracts from this deployer                | Check whether they've shipped rugs or exploits before     |
| `deployer.risk.isContract`                  | Whether the deployer address is itself a contract | Distinguish EOA deployers from factory/multisig deployers |

<Tip>
  **Try it now**: Call this endpoint with `0x2260FAC5E5542a773Aa44fBCfeDf7C193bc2C599` (WBTC) and `chain=eth`. Compare `deployer.risk.overallRisk` against a token whose deployer has multiple flagged `deployed_contracts[]`. The deployer signal is often the earliest warning, before the token's own market history exists.
</Tip>

***

## Step 2: Assess the Address for Threats

Contract scanning tells you about the code. Address screening tells you about behavior, run the candidate asset's contract address (and, separately, any admin or treasury address tied to it) through threat assessment.

<CodeGroup>
  ```bash cURL theme={null}
  curl -X GET "https://api.webacy.com/addresses/0x2260FAC5E5542a773Aa44fBCfeDf7C193bc2C599?chain=eth" \
    -H "x-api-key: YOUR_API_KEY"
  ```

  ```typescript TypeScript theme={null}
  const response = await fetch(
    'https://api.webacy.com/addresses/0x2260FAC5E5542a773Aa44fBCfeDf7C193bc2C599?chain=eth',
    { headers: { 'x-api-key': process.env.WEBACY_API_KEY } }
  );
  const threat = await response.json();

  console.log(`Overall risk: ${threat.overallRisk}/100`);
  console.log(`Is contract: ${threat.isContract}, type: ${threat.addressType}`);
  console.log(`High severity issues: ${threat.high}`);
  ```

  ```python Python theme={null}
  response = requests.get(
      "https://api.webacy.com/addresses/0x2260FAC5E5542a773Aa44fBCfeDf7C193bc2C599",
      params={"chain": "eth"},
      headers={"x-api-key": "YOUR_API_KEY"}
  )
  threat = response.json()
  ```
</CodeGroup>

**Response fields to use:**

| Field                       | Description                                | Action                                                  |
| --------------------------- | ------------------------------------------ | ------------------------------------------------------- |
| `overallRisk`               | 0-100 composite threat score               | Set your review threshold (e.g., >= 50 = manual review) |
| `count` / `medium` / `high` | Issue counts by severity                   | Escalate anything with `high` counts                    |
| `issues[]`                  | Each has `score`, `tags[]`, `categories[]` | Understand the specific threats detected                |
| `context[]`                 | Supporting context for the assessment      | Read before overriding a flag                           |
| `isContract`                | Whether the address is a contract          | Confirm you're screening the right entity               |
| `addressType`               | Classification of the address              | Distinguish EOAs, contracts, and known entity types     |

***

## Step 3: Break Down Market and Liquidity

A clean contract with no liquidity is still a bad allocation. Pull the token's pools to see where price discovery actually happens and how deep the liquidity is.

<CodeGroup>
  ```bash cURL theme={null}
  curl -X GET "https://api.webacy.com/tokens/0x2260FAC5E5542a773Aa44fBCfeDf7C193bc2C599/pools?chain=eth" \
    -H "x-api-key: YOUR_API_KEY"
  ```

  ```typescript TypeScript theme={null}
  const response = await fetch(
    'https://api.webacy.com/tokens/0x2260FAC5E5542a773Aa44fBCfeDf7C193bc2C599/pools?chain=eth',
    { headers: { 'x-api-key': process.env.WEBACY_API_KEY } }
  );
  const { pools } = await response.json();

  for (const pool of pools) {
    console.log(
      `${pool.poolType} | Reserve: $${pool.reserve} | Locked: ${pool.lockedLiquidityPercent}% | ` +
      `24h volume: $${pool.volume?.h24}`
    );
  }
  ```

  ```python Python theme={null}
  response = requests.get(
      "https://api.webacy.com/tokens/0x2260FAC5E5542a773Aa44fBCfeDf7C193bc2C599/pools",
      params={"chain": "eth"},
      headers={"x-api-key": "YOUR_API_KEY"}
  )
  pools = response.json()["pools"]
  ```
</CodeGroup>

**Response fields to use:**

| Field                           | Description                       | Action                                                  |
| ------------------------------- | --------------------------------- | ------------------------------------------------------- |
| `fdv`                           | Fully diluted valuation           | Compare against `market_cap` to gauge dilution risk     |
| `market_cap`                    | Circulating market cap            | Sanity-check against liquidity depth                    |
| `token_price`                   | Current pool price                | Cross-check against other price sources                 |
| `reserve`                       | Pool liquidity in USD             | Low `reserve` means high slippage and manipulation risk |
| `lockedLiquidityPercent`        | Share of LP tokens locked         | Low or 0% is a rug-pull red flag                        |
| `lpHolderCount` / `lpHolders[]` | Number and identity of LP holders | Concentrated LP ownership is a withdrawal risk          |
| `volume.h24` / `.h1`            | Trading volume over time windows  | Confirm the pool is actually active, not just deployed  |
| `poolType`                      | DEX/pool implementation           | Understand the venue you're pricing against             |
| `issues[]`                      | Pool-level risk findings          | Review before treating the pool as reliable             |

**Spot the difference, two pools, one healthy allocation candidate:**

|                | `reserve` | `lockedLiquidityPercent` | `lpHolderCount` | Verdict                                                                       |
| -------------- | --------- | ------------------------ | --------------- | ----------------------------------------------------------------------------- |
| ✅ Healthy pool | \$4.2M    | 98%                      | 340             | Deep, locked, broadly distributed, safe to reference for pricing              |
| ❌ Risky pool   | \$8,500   | 0%                       | 2               | Thin, unlocked, two wallets control exit, do not treat this price as reliable |

Both pools can carry the same `poolType` label. Only `reserve`, `lockedLiquidityPercent`, and `lpHolderCount` tell you which one you can trust.

***

## Step 4: Pull the Graded Rating (Vaults, Stablecoins, RWAs)

If the candidate asset is an ERC-4626 vault, a stablecoin, or a real-world asset, pull its graded v3 rating. Use the right endpoint for the asset type:

| Asset type                | Endpoint                                     | Best for                                                            |
| ------------------------- | -------------------------------------------- | ------------------------------------------------------------------- |
| Vault (ERC-4626, curated) | `GET /v3/vaults/{address}?chain={chain}`     | Composite grade across strategy, governance, and liquidity criteria |
| RWA                       | `GET /v3/rwa/{address}?chain={chain}`        | Composite grade for tokenized real-world assets                     |
| Stablecoin / pegged token | `GET /rwa/{address}?chain={chain}&hours={n}` | Live peg deviation and liquidity depth, not a graded composite      |

<Warning>
  On both v3 endpoints, `composite.score` and each `categories.*.score` run 0-100 where **higher means more risk**: A+ grades score near 0, F grades score near 100. This is the opposite of a health or safety score. Don't treat a high number as good.
</Warning>

<CodeGroup>
  ```bash cURL theme={null}
  # Vault
  curl -X GET "https://api.webacy.com/v3/vaults/0x0deFfd509197aAD5207d2A55862835b467E8128F?chain=eth" \
    -H "x-api-key: YOUR_API_KEY"

  # RWA
  curl -X GET "https://api.webacy.com/v3/rwa/{rwaAddress}?chain=eth" \
    -H "x-api-key: YOUR_API_KEY"

  # Stablecoin depeg detail
  curl -X GET "https://api.webacy.com/rwa/0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48?chain=eth&hours=24" \
    -H "x-api-key: YOUR_API_KEY"
  ```

  ```typescript TypeScript theme={null}
  // Graded vault rating
  const vaultRes = await fetch(
    'https://api.webacy.com/v3/vaults/0x0deFfd509197aAD5207d2A55862835b467E8128F?chain=eth',
    { headers: { 'x-api-key': process.env.WEBACY_API_KEY } }
  );
  const vault = await vaultRes.json();

  console.log(`Grade: ${vault.composite.grade} (${vault.composite.stars} stars)`);
  console.log(`Composite score: ${vault.composite.score}/100, higher is worse`);
  console.log(`Coverage: ${vault.coverage.live_criteria}/${vault.coverage.total_criteria} criteria live`);
  console.log(`Last scored: ${vault.metadata.last_scored_at}`);

  // Stablecoin depeg detail
  const pegRes = await fetch(
    'https://api.webacy.com/rwa/0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48?chain=eth&hours=24',
    { headers: { 'x-api-key': process.env.WEBACY_API_KEY } }
  );
  const peg = await pegRes.json();
  console.log(`Tier: ${peg.snapshot.tier}, deviation from peg: ${peg.snapshot.abs_dev_clean}`);
  ```

  ```python Python theme={null}
  vault = requests.get(
      "https://api.webacy.com/v3/vaults/0x0deFfd509197aAD5207d2A55862835b467E8128F",
      params={"chain": "eth"},
      headers={"x-api-key": "YOUR_API_KEY"}
  ).json()

  peg = requests.get(
      "https://api.webacy.com/rwa/0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48",
      params={"chain": "eth", "hours": 24},
      headers={"x-api-key": "YOUR_API_KEY"}
  ).json()
  ```
</CodeGroup>

**v3 rating fields to use:**

| Field                                                               | Description                             | Action                                                                  |
| ------------------------------------------------------------------- | --------------------------------------- | ----------------------------------------------------------------------- |
| `schema_version`                                                    | Rating framework version                | Confirm you're reading a current schema                                 |
| `composite.grade`                                                   | Letter grade, A+ through F              | Fast pass/fail threshold for listing policy                             |
| `composite.stars`                                                   | Star rating derived from grade          | Display-friendly summary                                                |
| `composite.score`                                                   | 0-100, higher = more risk               | Set numeric thresholds; never invert the polarity                       |
| `categories.*.score` / `.criteria`                                  | Per-category breakdown                  | Identify which dimension (e.g. governance, liquidity) is weakest        |
| `coverage.framework_version` / `.total_criteria` / `.live_criteria` | How much of the framework has live data | Low coverage means the grade rests on fewer signals, treat with caution |
| `metadata.last_scored_at`                                           | Freshness timestamp                     | Fail closed if this is older than your policy allows                    |

**Depeg detail fields to use (stablecoins):**

| Field                                   | Description                  | Action                                                        |
| --------------------------------------- | ---------------------------- | ------------------------------------------------------------- |
| `snapshot.price` / `.peg_value`         | Current price vs. peg target | Compute deviation directly                                    |
| `snapshot.dev_clean` / `.abs_dev_clean` | Deviation from peg           | Set alert thresholds on absolute deviation                    |
| `snapshot.tier`                         | Categorized risk tier        | Quick pass/fail read                                          |
| `snapshot.score`                        | Depeg risk score             | Track alongside `tier`                                        |
| `token.markets[].liquidity_usd`         | Liquidity depth per venue    | Confirm redemption/exit liquidity exists                      |
| `token.score_delta_24h`                 | 24h change in score          | Catch deterioration even if the current tier still looks fine |

For deeper coverage of depeg monitoring, see the [Monitor Stablecoin Depeg Risk](/guides/stablecoin-depeg-monitoring) guide.

<Info>
  There is no `stale` or `generated_at` field on the v3 detail endpoints, use `metadata.last_scored_at` to judge freshness, and fail closed per the [hard-gating rules](/api-reference/introduction#hard-gating-and-fail-behavior) if it's older than your policy allows.
</Info>

***

## Complete Due Diligence Workflow

Here's how the full playbook fits together, from a new asset landing on your desk to an allocate/review/reject decision.

```mermaid theme={null}
flowchart TD
    A[New Asset Proposed] --> B["Step 1: Contract + Deployer Scan"]
    B -->|Deployer/contract flagged high| R1[REJECT]
    B -->|Clear or minor flags| C["Step 2: Address Threat Check"]
    C -->|overallRisk high| R2[REJECT]
    C -->|Clear or moderate| D["Step 3: Market + Liquidity"]
    D -->|Thin/unlocked liquidity| RV1[REVIEW]
    D -->|Healthy liquidity| E{Asset Type?}
    E -->|Plain token| ALLOCATE[ALLOCATE]
    E -->|Vault| G["Step 4: GET /v3/vaults"]
    E -->|Stablecoin / RWA| H["Step 4: GET /rwa or /v3/rwa"]
    G --> I{Grade Acceptable?}
    H --> I
    I -->|Low grade / high score| RV2[REVIEW]
    I -->|Acceptable grade| ALLOCATE
```

### Implementation Example

<Accordion title="Full TypeScript Implementation">
  ```typescript theme={null}
  const API_BASE = 'https://api.webacy.com';
  const headers = { 'x-api-key': process.env.WEBACY_API_KEY! };

  async function runDueDiligence(candidateAddress: string, chain: string, assetType: 'token' | 'vault' | 'stable' | 'rwa') {
    const decision: { action: 'ALLOCATE' | 'REVIEW' | 'REJECT'; reasons: string[] } = {
      action: 'ALLOCATE',
      reasons: [],
    };

    // Step 1: Contract + deployer scan
    const contract = await fetch(
      `${API_BASE}/contracts/${candidateAddress}?chain=${chain}&deployer_risk=true`,
      { headers }
    ).then(r => r.json());

    if (contract.deployer?.risk?.overallRisk >= 80) {
      return { action: 'REJECT', reasons: ['Deployer risk critical'] };
    }
    if (contract.deployer?.risk?.overallRisk >= 50) {
      decision.action = 'REVIEW';
      decision.reasons.push(`Deployer risk elevated (${contract.deployer.risk.overallRisk})`);
    }

    // Step 2: Address threat check
    const threat = await fetch(
      `${API_BASE}/addresses/${candidateAddress}?chain=${chain}`,
      { headers }
    ).then(r => r.json());

    if (threat.overallRisk >= 80) {
      return { action: 'REJECT', reasons: ['Address threat risk critical'] };
    }
    if (threat.overallRisk >= 50) {
      decision.action = 'REVIEW';
      decision.reasons.push(`Threat risk elevated (${threat.overallRisk})`);
    }

    // Step 3: Market + liquidity (skip for pure vault/RWA ratings if not pool-listed)
    if (assetType === 'token') {
      const { pools } = await fetch(
        `${API_BASE}/tokens/${candidateAddress}/pools?chain=${chain}`,
        { headers }
      ).then(r => r.json());

      const bestPool = pools?.[0];
      if (!bestPool || bestPool.reserve < 50_000 || bestPool.lockedLiquidityPercent < 50) {
        decision.action = 'REVIEW';
        decision.reasons.push('Thin or unlocked liquidity');
      }
    }

    // Step 4: Graded rating for vaults, stablecoins, RWAs
    if (assetType === 'vault' || assetType === 'rwa') {
      const path = assetType === 'vault' ? 'v3/vaults' : 'v3/rwa';
      const rating = await fetch(
        `${API_BASE}/${path}/${candidateAddress}?chain=${chain}`,
        { headers }
      ).then(r => r.json());

      // composite.score: 0-100, higher = more risk
      if (rating.composite.score >= 70) {
        decision.action = 'REVIEW';
        decision.reasons.push(`Low graded rating: ${rating.composite.grade} (score ${rating.composite.score})`);
      }
    }

    if (assetType === 'stable') {
      const peg = await fetch(
        `${API_BASE}/rwa/${candidateAddress}?chain=${chain}&hours=24`,
        { headers }
      ).then(r => r.json());

      if (peg.snapshot.tier === 'critical' || peg.snapshot.tier === 'warning') {
        decision.action = 'REVIEW';
        decision.reasons.push(`Depeg tier: ${peg.snapshot.tier}`);
      }
    }

    return decision;
  }

  // Example: evaluate WBTC as a token listing candidate
  const result = await runDueDiligence(
    '0x2260FAC5E5542a773Aa44fBCfeDf7C193bc2C599',
    'eth',
    'token'
  );
  console.log(result);
  ```
</Accordion>

***

## Example Addresses for Testing

| Address                                      | Chain | Asset type        |
| -------------------------------------------- | ----- | ----------------- |
| `0x0deFfd509197aAD5207d2A55862835b467E8128F` | eth   | ERC-4626 vault    |
| `0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48` | eth   | Stablecoin (USDC) |
| `0xdAC17F958D2ee523a2206206994597C13D831ec7` | eth   | Stablecoin (USDT) |
| `0x6B175474E89094C44Da98b954EedeAC495271d0F` | eth   | Stablecoin (DAI)  |
| `0x2260FAC5E5542a773Aa44fBCfeDf7C193bc2C599` | eth   | Token (WBTC)      |

***

## API Quick Reference

| Endpoint                                                            | Use Case                                    |
| ------------------------------------------------------------------- | ------------------------------------------- |
| `GET /contracts/{contractAddress}?chain={chain}&deployer_risk=true` | Contract + deployer risk scan               |
| `GET /addresses/{address}?chain={chain}`                            | Address threat assessment                   |
| `GET /tokens/{tokenAddress}/pools?chain={chain}`                    | Token market and liquidity breakdown        |
| `GET /v3/vaults/{address}?chain={chain}`                            | Graded vault rating (composite grade/score) |
| `GET /v3/rwa/{address}?chain={chain}`                               | Graded RWA rating (composite grade/score)   |
| `GET /rwa/{address}?chain={chain}&hours={n}`                        | Stablecoin/pegged token depeg detail        |

**Authentication:**

```text theme={null}
Header: x-api-key: YOUR_API_KEY
Base URL: https://api.webacy.com
```

***

## Ready to Ship?

1. **Get your API key**: Takes 2 minutes
2. **Run the workflow against the example addresses**: Confirm each step returns the fields your policy needs
3. **Wire the decision function into your listing or allocation pipeline**: Fail closed on missing or stale data

## Next Steps

<CardGroup cols={2}>
  <Card title="Ongoing Risk Monitoring" icon="gauge-high" href="/guides/ongoing-risk-monitoring">
    Keep watching an asset after you've allocated to it
  </Card>

  <Card title="Contract Risk API" icon="file-shield" href="/api-reference/contract-risk/get-a-real-time-analysis-for-a-given-contract-address">
    Full reference for the contract and deployer risk scan
  </Card>

  <Card title="Vault Risk (V3) API" icon="vault" href="/api-reference/vault-risk-v3/get-vault-risk-detail-v3">
    Full reference for the graded vault rating
  </Card>

  <Card title="Depeg Monitor API" icon="chart-line" href="/api-reference/depeg-monitor/get-depeg-risk-detail-for-a-pegged-token">
    Full reference for stablecoin and RWA depeg detail
  </Card>
</CardGroup>
