Recently, when judging whether a project is "trustworthy or not," I go straight to its GitHub and audit reports instead. I'm not pretending to know it all; I just want to see whether they really did the work properly. To put it simply, even beginners don't have to force themselves to chew through the code. There are plenty of tutorials, and I only look at the kind that teaches you to watch the update frequency, who is submitting PRs, and how issues get answered. At minimum you can tell whether the team is made up of real people.

Don't treat an audit report as an "immunity card" either. Focus on three things: whether the risks are clearly listed, whether there is a side-by-side "fixed/unfixed" comparison, and whether the audit firm is just stamping approvals without saying a word. The most important part is the upgrade multisig: who the signers are, how many keys it takes to change the rules, and whether there is a timelock (the kind that gives you time to react). Otherwise, today they talk about decentralization, and tomorrow a multisig decides something on a whim; by then you won't even have time to put up a fight.

It also makes me think about the recent NFT royalty disputes: creators want income, the market wants liquidity... but if the contract can still be upgraded at any time and the allocation changed, then arguing about it for so long feels pretty hollow. Anyway, when I look at projects now, I first check "who can make changes," and whether anyone has to notify me before those changes land. That's it for now.
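As an added example (not part of the original post), here is a small Python checker for the "who can make changes, and do I get warned first" questions above. The signer lists, findings and the 48-hour reaction window are constructed assumptions, not values from any real project.

```python
"""Score the upgrade-control facts a reader collects for a project.
All inputs and thresholds below are constructed assumptions."""
from dataclasses import dataclass, field

MIN_REACTION_WINDOW_SECONDS = 48 * 3600  # assumed: two days to react to an upgrade


@dataclass
class UpgradeControl:
    signers: list                # names or addresses of multisig signers
    threshold: int               # signatures needed to execute an upgrade
    timelock_seconds: int        # 0 means an upgrade takes effect immediately
    audit_findings: list = field(default_factory=list)  # (severity, status)


def review(ctrl: UpgradeControl) -> list:
    """Return human-readable flags; an empty list means no red flags found."""
    flags = []
    n = len(ctrl.signers)
    if n != len(set(ctrl.signers)):
        flags.append("signer list contains duplicates (fewer independent keys than claimed)")
    # A 1-of-N or minority threshold means a few keys can change the rules.
    if n == 0 or ctrl.threshold < 2 or ctrl.threshold * 2 <= n:
        flags.append(f"weak threshold: {ctrl.threshold}-of-{n} keys can change the rules")
    # No (or too short) timelock means no time to react before changes land.
    if ctrl.timelock_seconds == 0:
        flags.append("no timelock: upgrades apply immediately")
    elif ctrl.timelock_seconds < MIN_REACTION_WINDOW_SECONDS:
        hours = ctrl.timelock_seconds / 3600
        flags.append(f"timelock of {hours:.0f}h is shorter than the assumed reaction window")
    # Audit value lies in the fixed/unfixed comparison, not in the stamp.
    open_high = [sev for sev, status in ctrl.audit_findings
                 if sev in ("critical", "high") and status != "fixed"]
    if open_high:
        flags.append(f"{len(open_high)} unfixed high/critical audit finding(s)")
    return flags


# Constructed sample: a project whose marketing says "decentralized".
WEAK = UpgradeControl(
    signers=["dev1", "dev1", "dev2"], threshold=1, timelock_seconds=0,
    audit_findings=[("high", "acknowledged"), ("low", "fixed")])
# Constructed sample: the kind of setup the post is asking for.
STRONGER = UpgradeControl(
    signers=["a", "b", "c", "d", "e"], threshold=3, timelock_seconds=72 * 3600,
    audit_findings=[("high", "fixed"), ("medium", "fixed")])

if __name__ == "__main__":
    for name, ctrl in (("weak", WEAK), ("stronger", STRONGER)):
        print(name, review(ctrl) or ["no red flags"])
```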