What a Tokenomics Audit Covers: The Complete Checklist
Key Takeaways
- A tokenomics audit evaluates the economic design of a protocol—incentive alignment, supply dynamics, governance attack surfaces, and sustainability—not the smart contract code. It answers: will this token economy work as intended under adversarial conditions?
- The audit covers six core areas: supply mechanics, distribution fairness, incentive sustainability, governance security, market dynamics, and regulatory exposure. Weaknesses in any single area can compromise the entire system.
- Every tokenomics audit should produce concrete, actionable recommendations with severity ratings. The goal isn't a pass/fail grade—it's a clear picture of risks with specific paths to address them.
A smart contract audit checks whether code executes correctly. A tokenomics audit checks whether the economic design works—whether the incentives, supply dynamics, and governance mechanisms produce the behavior the protocol needs under real-world conditions.
These are different questions. A protocol can have flawless code and broken economics. We've audited token economies where the contracts were clean and the incentive design was fundamentally broken—billions in TVL sitting on top of a value accrual mechanism that sent zero revenue to token holders.
Here's the framework we use across our audit engagements, broken into the six areas that matter.
Area 1: Supply Mechanics
Supply dynamics are where most of the critical findings come from.
Total supply and emission schedule. Is there a hard cap, and is it enforced at the contract level? What's the emission curve—linear, exponential decay, demand-based? We verify that the described schedule matches the implemented logic. The whitepaper and the smart contract disagree more often than you'd expect.
Inflation rate over time. We model effective inflation at 6 months, 1 year, 2 years, and 5 years. Above 15-20% annually in year one is a yellow flag. Sustained inflation above 10% beyond year two is red. We've analyzed networks running at 15-19% annual inflation—8-9x what's sustainable—with emission outpacing consumption by nearly 2:1. Price decline in that scenario isn't cyclical, it's structural.
Mint and burn mechanisms. Can new tokens be minted beyond the stated schedule? Who controls the mint function? Is there a burn mechanism, and does it meaningfully offset emission? We trace every path through which supply can increase or decrease. In one audit, we found 99.5% of protocol fees were actually penalties rather than value capture—the burn mechanism existed on paper but wasn't functioning as designed.
Supply concentration. We calculate the Gini coefficient of token distribution at launch and project it forward through vesting unlocks. Top 10 wallets holding >50% creates governance risk and coordinated sell pressure risk.
Red flags here include admin-controlled mint functions with no cap or timelock, emission releasing >50% of supply in the first year, no mechanism linking emission to usage, and supply mechanics in the whitepaper that don't match the smart contracts.
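The supply concentration check, as an added example that is not part of the original article: it computes the Gini coefficient and top-10 wallet share at launch and again once locked allocations are fully vested. The holder table and the function names are constructed for illustration.

```python
def gini(balances):
    """Gini coefficient of non-negative balances (0 = equal, near 1 = one holder)."""
    xs = sorted(balances)
    n, total = len(xs), sum(xs)
    if n == 0 or total == 0:
        return 0.0
    # Rank-weighted form: G = 2*sum(i*x_i) / (n*sum(x)) - (n+1)/n, i = 1..n ascending.
    ranked = sum(i * x for i, x in enumerate(xs, start=1))
    return 2 * ranked / (n * total) - (n + 1) / n

def top_share(balances, k=10):
    """Fraction of supply held by the k largest wallets."""
    total = sum(balances)
    return sum(sorted(balances, reverse=True)[:k]) / total if total else 0.0

def concentration_report(holders):
    """holders: {wallet: (liquid, locked)}; compares launch with full unlock."""
    views = (("launch", lambda h: h[0]),
             ("fully_vested", lambda h: h[0] + h[1]))
    report = {}
    for label, pick in views:
        balances = [pick(h) for h in holders.values()]
        share = top_share(balances)
        report[label] = {"gini": round(gini(balances), 3),
                         "top10_share": round(share, 3),
                         "flag": share > 0.50}  # article's >50% threshold
    return report

# Constructed data: 10 insider wallets with locked allocations, 90 community wallets.
HOLDERS = {f"insider_{i}": (1_000_000, 4_000_000) for i in range(10)}
HOLDERS.update({f"community_{i}": (200_000, 0) for i in range(90)})

if __name__ == "__main__":
    for label, row in concentration_report(HOLDERS).items():
        print(label, row)
```

In this constructed table the launch snapshot passes the top-10 check, while the fully vested projection does not, which is why the projection step matters.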
Area 2: Distribution and Vesting
Distribution determines who benefits and who bears dilution.
Allocation fairness. We evaluate insider allocation against market benchmarks. Team + investors above 40% is a yellow flag. We also check whether community allocation is genuinely accessible or gated behind conditions that effectively limit it to insiders.
Vesting schedule design. Are cliff and vesting periods appropriate for each stakeholder class? We check for coordinated cliff dates (multiple cohorts unlocking simultaneously), oversized TGE unlocks, and missing departure provisions. We've seen 50%+ price drops when 12-month cliffs expired during bear markets.
Unlock impact modeling. We simulate combined emission + vesting unlocks on circulating supply month by month. This surfaces periods of concentrated supply expansion. One protocol we analyzed had annual bulk unlocks that increased circulating supply 40-60% overnight. Price declined 60-70% in the weeks following each event. Predictable, avoidable, but nobody had modeled it in advance.
Airdrop and retroactive distribution. For retroactive distributions, we evaluate Sybil resistance, whether the distribution is top-heavy, and expected sell pressure from recipients.
What gets flagged: coordinated cliff dates creating a single large unlock event, TGE unlock >15% of total supply, no vesting for advisory or strategic allocations, or insider vesting shorter than 2 years.
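The unlock impact model described above, as an added example that is not the authors' own tooling: it builds month-by-month circulating supply from vesting cohorts plus emission and reports the TGE share, shared cliff months, and supply spikes. The allocation table, the 20% spike threshold, and the vesting model (linear from TGE, with the accrued amount released at the cliff) are assumptions.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass
class Cohort:
    name: str
    allocation: float  # tokens allocated to this stakeholder class
    tge_pct: float     # fraction liquid at TGE (month 0)
    cliff: int         # months before any vested tokens are claimable
    duration: int      # months of linear vesting counted from TGE (>= 1)

    def unlocked(self, month: int) -> float:
        tge = self.allocation * self.tge_pct
        if month < self.cliff:
            return tge
        # At the cliff, everything accrued since TGE unlocks at once.
        vested = min(month, self.duration) / self.duration
        return tge + (self.allocation - tge) * vested

def audit_unlocks(cohorts, total_supply, monthly_emission, months=36, spike=0.20):
    # Circulating supply = unlocked allocations + cumulative emission.
    supply = [sum(c.unlocked(m) for c in cohorts) + monthly_emission * m
              for m in range(months + 1)]
    findings = []
    tge_share = supply[0] / total_supply
    if tge_share > 0.15:
        findings.append(f"TGE unlock is {tge_share:.0%} of total supply (>15%)")
    for month, n in sorted(Counter(c.cliff for c in cohorts if c.cliff).items()):
        if n > 1:
            findings.append(f"{n} cohorts share a cliff at month {month}")
    # Months where circulating supply grows faster than the `spike` threshold.
    spikes = [(m, supply[m] / supply[m - 1] - 1) for m in range(1, months + 1)
              if supply[m - 1] and supply[m] / supply[m - 1] - 1 > spike]
    return supply, spikes, findings

# Constructed table: 1B total supply, 300M rewards pool emitted at 5M per month.
COHORTS = [
    Cohort("community", 300e6, 0.60, 0, 24),
    Cohort("team", 200e6, 0.0, 12, 24),
    Cohort("investors", 200e6, 0.0, 12, 24),
]

if __name__ == "__main__":
    supply, spikes, findings = audit_unlocks(COHORTS, 1e9, 5e6)
    for line in findings:
        print("FLAG:", line)
    for month, growth in spikes:
        print(f"month {month}: supply +{growth:.0%} to {supply[month]:,.0f}")
```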
Area 3: Incentive Sustainability
The core question: will the incentive mechanisms continue to attract the behavior the protocol needs as emission tapers and market conditions change?
Staking economics. We model staking yield over time as emission decreases and total stake increases. If projected yield falls below comparable risk-adjusted returns within 2-3 years, rational capital leaves. We've seen this create death spirals in DePIN networks—staking participation drops, security decreases, confidence falls, more participants exit. We assess whether the protocol can sustain required security at realistic yield levels.
Liquidity incentive dependency. What happens when liquidity mining rewards end? Protocols routinely lose 60-80% of TVL within weeks of incentive expiration. We evaluate whether the protocol generates sufficient organic fee revenue to retain liquidity without subsidy.
Value accrual mechanism. Does the token capture value from protocol usage? A governance token over a fee-generating protocol has fundamental value. A token that grants "access" to a service that works without it has weak accrual. We've audited protocols generating $96M+ in annualized revenue where zero flowed to token holders. The business was strong; the token was decorative. That distinction matters—protocol revenue and token value are not the same thing, and investors who conflate them get burned.
Incentive extractability. Can participants earn rewards without providing the intended service? Typical patterns include wash trading to farm fee-based rewards, Sybil attacks on airdrop criteria, staking derivatives that earn yield without economic commitment, and liquidity strategies that extract rewards while providing minimal useful liquidity.
Common red flags:
- Protocol relies on >80% of value from incentive programs rather than organic fees
- No clear path from "subsidized growth" to "sustainable revenue"
- Staking yield depends on token price appreciation to remain competitive
- Incentive mechanisms exploitable through Sybil attacks or wash trading
Area 4: Governance Security
Governance is an attack surface, and we evaluate it with the same rigor as the economic mechanisms.
Governance attack cost. What does it cost to acquire 51% of voting power? We calculate this from current liquidity, voting participation rates, and vote-locking mechanisms. If a governance attack costs less than the value it could extract—say, draining a treasury or modifying parameters to benefit an attacker—the protocol is economically insecure.
Voting power concentration. We analyze voting power distribution across delegates and direct voters. We've audited protocols where two foundation accounts held 85%+ of voting power. External holders collectively owning 100% of circulating supply still couldn't outvote insiders. "Decentralized governance" with that distribution is theater.
Timelock and guardian mechanisms. Are governance actions subject to timelocks? Are there guardian roles that can veto malicious proposals? We evaluate whether safety mechanisms are sufficient for the value at risk.
Parameter sensitivity. Which governance-adjustable parameters, if set to extreme values, break the protocol? We identify the most dangerous parameters and check for appropriate bounds.
Red flags:
- Governance attack cost < 10% of treasury value
- No timelock on critical parameter changes
- Fewer than 5 entities can form a voting majority
- Emergency functions accessible by multisig with <5 signers
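One way to turn the governance red flags above into a repeatable check (an added example, not the authors' methodology). It assumes every current voter opposes the proposal, that tokens are bought from a single constant-product pool, and that vote-locking is not modelled; all names and sample figures are constructed.

```python
import math

def min_majority_entities(power):
    """Smallest number of entities whose combined votes exceed half the total."""
    total, running = sum(power.values()), 0
    ranked = sorted(power.values(), reverse=True)
    for count, votes in enumerate(ranked, start=1):
        running += votes
        if running * 2 > total:
            return count
    return 0  # no voting power recorded

def majority_cost(circulating, participation, pool_tokens, pool_quote):
    """Quote-asset cost of buying enough tokens to match expected turnout.

    Uses the constant-product rule (x * y = k), so price impact is included.
    """
    needed = circulating * participation
    if needed >= pool_tokens:
        return math.inf  # the pool cannot supply that many tokens
    return pool_quote * needed / (pool_tokens - needed)

def governance_flags(power, cost, treasury, timelock_hours, multisig_signers):
    flags = []
    if cost < 0.10 * treasury:
        flags.append("attack cost below 10% of treasury value")
    if timelock_hours == 0:
        flags.append("no timelock on critical parameter changes")
    if min_majority_entities(power) < 5:
        flags.append("fewer than 5 entities can form a voting majority")
    if multisig_signers < 5:
        flags.append("emergency multisig has fewer than 5 signers")
    return flags

# Constructed snapshot: voting power in percent, pool reserves in tokens and USD.
POWER = {"foundation_a": 45, "foundation_b": 40,
         "delegate_1": 6, "delegate_2": 5, "delegate_3": 4}

if __name__ == "__main__":
    cost = majority_cost(100e6, 0.05, pool_tokens=20e6, pool_quote=10e6)
    print(f"majority cost: ${cost:,.0f}")
    for flag in governance_flags(POWER, cost, 50e6, 48, 3):
        print("FLAG:", flag)
```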
Area 5: Market Dynamics
How the token interacts with external markets affects protocol stability.
Liquidity depth. Is DEX and CEX liquidity sufficient for the token's role? If the token is collateral in lending markets, thin liquidity triggers liquidation cascades during price drops.
Correlation risk. If token value is heavily correlated with a single asset (typically ETH), protocol economics inherit that volatility. We evaluate whether this is managed or creates hidden risk.
Oracle dependency. Protocols that use token price in incentive calculations introduce oracle risk. We assess whether oracle manipulation could break incentive mechanisms.
Composability risk. How is the token used in other protocols? Significant supply locked in lending markets, yield aggregators, or liquid staking derivatives creates systemic dependencies. A bug in any integrated protocol can cascade.
We flag tokens used as major collateral without adequate liquidity depth, incentive calculations dependent on a single oracle source, >30% of circulating supply locked in a single external protocol, or protocols with no circuit breakers for extreme market conditions.
Area 6: Regulatory Exposure
Regulatory exposure is increasingly relevant, especially for protocols with token sales or revenue distribution.
Securities classification risk. We evaluate the token against established frameworks (Howey test, MiCA classification) for regulatory exposure. Revenue-sharing mechanisms, buyback programs, and profit-distribution features increase classification risk.
Geographic restrictions. Does the distribution or governance mechanism require compliance with specific jurisdictions? Are restricted persons adequately screened?
Disclosure adequacy. Are tokenomics documents sufficient for the regulatory regimes the protocol operates in? MiCA requires specific disclosures for certain token classifications—many projects we've reviewed were non-compliant on documentation alone.
Revenue-sharing that resembles dividend distribution, governance tokens with explicit profit-sharing, missing geographic restrictions, and outdated whitepaper disclosures all get flagged here.
The Audit Output
Our audits produce a structured report with findings categorized by severity:
Critical: Protocol failure, major value loss, or regulatory enforcement risk. Requires action before launch. Example: governance attack cost below treasury value.
High: Significantly increased risk or limited sustainability. Should be addressed before launch. Example: emission schedule depleting incentive budget before projected break-even.
Medium: Suboptimal outcomes or increased complexity. Address in the roadmap. Example: coordinated vesting cliff dates creating predictable sell pressure events.
Informational: Observations and optimization suggestions. Example: governance participation could improve with vote delegation.
Each finding includes the specific issue, the risk it creates, and a concrete recommendation. The goal isn't a pass/fail grade—it's a clear picture of where the risks are and what to do about them.
When to Get an Audit
Before TGE is ideal. Audit costs are a fraction of the cost of fixing broken tokenomics post-launch, when parameters are often immutable and community expectations are set.
Post-launch, audits are valuable when considering major parameter changes, adding incentive mechanisms, or evaluating governance proposals that modify economic parameters.
During fundraising, sophisticated investors increasingly require independent tokenomics audits alongside smart contract audits. A third-party economic review strengthens your credibility with capital that's seen too many projects with good code and bad economics.
What an Audit Won't Tell You
A tokenomics audit evaluates design, not execution. It won't predict whether the team will ship, whether timing is right, or whether the protocol achieves product-market fit.
What it does tell you is whether the economic design holds together under adversarial conditions—whether the incentives, supply mechanics, and governance are robust enough to give the protocol room to find product-market fit.
Interested in a tokenomics audit? Our audit services cover the full framework above—supply mechanics through regulatory assessment. Contact us to scope your engagement.