Cryptoasset Investing is Risky Business

Properly Assessing and Managing these Risks is Critical to Your Success

Five components of Risk Management:

  • Code Audit
  • Anti Fragile — gets stronger when stressed
  • Low funding risk (fiat)
  • Attack Risk
  • Regulatory

“An idea survives if it is a good risk manager, that is, not only doesn’t harm its holders, but favors their survival… More technically, it needs to be convex and reduce fragility somewhere.” — Nassim Nicholas Taleb

Replace “idea” with “coin” and you have the fundamental premise of assessing a cryptoasset’s risks.

“A coin survives if it is a good risk manager, that is, not only doesn’t harm its holders, but favors their survival… More technically, it needs to be convex and reduce fragility somewhere.”

Bitcoin demonstrates this concept well. It has been attacked both technically and psychologically. Withstanding these attacks has increased its robustness to future attacks, improving its chances for survival.

You’re looking for the same characteristics when evaluating other cryptoassets. When a fork is brewing and the community is at each other’s throats, can the project withstand and absorb this pressure, coming out the other side better for it?

Speed and complexity are the enemies. Projects doing complicated things rapidly need to compromise on something, typically security, which makes them vulnerable to volatility.

Given the up-and-down nature of crypto markets, you want to be long volatility, not short it. Your knowledge of a project and the landscape it’s competing in will always be incomplete. What you don’t know will always exceed what you do. The question is whether, as surprises come up, they will tend to be to the project’s benefit or at least minimally harmful.

Code Audit

One step projects can take to improve their anti-fragility is undergoing a code audit. Code audits review a project’s code base for vulnerabilities before they can be identified and exploited by malicious actors. Projects with verified code audits have reduced the technical risk to you as an investor, making them more attractive investments.

Scan Twitter and Reddit too, to verify that the project’s technical claims stand up to other investors’ scrutiny. Search the coin name/ticker and its #hashtag on Twitter.

No code audit? Make sure you review an independent technical analysis by trusted third parties.

You need to determine the potential for fraud by the core team before investing. The code of many cryptoassets has been discovered to include backdoors allowing for a variety of malfeasance. Make sure you are comfortable that this is not the case for a cryptoasset before including it in your portfolio.

Low Funding Risk

Creating a robust code base requires the ability to attract technical talent. Most of this talent still seeks payment in fiat, making projects better off holding their treasuries in fiat rather than in the asset used to raise funds, such as Bitcoin or Ethereum.

Note — This applies to funds raised for project development via ICOs etc… You do not want the project team selling off their personal tokens, as this misaligns their incentives with yours as an investor and should be considered a red flag.

You are looking to assemble a portfolio of cryptoassets with independent sources of return. The diversification benefit from a project whose treasury holds a large quantity of another cryptoasset is minimal.

Dappcapitulation provides a starting point for this type of information on ERC-20 projects, although it is often incomplete, requiring independent research to fully vet how a project is funding itself.


This information can often be hard to track down. If you are finding it challenging to obtain via research, get active on the message boards and apps to see what others have to say. Don’t hesitate to reach out to project teams directly, although you’ll want to independently confirm anything they tell you.

Attack Risk

For proof-of-work tokens, attack cost per day reflects the amount it would take to acquire the hash power required to initiate a 51% attack against the network. OnchainFX provides this for a variety of assets. In instances where it isn’t available via Onchain, you can usually track it down via a Google search or by investigating the project’s subreddit.

The higher the better. You will also want to evaluate the ratio of the attack cost to its current market cap. Larger projects will typically have higher attack costs because they are more attractive targets.

On a relative basis, if a large project has a low attack cost as a percentage of its market cap, it is more vulnerable than a small project with a lower absolute attack cost that is a higher percentage of its market cap.

I look for a ratio higher than 0.01% because this is around the typical cost of attacking Bitcoin, which has the longest, most secure track record.


Attack Cost Per Day / Market Cap > 0.01%

For non-proof-of-work tokens you will need to do a more qualitative assessment of attack risk. For staking tokens, top wallet holders are a good place to start. If a small percentage of wallets control the majority of supply, they could form an oligarchy to control the project via coordinated votes that may or may not be in the best interest of all users.
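As an added illustration (not code from the original post), the screen below applies the two checks above to constructed figures: the attack-cost-to-market-cap ratio against the 0.01% line for proof-of-work assets, and, for staking tokens, how many of the largest wallets together hold a majority of supply. All project names and numbers are made up.

```python
from dataclasses import dataclass

# Threshold used in the post: attack cost per day / market cap > 0.01%
MIN_ATTACK_COST_RATIO = 0.0001


@dataclass
class PowAsset:
    name: str
    market_cap_usd: float
    attack_cost_per_day_usd: float

    def attack_cost_ratio(self) -> float:
        """Daily 51%-attack cost as a fraction of market cap."""
        return self.attack_cost_per_day_usd / self.market_cap_usd

    def passes_screen(self) -> bool:
        return self.attack_cost_ratio() > MIN_ATTACK_COST_RATIO


def rank_by_attack_ratio(assets):
    """Most vulnerable first: lowest attack cost relative to market cap,
    regardless of the absolute dollar figure."""
    return sorted(assets, key=lambda a: a.attack_cost_ratio())


def holders_to_control_majority(balances, threshold=0.5):
    """Minimum number of the largest wallets whose combined balance exceeds
    `threshold` of total supply; fewer wallets means a tighter oligarchy."""
    total = sum(balances)
    if total <= 0:
        raise ValueError("total supply must be positive")
    running = 0.0
    for count, bal in enumerate(sorted(balances, reverse=True), start=1):
        running += bal
        if running / total > threshold:
            return count
    return len(balances)


# Constructed sample figures (hypothetical projects, not real data)
SAMPLE_POW = [
    PowAsset("BigCoin", 50_000_000_000, 2_500_000),  # 0.005%: fails screen
    PowAsset("SmallCoin", 200_000_000, 60_000),       # 0.03%: passes screen
]
SAMPLE_STAKE_BALANCES = [400, 150, 120, 80, 50, 50, 40, 40, 35, 35]

if __name__ == "__main__":
    for a in rank_by_attack_ratio(SAMPLE_POW):
        print(f"{a.name}: {a.attack_cost_ratio():.4%} passes={a.passes_screen()}")
    print("wallets needed for majority:",
          holders_to_control_majority(SAMPLE_STAKE_BALANCES))
```

BigCoin has the larger absolute attack cost yet ranks as the more vulnerable of the two, which is exactly the relative-basis point made above.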

Regulatory Risk

The regulatory risks around cryptoassets are continually evolving. In aggregate, it is reasonable to expect a higher impact on cryptoasset investments from regulation going forward than in the past. Some projects even seem to welcome regulations, as they think the establishment of clear rules will give them a competitive advantage.

The primary risk to most projects at this point is being deemed a security. Recent informal communication from the SEC indicated Ethereum was probably a security initially but has decentralized enough since issuance to no longer be one. So highly decentralized projects seemingly carry less regulatory risk.

In some instances, projects are returning investor funds rather than proceeding, out of concern that they could be deemed a security.

There are other risks beyond just issuance practices however. Governments sometimes crack down on activities like mining and exchanges. Cryptoassets heavily dependent on Chinese mining for security and Chinese exchanges for liquidity suddenly faced operational challenges when the government put into place regulations restricting these activities.

Given that even legal professionals struggle to assess the regulatory risks of cryptoassets, because of their newness and the uncertainty around how governments will proceed, wrapping your head around regulatory impact is challenging.

Some things to consider:

Founder Posturing — Some founders love to parrot their anti-regulation perspective for marketing purposes. If you say loudly, proudly, and repeatedly that the rules don’t apply to you, the rule makers will subject you to additional scrutiny.

Functionality — If the product is seeking to provide an alternative to a currently regulated option, it will generally be subject to additional scrutiny because of its comparability. Decentralized exchanges structured themselves in a way they thought would exempt them from the regulatory framework their centralized peers needed to adhere to, and in certain instances this has proven true. Recently, though, some DEX operators have been subject to regulatory actions because they were deemed to exhibit properties bringing them within the jurisdiction of regulators, most commonly in the US.

Technology — While generally hostile towards regulations in intent, some projects have deployed technology elegantly enough to minimize the consequences of this hostility. Privacy coins are an example of this. While their intent is to help anonymize transactions, circumventing regulatory structures that surveil payments, they execute these intentions within the bounds of the law by articulating use cases beyond just money laundering.

Language — In the privacy space, the contrast between how Monero and Zcash talk about regulation is instructive. Zcash goes out of its way to talk about all of the advantages of private transactions without touching much on how they could potentially be used in ways regulators disapprove of. Monero communications, by contrast, highlight the belief that the regulations are illegitimate and that users have the right to privacy. This gap means regulators would most likely focus their scrutiny on Monero rather than Zcash.

Potential regulatory impact is one of the trickiest things to evaluate as a cryptoasset investor. At least try to get a feel for it so you aren’t negatively surprised down the road, as many things that are unregulated today will likely not remain that way tomorrow.


Thanks for Reading

Sign up for my newsletter to stay up to date on my latest cryptoasset research!

Steven L. Miller