Distributed applications (DApps) are coming to Cardano. The excitement is palpable. Yet, as the ecosystem steps up a gear, the excitement about this new stage in our journey needs to be tempered with some caution.

Cardano is an open, permissionless blockchain. So there is no central company, or other body, exerting ownership and, with it, responsibility. Anyone can build on this platform and engage the community. This is one of its superpowers. Yet because anyone can build DApps, users need to be judicious. As the saying goes, ‘Do your own research’.

Researching means more than scrolling through search results or watching your favorite YouTuber talk about moonshots or chart patterns. By doing your own due diligence and taking your signal from the right community voices (amid the noise), you can give yourself the best chance of navigating the emergent landscape successfully. And with it, play your part in helping grow a safe, secure, and healthy ecosystem.

Some cautionary tales

Bad things have already happened on other chains.

• On December 3, 2021, Cryptocurrency News reported that 120m US dollars were lost in the Badger DAO hack.
• On November 30, 2021, Crypto Briefing reported that users lost 31m US dollars on Ethereum and Polygon.
• On November 19, 2021, CNBC reported that, according to Elliptic, over 10bn US dollars had been lost to scams and thefts so far in 2021. You can download the original report from Elliptic.
• On November 3, 2021, The India Bureau of Business Insider reported that 1.4bn US dollars had been lost in DeFi hacks, with about half recovered.
• Fraud also occurs in the UK. On October 18, 2021, Coindesk reported that, according to the City of London Police, over 146m pounds had been lost to fraud in the first ten months of 2021.

And finally, the SolanaBankBox project sounded good - until it wasn’t.

Now, publishing this list here isn’t meant to throw shade or proclaim superiority. There is no room for hubris here. Real people have lost real assets. Rather than look at these incidents with hubris and “It couldn’t happen to me,” we should take a position of empathy and take these hard lessons on board. Because we will have issues on Cardano, however much rigor has gone into the core platform. But together as a community, we must seek to minimize the chance and the severity when it does happen to us.

We have worked extremely hard at a core platform level on security. The core Cardano platform has been built to the most exacting standards. Cardano’s design is based on peer-reviewed academic research. Then, using formal methods, we create high-assurance software. The result is that Cardano provides a resilient, scalable platform. We add a full set of development and testing tools, including a testnet, to the platform. As part of our toolset, we support programming languages that suit formal verification by skilled software engineers.

Meanwhile, our education and support programs enhance the skills of the whole community. Wherever we speak to new Cardano DApp developers – and we have spoken to dozens already – we are strongly recommending that they commission an independent external audit for every DApp they create. As we advance, the new Plutus dAppStore will have three levels of certification available for DApps that choose to take advantage of it. Certification will be highly recommended, but it will never be mandated on a decentralized platform.

However, decentralization doesn’t mean we should accept a ‘wild west’ environment. Even with the noblest intentions, some DApps will include design flaws, have bugs, or be poorly supported by inexperienced devs. These issues could leave low-quality DApps more open to being hacked. There will even be DApps that are outright scams or rug pulls. Sadly this is inevitable at some point. And of course, our detractors will seize on these issues and seek to amplify them to damage our community.

It is the responsibility of each DApp developer to ensure that their application produces the correct results. Meanwhile, every responsible member of the community should do their own research and help educate others. In the end, it is up to individual users to protect themselves from bad actors. So be curious, even skeptical. Ask questions. Accept nothing at face value. Equally, be cautious in calling out scams - with so much FUD about, you should not add to the noise without due deliberation. And many of us will remember this cautionary tale from our childhoods…

So here are some tips, curated with the support of the Cardano community.

A fact checklist

Who are the developers?

Developers proud of their product will be easy to contact and responsive to questions. There should be a project website. Anonymity or pseudonymity is relatively common in crypto, but it is important to know the developer can be traced if money is involved. It is much easier for anonymous developers to disappear with your funds. Even if fully doxxed, is this the developer’s first project? Devs or code shops with a reputation have more to lose, while inexperienced developers are more likely to make mistakes or take shortcuts, especially if there is a rush to launch.

What is the project’s vision?

Do your best to ensure that the project’s values and actions align with your values. Look at decentralization, idealism, passion, and purpose.

FOMO is your enemy

If it’s a great application now, it will be a great application next week and next month. If the developer plays on your fear of missing out, that is a big red flag. Due diligence takes time. Be diligent.

Is it really, really good?

The old saying applies. If it’s too good to be true, it probably is. If the project offers higher than normal staking rewards, you need to be hyper-vigilant and very thorough in your investigation.

Celebrity endorsements

Endorsements can be bought, and they are often an essential ingredient of a pump and dump or rug pull. By design, retail investors first discover a dump or rug pull when their basket of tokens is suddenly worthless. Don’t put your trust in YouTubers, but take note of YouTubers you trust.

Is the product open source?

Not all trustworthy DApps need to be open source. However, if the product claims to be open source, you should check the claim. For example, the GitHub repository should be accessible and active. The names of people on GitHub should match at least some of the people on the project website.

Project documentation

There may be a white paper, lite paper, or other design documentation.

Perform a thorough fact check: check sources, investigate authors, ensure content is authentic and not plagiarized. Evidence of poor proofreading, missing content, or broken links in references should all raise concerns. If the white paper is on a ‘pay to publish’ site, you should take that into consideration.

Token distribution

If the project has an associated token, use a chain analysis tool to check for a concentration of token ownership. For example, it would raise concern if most of the project's tokens were allocated to a handful of wallets.

Is it a new project, or is it ported from another chain?

Check its reputation in its past life, if it had one. It still takes good developers to take full advantage of the Cardano platform.

If it is a new project, how new is it? Do the participants have any history in the crypto space?

Is the developer engaged on social media?

Look for an active community of users and reviewers. Look to see how recently the entities associated with the project were created. Be suspicious of new accounts with only a few tweets. Check the number of followers, too. Tools like Sparktoro are another way you can check real v fake followers.

How much testing has been done?

We would expect a good project to have been active on the testnet – and offering commentary in social channels – before its mainnet launch. The ongoing activities from projects like SundaeSwap and Adahandle are good models here, promoting the testnet launch through social media to allow end-users to test and build their understanding. We look forward to supporting more over the coming weeks and months.

Has an external audit been conducted?

Look for a respected organization that is independent of the developer. See below for some useful organizations.

Review the product against your requirements

No matter how good the product, it must be right for you. If you are looking to earn extra ada rewards or trade, it remains forever true – never risk more than you can afford to lose.

Some useful organizations

External organizations can help you learn more about the developer of the DApp. Also, DApp developers can enlist external companies to help with the development process.

More information about developers

• Check the Binance Project Reports page. It aims to cover the top crypto-projects and provide unbiased information.
• The Messari site provides research reports for organizations or individuals.
• Crunchbase provides data about organizations and individuals. There is a free trial; otherwise, this is a paid service.
• PitchBook is a financial data and software company. There is a free trial option available here too.
• Search LinkedIn profiles of people and companies.
• Use BetterWhois or a similar registry to find out when a website was created and basic details of who is behind it.

Companies that help with DApp development

• QuviQ is a Swedish company that specializes in property-based testing.
• Runtime Verification performs security audits. They have done a lot of work with IO Global.
• Certik, founded in 2018 by Yale University and Columbia University academics, is a pioneer in blockchain security. Certik uses best-in-class AI technology to secure and monitor blockchain protocols and smart contracts.
• Tweag is a software innovation lab that helps technology start-ups improve their engineering performance and execute high-risk, high-reward projects. They will be familiar to many readers from their work with Cardano.
• Well-Typed is a specialist Haskell consultancy company. Again, they will be familiar to many readers for work on Cardano.

Community curation

None of these sites offer any endorsement or guarantee of quality, but they are a good place to start:

Essential Cardano - a simple GitHub repo managed by IOG and directed to community PRs. The site aims to be comprehensive, and inclusion doesn't mean endorsement, but this is a good list. During 2022 the goal is to build out this resource - in collaboration with the community – as a more holistic ecosystem resource.

Cardano Cube – a community site with a mission ‘to make information more accessible by providing an overview of all projects and dApps building on Cardano’.

Building On Cardano – ‘a place to view what’s happening within the Cardano ecosystem’ from Stake Pool Operators Shamrock Pool & Cardano With Paul.

We shall continue to drive for higher standards of audit and certification for Cardano throughout 2022. We hope that initiatives like our DApp store will help drive better practice in #DeFi and #RealFi across the whole industry. But this will only go so far. Despite several years of development (and many failures) on other chains, this is still relatively early days for the space as a whole. No developer is infallible, no audit can be omniscient, no platform impenetrable.

As our industry matures, so will risk. Meanwhile, above all else, it is up to the community to develop an immune system that can identify the most obvious issues and help the headlines focus on the successes rather than the setbacks.

The way forward

The Cardano community can be a shining example of how to achieve success and safety without external regulation. Project Catalyst provides funds for development on Cardano, and some community challenges specifically target security.

As intelligent, skeptical consumers, users must demand only the best DApps. Supporting great DApps will nourish a population of honest, trustworthy developers. Together, we will reach our goal of becoming a flourishing, self-governing community.

The information provided here does not constitute investment advice, financial advice, trading advice, or any other sort of advice, and you should not treat any of this blog’s content as such.

Inclusion here of projects does not constitute an endorsement, guarantee, warranty, or recommendation by Input Output. Do conduct your own due diligence and consult your financial advisor before making any investment decisions or relying on any third-party services.

Thanks to community members including Shweta Chauhan, Dan Gambardello, Jaromir Tessar, and Matti Winnetou for their contributions to this piece.

Imagine buying a bottle of super premium spirits. Scan it with an app on your phone, and you know for certain that it is a genuine product, never opened or tampered with, and every ingredient can be traced to its source. All this without needing to trust the retailer or anyone in the supply chain.

That’s authentication security, and it will soon be a reality for customers of Strait Brands, an Australian producer of international award-winning spirits since 2006.

At the Cardano Summit 2021, IOG's Dan Friedman talked with Philip Ridyard, Strait Brands founder and MD, about using Atala SCAN for blockchain-based supply chain accreditation. Based in the Tamar Valley in Tasmania, Strait Brands is partnering with Input Output to embed Atala SCAN into their production and distribution processes. Watch the full interview.

Philip’s experience exporting to Asian countries has shown him the prevalence of counterfeiting and substitution in those markets. In the alcohol industry alone, counterfeited, mislabeled, substituted, or diluted products worth upwards of $40 billion a year are making their way to consumers. After ten years of searching, Philip has found the ideal solution in the immutability and auditability of blockchain technology, and ideal partners in the people of Input Output like Dan Friedman.

As Philip says, ‘For the launch of a super premium brand, to have super premium authentication and traceability is absolutely paramount.’ This authentication allows Strait Brands to offer not only the taste and texture of the product but the whole intellectual package that makes up the value offering. That includes the geographical location of Strait Brands in Tasmania, the pristine spring water, the agreements with local growers, the responsibly sourced ingredients, and the custom bottles. There will be four million bottles with Atala-compatible stoppers produced locally and distributed worldwide.

This partnership is timed to coincide with the coming release of a super-premium range to be known as Badger Head. The name comes from Badger Head Road, where the distillery is located, and from the term used by the British to describe the local wombats. The packaging includes a wombat motif.

Strait Brands is even planning a special Cardano-themed limited edition matched with CNFTs. More details of this will be announced soon!

The Cardano ecosystem is committed to supporting and growing our developer community. A vibrant, informed community is essential to the development of a decentralized, functional ecosystem with a diverse user base. In line with our open-source approach, as we evolve Cardano together, everyone can benefit from its decentralized financial solutions while delivering best-in-class blockchain technology.

To reach our common goals, it is essential that everyone participates in the development process and can always get the information, guidance, and assistance they need.

To support this mission, we are encouraging development talent and experts from across the globe to gather in one place – Cardano Stack Exchange. This developer hub is the ideal place to share experiences, ask and answer questions about all the streams of Cardano development and operations, and share resources. This site – being driven by members of the Cardano community – is one of the resources to help you learn how to develop decentralized applications (DApps) and write smart contracts.

What is Stack Exchange?

Cardano Stack Exchange originated from Stack Overflow, the free community website for developers created by Jeff Atwood and Joel Spolsky in 2008. The name was chosen by a voting process in April 2008 by readers of Coding Horror, Atwood's popular programming blog. From this beginning, the movement has grown to host many specialized Stack Exchanges.

One of the newest is dedicated to Cardano developers. Currently in beta, it is a community-moderated question-and-answer site where all Cardano developers, including Plutus pioneers, can get expert answers to a variety of questions, ranging from installation queries to configuration and implementation details.

This community-driven, decentralized philosophy of Stack Overflow fits particularly well with the open-source, decentralized philosophy of Cardano.

How it works

If you are stuck on an issue in Cardano, or curious about an element of its technology, the Stack Exchange is a great resource. It serves more as a place for specific questions about real problems than a discussion site like the Cardano Forum. This format means that you can easily find the questions you are looking for without getting lost in long-winded discussion threads. Once you come on board, you will have the opportunity to search all previous questions and suggested resolutions.

Examples of questions currently being answered on the site include:

What happens to staked ada after transferring ada to another wallet?

What is the maximum number of addresses in a Cardano Wallet?

How to create a serialized transaction without a local full node?

Your question might have already been answered; in this case, you can see how many times it has worked for someone. On the other hand, if you have a new question, someone else will probably encounter the same issue, and your question and answer will be helpful for them.

Cardano developers and support staff regularly check the site and will provide answers where they can. You can check for new questions too, and maybe provide an answer for someone else. The community elects the moderators and upvotes questions and answers to show appreciation.

The more you use the site, the more valuable it becomes. Users gain reputation points by asking questions, upvoting questions and answers, and providing answers to fellow developers. Reputation points increase your overall score and earn you more site privileges. Many people find that explaining something to another developer is one of the best ways to deepen their own understanding. The best way to learn, as they say, is through teaching.

How to get involved

We’re very keen to establish and grow our Stack Exchange presence. The site is currently in beta and can only grow with community usage and support. This is where you come in. We’d like to encourage you to ask a question – or a bunch of them if you like!

The site is completely free to use. Just provide an email address, set your password, and you’re good to go!

When someone from the community answers your question, you can return the favor by helping your fellow developers with possible resolutions and suggestions to their questions. When you receive an answer that works for you, remember to accept and upvote it. Considering the search terms that others might use will help you write a good question.

With the site currently still in beta phase, it needs wider adoption and activity to progress to full production. We encourage you to log on, get involved, and help make the site a valuable resource for everyone in the community.

The Stack Exchange initiative is truly a Cardano community effort. So particular thanks to all the contributors working to drive this project forward.

I would like to acknowledge Neil Burgess for his contribution to this article.