How to Check if a Pool Is Safe

Evaluating a liquidity pool for safety means checking four distinct failure modes: exploitable contract code, admin key risk, compromised token contracts, and thin liquidity enabling manipulation. This post maps each risk and the on-chain checks that address them.
Lewis Jackson
CEO and Founder

The question “is this pool safe?” sounds simple. It’s not — because “safe” covers at least four different failure scenarios, and most people check for only one of them.

The typical approach: is the pool on a reputable protocol? If yes, proceed. That’s a starting point, not a conclusion. The pool contract might be fine while the underlying tokens are compromised. Or the platform is legitimate but this specific pool was deployed yesterday by a team controlling the fee address. Evaluating a liquidity pool means understanding which failure modes exist and which apply to the pool you’re looking at.

The Four Failure Modes

When you deposit assets into a liquidity pool, you’re placing funds into a smart contract. That contract holds everything you deposited. There’s no insurance, no intermediary, and no pause button in most cases — if something goes wrong with the contract, your funds go with it.

The contract itself is exploitable. Smart contract vulnerabilities let attackers drain pool funds with carefully constructed transactions. The Curve Finance exploit in July 2023 came from a bug in certain older versions of the Vyper compiler (0.2.15, 0.2.16 and 0.3.0) that caused the reentrancy lock to fail, so pools compiled with those versions could be reentered even though their source marked the functions non-reentrant. The flaw was not in Curve's protocol logic but in the toolchain that produced the bytecode. Reputable audits reduce this risk substantially but don't eliminate it, because audits review the source as written, not the compiler that translated it or the bytecode that was actually deployed.

Admin functions create trust dependencies. Some pool contracts include functions that let an owner address withdraw funds, change fee structures, or migrate assets. These exist for legitimate reasons — emergency pauses, protocol upgrades — but they create risk if held by a single wallet. Protocols address this with multisig wallets (multiple parties must approve any action) and timelocks (changes require a waiting period before taking effect, giving users time to exit first). If neither exists, you’re trusting whoever holds the owner key. A timelock only helps if its delay is long enough for you to notice and exit, and if no other role can cancel or bypass it, so check who administers the timelock itself as well.

The token is the actual attack surface. This is where many pool-related losses actually happen. A pool can be deployed on a legitimate, audited protocol, but if one token in the pair has an owner-controlled mint function, the owner (or whoever steals the key) can create unlimited tokens, dump them into the pool, and drain the other side. The pool contract was never touched; the rug happened at the token level. Minting is the obvious case, not the only one: a token behind an upgradeable proxy can change its code after you checked it, owner-controlled transfer blocklists or pausable transfers can stop you from ever withdrawing, and fee-on-transfer tokens can break the pool's accounting.

Thin liquidity enables manipulation. Pools with low TVL are susceptible to price manipulation through large trades. This matters most when a pool is used as a price oracle by another protocol — if someone can spike or crash the pool price within a single transaction, they can manipulate downstream collateral valuations or trigger liquidations artificially. The capital is usually borrowed in a flash loan and returned in the same transaction, so the attacker's real cost is only the swap fees and slippage of pumping and unwinding, and both of those scale with the pool's depth. The lower the liquidity, the cheaper this attack becomes.
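To put a number on "cheaper", here is an added example (not code from the original post) that models a constant-product pool with a Uniswap-v2-style 0.3% fee and simulates a pump-then-unwind inside one transaction. The pool reserves, the `Pool` class and the helper names are constructed for this example; `quote_to_move_price` is the zero-fee closed form, and `manipulation_round_trip` simulates the same move with the fee so you can compare what a same-block spot oracle would read against what the attacker actually pays.

```python
"""Cost of manipulating a constant-product pool, as a function of pool depth.

Added example, not from the original post. Models an x*y=k pool with a 0.3% fee
that stays in the pool (Uniswap v2 style) and asks two questions:
  1. how much quote token must be swapped in to push the spot price up by a
     given factor, and
  2. what a pump-then-unwind inside one transaction (flash-loan style) costs
     the attacker once the position is closed.
All reserves below are constructed numbers, not real pools.
"""
import math
from dataclasses import dataclass


@dataclass
class Pool:
    base: float            # reserve of the token being priced
    quote: float           # reserve of the pricing token (e.g. a stablecoin)
    fee: float = 0.003     # swap fee, kept in the pool as extra reserve

    def spot_price(self) -> float:
        """Marginal price of one base token, in quote units."""
        return self.quote / self.base

    def swap(self, amount_in: float, quote_in: bool) -> float:
        """Constant-product swap; returns amount out and updates reserves."""
        reserve_in, reserve_out = (self.quote, self.base) if quote_in else (self.base, self.quote)
        effective = amount_in * (1.0 - self.fee)
        amount_out = reserve_out * effective / (reserve_in + effective)
        if quote_in:
            self.quote += amount_in
            self.base -= amount_out
        else:
            self.base += amount_in
            self.quote -= amount_out
        return amount_out


def quote_to_move_price(pool: Pool, factor: float) -> float:
    """Zero-fee closed form: quote needed so the spot price becomes factor * current.

    After selling dq quote, spot = (quote + dq)^2 / k, so factor = ((quote + dq) / quote)^2
    and dq = quote * (sqrt(factor) - 1). Linear in depth: half the liquidity, half the capital.
    """
    return pool.quote * (math.sqrt(factor) - 1.0)


def manipulation_round_trip(pool: Pool, factor: float) -> tuple[float, float]:
    """Pump the price by `factor`, then unwind. Returns (peak_factor, net_cost_in_quote).

    The peak is what a same-block spot-price oracle would read; the net cost is what
    the attacker pays (fees plus slippage) after swapping the base back.
    """
    p = Pool(pool.base, pool.quote, pool.fee)       # work on a copy
    start = p.spot_price()
    dq = quote_to_move_price(p, factor)
    base_out = p.swap(dq, quote_in=True)            # pump: sell quote, buy base
    peak = p.spot_price() / start
    quote_back = p.swap(base_out, quote_in=False)   # unwind: sell the base back
    return peak, dq - quote_back


if __name__ == "__main__":
    thin = Pool(base=20_000, quote=20_000)          # ~$40K TVL, constructed
    deep = Pool(base=25_000_000, quote=25_000_000)  # ~$50M TVL, constructed
    for name, pool in (("thin", thin), ("deep", deep)):
        peak, cost = manipulation_round_trip(pool, 2.0)
        print(f"{name}: doubling spot price peaks at x{peak:.3f}, round-trip cost {cost:,.0f} quote")
```

Doubling the spot price of the constructed $40K pool costs the attacker a few tens of dollars in fees and slippage; the same move on the $50M pool costs 1,250 times more, because every term in the round trip is linear in the reserves. That linearity is the whole argument for requiring deep liquidity (or a time-weighted price) before a pool is used as an oracle.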

Running the Checks

Confirm the contract address directly. Start on the protocol’s official UI, not a link from Discord or Telegram. Get the pool contract address there, then verify it on the relevant block explorer. Copy-pasting addresses from social media is a reliable way to end up in a phishing pool: a look-alike address that matches the first and last few characters of the real one, or a freshly deployed contract that simply forwards deposits to an attacker. Compare the full address, not just its ends.

Check the audit. Go to DeFiLlama’s protocol page or the protocol’s documentation and find the audit reports. Which firm conducted it? Trail of Bits, OpenZeppelin, Spearbit, Certora, and Pashov are considered rigorous; unknown or promotional-sounding firms are not useful signal. When was it done? Was the code modified afterward? Post-audit changes can introduce new bugs or reintroduce exactly the ones the audit identified. Check that the code actually deployed matches what was audited: the report names a commit or a set of files, and the explorer’s verified source (or the protocol’s deployment docs) tells you what is live. If they differ, the audit does not cover what you’re depositing into.

Look at the ownership structure. On the block explorer, find the pool contract and check whether it has an owner or admin function. If the owner address is a standard wallet rather than a multisig, that’s a meaningful risk concentration. Look for whether ownership has been renounced entirely (no owner = no admin access, but also no ability to pause in an emergency). Check whether there’s a timelock contract — most protocol governance pages or deployment documentation will describe this. If the pool or its factory is an upgradeable proxy, the address that can upgrade it is the real owner and the code you read today can be replaced; apply the same multisig and timelock questions to that upgrade role.

Verify both tokens separately. This is the step people skip. Even on a well-known DEX, the pool is only as safe as its worst token. Apply the same checks you’d use for any token: find the official contract address from the token’s own documentation, look for privileged mint, burn, pause or blocklist functions and for an upgradeable proxy, check the deployer wallet’s history, and confirm whether the audit covers the token contract — not just the protocol.

Check liquidity depth and history. A pool that appeared two days ago with $40K in TVL is a meaningfully different risk profile from the same token pair with two years of operation and $50M. Longevity matters because every day without incident is weak evidence of robustness. TVL trajectory matters too — look at it on DeFiLlama. Sustained growth or gradual decline is normal; a spike followed by rapid drain often signals insiders exiting before a rug.
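The ownership and token steps above both come down to the same question: which privileged functions does this contract expose? An explorer with verified source answers it directly; when source is missing, a first pass can be run on the raw bytecode. The following is an added example (not code from the original post or any explorer): Solidity's dispatcher compares the first four bytes of calldata with each public selector through a `PUSH4 <selector> ... EQ ... JUMPI` sequence, so collecting PUSH4 immediates on a proper opcode walk approximates the contract's function surface. The selector table is the first four bytes of keccak256 of each signature; `build_sample`, `classify` and `naive_selectors` are names chosen for this example, and the bytecode they operate on is constructed here rather than fetched with `eth_getCode`. Two caveats the code makes visible: a plain byte search for `0x63` false-positives on constants, which the opcode walk avoids, and a proxy's bytecode only shows the proxy's own functions, so for an upgradeable token you must also scan the implementation it points at.

```python
"""Heuristic scan of EVM runtime bytecode for privileged function selectors.

Added example, not code from the original post or from any block explorer.
The selector table is keccak256(signature)[:4]; the bytecode is constructed for
the example. On a real contract fetch runtime code with eth_getCode, and for a
proxy scan the implementation too (this walk only sees the proxy's own code).
"""

# Signatures whose presence means someone holds a privileged role.
PRIVILEGED = {
    "8da5cb5b": "owner()",
    "f2fde38b": "transferOwnership(address)",
    "715018a6": "renounceOwnership()",
    "40c10f19": "mint(address,uint256)",
    "9dc29fac": "burn(address,uint256)",
    "8456cb59": "pause()",
    "3f4ba83a": "unpause()",
    "3659cfe6": "upgradeTo(address)",
    "4f1ef286": "upgradeToAndCall(address,bytes)",
    "f9f92be4": "blacklist(address)",
    "f46901ed": "setFeeTo(address)",
}

# Ordinary ERC-20 surface, listed so the report can separate known from unknown.
BENIGN = {
    "18160ddd": "totalSupply()",
    "70a08231": "balanceOf(address)",
    "a9059cbb": "transfer(address,uint256)",
    "095ea7b3": "approve(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
}


def opcodes(code: bytes):
    """Yield (offset, opcode, immediate), skipping PUSH data so bytes inside a
    constant are never mistaken for instructions."""
    i = 0
    while i < len(code):
        op = code[i]
        if 0x60 <= op <= 0x7F:                  # PUSH1..PUSH32 carry 1..32 immediate bytes
            n = op - 0x5F
            yield i, op, code[i + 1 : i + 1 + n]
            i += 1 + n
        else:
            yield i, op, b""
            i += 1


def push4_selectors(code: bytes) -> set[str]:
    """Selectors seen as PUSH4 immediates on a proper opcode walk."""
    return {imm.hex() for _, op, imm in opcodes(code) if op == 0x63 and len(imm) == 4}


def naive_selectors(code: bytes) -> set[str]:
    """What a plain byte search for 0x63 reports; kept to show the false positives."""
    return {code[i + 1 : i + 5].hex() for i in range(len(code) - 4) if code[i] == 0x63}


def classify(code: bytes) -> dict[str, list[str]]:
    """Split the discovered selectors into privileged, benign and unknown."""
    found = push4_selectors(code)
    return {
        "privileged": sorted(PRIVILEGED[s] for s in found if s in PRIVILEGED),
        "benign": sorted(BENIGN[s] for s in found if s in BENIGN),
        "unknown": sorted(s for s in found if s not in PRIVILEGED and s not in BENIGN),
    }


def build_sample(selectors: list[str], decoy: bool = False) -> bytes:
    """Constructed dispatcher: PUSH1 0 CALLDATALOAD PUSH1 0xe0 SHR, then per function
    DUP1 PUSH4 sel EQ PUSH2 dest JUMPI. With decoy=True a PUSH32 constant embeds
    0x63 followed by the mint selector, which a byte search misreads as a function."""
    code = bytes.fromhex("60003560e01c")
    for i, sel in enumerate(selectors):
        dest = 0x0100 + 0x10 * i
        code += b"\x80\x63" + bytes.fromhex(sel) + b"\x14\x61" + dest.to_bytes(2, "big") + b"\x57"
    if decoy:
        payload = b"\x63" + bytes.fromhex("40c10f19")
        code += b"\x7f" + payload.ljust(32, b"\x00")
    return code + b"\x00"                        # STOP


if __name__ == "__main__":
    # Constructed token with owner-controlled mint and pause alongside ERC-20 basics.
    token = build_sample(["18160ddd", "70a08231", "a9059cbb", "8da5cb5b", "40c10f19", "8456cb59"])
    print("token:", classify(token))
    # Constructed clean token plus a decoy constant: walk finds nothing, byte search cries mint.
    clean = build_sample(["18160ddd", "70a08231", "a9059cbb"], decoy=True)
    print("clean walk:", classify(clean)["privileged"], "naive:", sorted(naive_selectors(clean)))
```

Treat an empty privileged list as "nothing obvious", not as a clean bill: functions can be dispatched through patterns other than PUSH4/EQ, and a contract with verified source should be read rather than scanned. The value of the scan is on the first pass over unverified or long-tail tokens, where a hit on `mint`, `blacklist` or `upgradeTo` tells you which question to ask next.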

What’s Changing

The check process itself is stable. What’s evolving is the tooling. DeFiLlama’s audit tracking, De.fi’s security scoring, and platforms like Tenderly now allow automated alerts on TVL drops and admin key activity. These reduce the time cost of checks but don’t replace understanding what you’re checking for — a tool that summarizes risk still requires you to know what the risk categories mean.

Confirmation signals: Protocol deployed by a known team, audited by a recognized firm within the last 12 months, admin access behind a multisig with a timelock, both tokens verified with clean deployer histories, substantial TVL with a multi-year track record.

Invalidation: Admin key is a single wallet with no timelock, contract was modified after the audit, one token in the pair has unresolved mint authority, pool is newly launched with thin liquidity relative to your intended position size.

Timing:

  • Now: Confirm the pool contract address from the official protocol UI and check ownership structure before depositing anything.
  • Next: On-chain security tooling is consolidating — check whether your analytics platform of choice has added security scoring or alert features.
  • Later: Account abstraction and smart wallet infrastructure may allow more granular permission controls on which contracts your wallet can interact with.

Boundary

This covers the primary on-chain checks for evaluating a liquidity pool. It doesn’t address smart contract insurance products (Nexus Mutual, Sherlock), which are a separate layer of risk management and worth understanding on their own. It also doesn’t address impermanent loss — that’s an economic risk distinct from the security risks described here. Pool safety and pool profitability are separate questions.

A pool that passes all these checks isn’t guaranteed safe. But skipping them means you don’t know which risk you’re accepting.
