CDA: Token verification in the Cardano Ecosystem

This article is for you if either

- you plan to buy tokens on a Decentralized Exchange

- you are planning to launch a new token

- you are building a Decentralized Exchange or an interface to one

There are plenty of Cardano native tokens in the Cardano Ecosystem (there are great descriptions on how to mint one by the Cardano Foundation.) This is great to see, as with them, promising new projects rise and present new and exciting concepts.

Together with the tokens, we have seen decentralized exchanges launching. MuesliSwap, SundaeSwap, and MinSwap are now all offering simple trading opportunities to their users.

Now there is an important question for users that want to buy tokens — we know DYOR, etc., but how? And what sources are reliable sources for the authenticity of a token? How do I as a token creator make sure that users can verify my token? And how do I as a DEX provide the best and most useful information to users?

There are three main established ways to register token information on Cardano. This information is intended to guide users when trying to find out the origin and authenticity of a token they intend to buy. Not all of them are equally suited to be used as a reliable source. And they should all be used with scrutinizing DYOR!

1. Token Metadata

CIP 25 and 38 define ways to attach metadata to a token (or NFT). This information is displayed by many wallets like GeroWallet and NFT explorers like pool.pm.

The token metadata is defined simply by attaching the metadata to a mint transaction of the token. This includes the token image, a description, a link to the homepage, etc. Since this is attached to a minting transaction (where the token is created), only a token owner (with the right to mint it) can change this information. If the actual token of a project has some metadata, it is guaranteed to come from the token owner.

However, this means that if someone creates a fake token, they can freely modify this token. So, if you find a token with the correct metadata, it does not mean that the token is the real one! It may be a scam or copy and was simply given the same metadata as the token you were looking for. It is important to be aware of the fact that this data is not reliable information about the authenticity of a token.

This means that both the logo as well as the linked website of a token can be unrelated to the token itself and forged, and it is possible that tokens may be dumped on users if the tokenomics are missing.

In summary:

2. Cardano Token Registry

The Cardano Token Registry is a repository managed by the Cardano Foundation. Token creators can submit Pull Requests there that register information about their token, such as the image, description, a number of decimal places (for display purposes), homepage, and more. This information is displayed on explorers like cardanoscan.io and many wallets.

The process of adding information is secured such that only the owner of a token can change the attached information. Since the pull requests are processed by real humans, there is slightly more reliability regarding their content. However, the creators also clearly deny any responsibility regarding the content of the repository. It should therefore not be regarded as a reliable source.

Here as well, both the logo as well as the linked website of a token can be unrelated to the token itself and forged (as they might not be checked by the repository owners), and it is possible that tokens may be dumped on users if the tokenomics are missing.

3. MuesliSwap Token Registry

The MuesliSwapTeam has added to the official ways their own approach. They host a repository and process pull requests on a case-by-case basis. This requires a small fee but involves checking the token website, comparing it to other existing tokens, and even involves checking for tokenomics provided by the token creator.

Of course, you still need to DYOR, but if a token is verified in this source, it is sure to be related to the website linked in its description and metadata. Information from this repository is currently only displayed on MuesliSwap itself, however. Since they offer a DEX aggregation feature, you can use their interface for placing Swaps on other platforms too while enjoying the additional information in the token registry.

Neither of these registry approaches is perfect, especially having user security in mind. The Cardano Defi Alliance is collaborating and thinking about ways to consistently improve token registration. The information displayed to users should be adapted by many dApps, therefore the Defi Alliance is the perfect place to craft new standards in this aspect.

In the meantime, each DEX and user should keep in mind basic rules

a) Always DYOR

b) Check policy ids with those posted on the websites of projects

c) Use more restrictive and human-tagged lists for token suggestions (like the one on https://MuesliSwap.com/markets/all)

For DEXs we advise to really only suggest trading of tokens to users that come from a verified whitelist. If users want to trade something off-the-list, they are best of being required to explicitly enter the policy id and token name from the project website of the token they want to buy.

Join the Cardano DeFi Alliance on Wednesday, May 25th, at 13:00 UTC (1 PM UTC)

For more information, please visit the www.cardanodefialliance.org website.