Stablecoins and payments: a complete guide for analysis and verification

Introduction
This guide is intended for investors, analysts, and advanced cryptocurrency users. Its goal is to provide a comprehensive framework for independent due diligence regarding the transparency and reliability of stablecoins. We will examine both documentary (off-chain) and blockchain-based (on-chain) verification methods, outline key risks, and offer practical tools. The guide assumes a basic understanding of how blockchain works and does not constitute financial advice.
Table of Contents
- Step 1: Jurisdiction, Issuer, and Licensing
- Step 2: Financial Statement Analysis and Audit Standards
- Step 3: Assessing Auditor Independence
- Step 4: On-chain Analysis: Issuance and Smart Contract Risks
- Step 5: Liquidity and Slippage Analysis
- Step 6: Proof-of-Reserves (PoR) Verification and Its Limitations
- Step 7: AML Screening of Counterparties
- Summary: Checklist and Issuer Request Template
Quick Overview (TL;DR)
This guide will teach you how to:
- Verify the legal framework: Identify the issuer's jurisdiction and whether they hold the necessary licenses (e.g., MiCA standards in the EU or NYDFS in the US).
- Read financial reports: Distinguish between an audit and an attestation, understand international standards (ISAE 3000, SOC), and evaluate reserve quality.
- Identify smart contract risks: Find dangerous functions (mint, pause), and check for audits and verified code.
- Evaluate real liquidity: Analyze market depth on CEXs and DEXs, and calculate potential slippage for large trades.
- Verify Proof-of-Reserves (PoR): Use cryptographic proofs and identify signs of manipulation.
Part 1. Documentary and Legal Verification (Off-chain)
Step 1: Identification of Issuer, Jurisdiction, and Licenses
Determine which company issues the stablecoin and under whose supervision it operates. This dictates the applicable regulatory norms and your rights as a holder.
How to proceed:
- Find the legal entity: On the stablecoin's official website (links can be found on CoinGecko or CoinMarketCap), look for the exact company name and country of registration in the "About Us" or "Legal Information" sections.
- Check licenses: Holding a license from a reputable regulator is a key indicator of reliability.
- For the EU (MiCA): Since June 30, 2024, an issuer must have a license to issue E-money tokens (EMT) or be a credit institution. MiCA compliance implies strict requirements for reserves (1:1), their segregation, and regular reporting.
- For the USA: Regulation is fragmented. Look for state-level licenses, such as the BitLicense from the New York State Department of Financial Services (NYDFS).
- Verify the information: Check for the license directly in public regulatory registries (e.g., the NYDFS database or future ESMA registries for MiCA).
Step 2: Financial Statement Analysis and Audit Standards
Understanding report types and the standards they follow is critical for assessing their credibility.
Report Types and Confidence Levels:
- Financial Statement Audit: The highest level of verification. The auditor provides an opinion on the fairness of all the company's financial statements in accordance with GAAP or IFRS standards. This is conducted infrequently (usually annually) and provides a comprehensive view of the issuer's financial health.
- Attestation Report: The most common format for stablecoins. An independent firm confirms a specific management assertion (e.g., "reserve volume matches the volume of issued tokens") as of a specific date.
- Standards: These reports are typically prepared according to international standards such as ISAE 3000 (for non-financial information) or SSAE/SOC (service organization standards popular in the US).
- Confidence Levels: An attestation can provide "reasonable" or "limited" assurance. Monthly reports most often provide limited assurance.
How to proceed:
- Find the "Transparency" section on the issuer's website.
- Examine the report:
- Document Title: Look for headings like "Independent Accountant’s Report" or "Attestation Report."
- Verification Standard: The report text should specify the standard used (e.g., ISAE 3000).
- Date: The report should be recent. Monthly attestations are the gold standard.
- Reserve Composition: Ideally, cash and short-term government bonds (U.S. Treasury bills). A high proportion of corporate bonds, other cryptocurrencies, or illiquid assets is a red flag. Historical controversies surrounding Tether (USDT) were often linked to the opacity of its reserve composition.
- Examine the list of custodians: The report should list the banks and financial institutions where fiat reserves are held. Check their reputation.
Step 3: Assessing Auditor Independence
The authority of a report depends directly on the reputation and independence of the verifying firm.
Criteria for verification:
- Reputation: Is the auditor a world-renowned firm (e.g., from the "Big Four" — Deloitte, PwC, EY, KPMG, or top 10 like BDO, Grant Thornton) or an obscure company?
- Conflict of Interest: Check for signs that undermine independence:
- The auditor is paid in the issuer's tokens.
- The auditor and issuer are affiliated entities (shared investors, subsidiary structures).
- The auditor simultaneously provides consulting services that could influence their objectivity.
Part 2. Blockchain Verification (On-chain)
Step 4: On-chain Analysis: Issuance and Smart Contract Risks
Data from reports must be confirmed by information on the public blockchain.
How to proceed:
- Verify Issuance: Use a blockchain explorer (Etherscan, Solscan) to find the token contract and check the Total Supply. This figure should roughly match the liabilities in the audit report.
- Analyze Holders: A high concentration of tokens in a few anonymous non-treasury addresses is a centralization risk.
- Check the Smart Contract Code: This is a key step for identifying hidden risks.
- Verified Code: Ensure the "Contract" tab on Etherscan has a green "Verified" checkmark. This allows anyone to read the source code.
- Dangerous Functions: Look for functions that give the administrator excessive powers:
- mint(): The ability to issue unlimited new tokens. It must be strictly controlled (e.g., accessible only to specific multisig addresses).
- burn(): The ability to burn tokens.
- pause(): The ability to halt all token transfers.
- blacklist()/freeze(): The ability to block individual addresses.
- Proxy Contracts (Upgradeability): Many projects use proxy patterns to update contract logic. This creates a risk: if the proxy administrator's private key is compromised, an attacker could replace the entire stablecoin's logic.
- Security Audits: Check the project’s website for security audit reports from reputable firms (e.g., Trail of Bits, OpenZeppelin, ConsenSys Diligence).
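As an added example (not from this guide or any issuer's code base), a small Python triage script that scans verified Solidity source copied from an explorer's "Contract" tab for the privileged functions listed above and reports which of them carry no access-control modifier. The contract fragment, the function list and the assumption that modifiers are named only* are constructed for the example.

```python
import re

# Constructed sample fragment of a verified stablecoin contract (not any real issuer's code).
SAMPLE_SOURCE = """
contract Token {
    function mint(address to, uint256 amount) external onlyOwner { _mint(to, amount); }
    function burn(address from, uint256 amount) external onlyOwner { _burn(from, amount); }
    function pause() external onlyRole(PAUSER_ROLE) { _pause(); }
    function blacklist(address account) external { _blacklisted[account] = true; }
    function upgradeTo(address impl) external onlyProxyOwner { _upgrade(impl); }
    function transfer(address to, uint256 amount) public returns (bool) { return _transfer(to, amount); }
}
"""

# Functions that hand an administrator control over supply, transfers, or the contract logic itself.
PRIVILEGED = {"mint", "burn", "pause", "unpause", "blacklist", "unblacklist",
              "freeze", "unfreeze", "upgradeTo", "upgradeToAndCall"}

# Assumed convention: access-control modifiers are named only*, e.g. onlyOwner, onlyRole(...).
ACCESS_MODIFIER = re.compile(r"\bonly[A-Za-z_]\w*")
# Matches a function header up to its body brace or terminating semicolon (interfaces).
FUNC_HEADER = re.compile(r"function\s+(\w+)\s*\(([^)]*)\)\s*([^{;]*)[{;]")

def find_privileged_functions(source):
    """Map each privileged function found to its access modifiers and a guarded flag."""
    found = {}
    for name, _params, header in FUNC_HEADER.findall(source):
        if name in PRIVILEGED:
            mods = ACCESS_MODIFIER.findall(header)
            found[name] = {"modifiers": mods, "guarded": bool(mods)}
    return found

def unguarded(source):
    """Privileged functions with no access modifier at all: read these by hand first."""
    return sorted(n for n, i in find_privileged_functions(source).items() if not i["guarded"])

if __name__ == "__main__":
    for name, info in find_privileged_functions(SAMPLE_SOURCE).items():
        print(f"{name:<12} guarded={info['guarded']} modifiers={info['modifiers']}")
    print("unguarded:", unguarded(SAMPLE_SOURCE))
```

A "guarded" result only means a modifier exists; who holds that role (a multisig or a single externally owned account) is the next thing to check on the explorer.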
Step 5: Liquidity and Slippage Analysis
Even a fully backed stablecoin is useless if it cannot be freely sold at face value.
How to proceed:
- Assess Market Depth on CEXs: On major exchanges (Binance, Coinbase), examine the order book. For institutional-level liquidity, it should be possible to sell a volume of $5–10 million with slippage of no more than 0.1–0.2%.
- Check TVL on DEXs: Use aggregators like DeFiLlama to check the Total Value Locked (TVL) in key pools (e.g., Curve, Uniswap). Pools with TVL in the hundreds of millions of dollars ensure price stability.
- Calculate Approximate Slippage: For AMM pools (e.g., Uniswap v2), slippage depends on the trade size relative to the pool size. For a pool with X tokens and Y stablecoins, selling ΔY stablecoins will lead to a significant price change if ΔY is comparable to Y. Large trades should be executed through aggregators that split them into parts.
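An added worked example (not from the guide) of the constant-product slippage described above, in Python: it computes the X received for selling ΔY into an X/Y pool, the resulting price impact, the largest sale that stays within a chosen impact, and the gain from splitting a sale across several pools. The 0.30% input fee and the pool sizes are constructed assumptions.

```python
# Assumed v2-style fee taken from the input amount (Uniswap v2 charges 0.30%).
FEE = 0.003

def amount_out(delta_y, x, y, fee=FEE):
    """X tokens received for selling delta_y of Y into a constant-product pool (x * y = k)."""
    dy = delta_y * (1 - fee)
    return x * dy / (y + dy)

def price_impact(delta_y, x, y, fee=FEE):
    """Shortfall of the realised price against the pre-trade spot price x/y (0.01 == 1%)."""
    realised = amount_out(delta_y, x, y, fee) / delta_y
    return 1 - realised / (x / y)

def max_trade_for_impact(y, max_impact):
    """Largest sale of Y whose fee-free price impact stays at or below max_impact.
    From 1 - 1/(1 + d/y) <= m  it follows that  d <= y * m / (1 - m)."""
    return y * max_impact / (1 - max_impact)

def split_sell(delta_y, pools, fee=FEE):
    """Total X received when a sale is split across several pools in proportion to each
    pool's Y reserve. For pools at the same price this equalises the per-pool impact,
    which is roughly what a routing aggregator does."""
    total_y = sum(y for _, y in pools)
    return sum(amount_out(delta_y * y / total_y, x, y, fee) for x, y in pools)

if __name__ == "__main__":
    # Constructed pools: reserves in units of one token, all quoting 1 X = 1 Y.
    big, mid, small = (10_000_000, 10_000_000), (5_000_000, 5_000_000), (2_000_000, 2_000_000)
    sale = 1_000_000  # delta_y comparable to the pool size: 10% of the big pool
    print(f"single pool impact: {price_impact(sale, *big):.2%}")
    print(f"split across 3 pools: {1 - split_sell(sale, [big, mid, small]) / sale:.2%}")
    print(f"max sale into a 100M pool at 0.2% impact: {max_trade_for_impact(100_000_000, 0.002):,.0f}")
```

These figures are for constant-product pools; stableswap pools such as Curve concentrate liquidity near 1:1 and show far lower impact for the same trade size.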
Step 6: Proof-of-Reserves (PoR) Verification and Its Limitations
PoR is a cryptographic method that proves an issuer or exchange holds sufficient reserves to cover liabilities.
How it works:
- An anonymized snapshot of all user balances is created.
- Data is hashed and organized into a Merkle Tree.
- The issuer publishes the root hash and a list of their on-chain reserve addresses. A user can use their "branch" of the tree (Merkle proof) to verify that their balance is included.
How to verify and what to watch for:
- Public Verification: A reliable PoR process must be fully verifiable. The issuer is obliged to publish:
- The source code of the verification script (usually on GitHub).
- The Merkle Tree root hash and the exact timestamp of the snapshot.
- A list of reserve addresses and cryptographic signatures proving ownership.
- Signs of PoR Manipulation:
- "One-day Snapshot": Large inflows to reserve wallets immediately before the PoR date and their withdrawal immediately after is a red flag. This may indicate borrowed funds.
- Opacity: Lack of public verification scripts or an incomplete list of addresses.
- Unaccounted Liabilities: PoR does not guarantee that reserves are unencumbered (e.g., they are not pledged as collateral for a loan).
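The Merkle-tree mechanism from "How it works" above, as an added Python example that is not any exchange's or issuer's published verification script: it hashes a constructed balance snapshot into a tree, produces the "branch" (Merkle proof) for one user, verifies it against the root, and totals the liabilities the published reserves must cover. The leaf and node encodings are assumptions for this example.

```python
import hashlib

# Constructed snapshot: (pseudonymous user id, balance). A real PoR snapshot has millions of rows.
CONSTRUCTED_BALANCES = [("u1", 1500), ("u2", 250), ("u3", 10_000), ("u4", 42), ("u5", 7)]

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(user_id: str, balance: int) -> bytes:
    # Domain-separated leaf; production schemes also add a per-user salt against brute-forcing balances.
    return sha256(b"leaf:" + f"{user_id}:{balance}".encode())

def node_hash(left: bytes, right: bytes) -> bytes:
    # Hash the pair in sorted order so a proof does not need left/right position flags.
    a, b = sorted((left, right))
    return sha256(b"node:" + a + b)

def build_tree(leaves):
    """Return all levels, levels[0] = leaves and levels[-1] = [root]; an odd last node is duplicated."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        lvl = levels[-1]
        if len(lvl) % 2:
            lvl = lvl + [lvl[-1]]
        levels.append([node_hash(lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
    return levels

def merkle_proof(levels, index):
    """Sibling hashes from the leaf at `index` up to the root: the user's 'branch'."""
    proof = []
    for lvl in levels[:-1]:
        if len(lvl) % 2:
            lvl = lvl + [lvl[-1]]
        proof.append(lvl[index ^ 1])
        index //= 2
    return proof

def verify_proof(leaf: bytes, proof, root: bytes) -> bool:
    node = leaf
    for sibling in proof:
        node = node_hash(node, sibling)
    return node == root

def total_liabilities(balances) -> int:
    # The sum the reserve addresses must cover; the tree proves this sum, not that reserves are unencumbered.
    return sum(balance for _, balance in balances)
```

A holder recomputes their own leaf from the balance they know, walks the published branch to the root, and compares it with the published root hash; a tampered balance fails that walk.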
Step 7: AML Screening of Counterparties
Interacting with "dirty" assets (linked to fraud or sanctions) can lead to your accounts being frozen.
How to proceed:
- Use AML Services: Utilize Chainalysis, Crystal Blockchain, or AMLBot to check the addresses you intend to interact with.
- Interpret the Result: The service will show a Risk Score. Avoid transactions with addresses having a high risk level (>70%) or direct links to illegal activity.
Important: AML scoring can produce false positives. High risk requires further investigation.
Summary: Checklist and Issuer Request Template
Summary Verification Checklist
| Category | Parameter | Criticality | Minimum Criteria / What to Check |
|---|---|---|---|
| Jurisdiction | License | Critical | License from a reputable jurisdiction (MiCA, NYDFS, MAS). |
| Jurisdiction | Reporting | Critical | Monthly reports (attestations) under ISAE 3000/SOC standards from a reputable firm. |
| Reserves | Asset Composition | Critical | >90% in cash and short-term government bonds. No risky assets. |
| Smart Contract | Audit and Functions | High | Verified code, audits present, no centralized risks (e.g., unlimited mint). |
| On-chain | Treasury Addresses | Important | Public list of addresses; ownership confirmed by cryptographic signature. |
| Liquidity | Market Depth | Important | Deep pools on key DEX/CEX; low slippage for large trades. |
| PoR | Transparency | Important | Public verification script; transaction analysis around the report date. |
| Auditor | Independence | Recommended | No obvious conflicts of interest (payment in tokens, affiliation, shared ownership structures). |
Issuer Request Template
Subject: Information request for [Name] stablecoin due diligence
Dear [Name] project team,
As part of an assessment of your stablecoin, please provide the following documents and data:
1. Financial Transparency:
- A direct link to the latest reserve attestation report.
- Clarification on which standard (e.g., ISAE 3000) it was prepared under.
- A detailed breakdown of off-chain reserves by asset type and custodian banks.
2. On-chain Verification:
- A complete and up-to-date list of treasury addresses across all networks.
- Cryptographic proof of control over the specified addresses (signed message).
3. Smart Contract Security:
- Links to all smart contract security audit reports.
Thank you in advance for your cooperation in ensuring transparency.
Sincerely,
[Your Name/Organization Name]
Useful Links and Sources
- MiCA Regulation (Markets in Crypto-Assets) — Official Text.
- International Auditing Standards (IAASB) — ISAE 3000 Standard.
- Circle (USDC) Transparency Report Example — Circle Transparency.
- PoR Verification Repository Example (Kraken) — Kraken Proof of Reserves.
- Blockchain Explorers: Etherscan, Solscan.
- DeFi Data Aggregators: DeFiLlama.