Since the launch of their rating agency in August 2016, the ICORating team has been constantly modifying and adapting its approach to the evaluation of projects staging ICOs in order to keep up with the dynamically developing industry. The assessment tools developed by ICORating are intended to help potential investors decide whether to buy tokens of startups staging an ICO/Token sale.
Risk-score is aimed at assessing the risk of potentially fraudulent activities. The higher the risk-score, the less information there is on the details of the ICO campaign, product development, the team and the documentation, which calls into question the possibility for success of the startup and the ICO/Token sale. Projects are evaluated against characteristics such as:
Smart Contract (for ICOs)
Risk-score is intended to give an investor an initial impression of a project and address any possible fraudulent intentions of the project founders, highlight the level of the project’s readiness and the presence or absence of a product.
The metrics of this parameter are divided into five levels: very low, low, medium, high, and very high. The lower the parameter, the lower the risk of fraud in the project and the higher the quality of its development. The secondary objective of this parameter is to demonstrate the startup’s chances for a successful ICO and further growth.
Hype-score shows the investor level of interest in the project. The higher the score, the more people might consider the project for future investments.
The parameter accounts for the following:
Number of users on the main social media pages of the project
Number of mentions in the press
Mentions in the mainstream technology media and in the prominent finance publications
Amount of search engine results
Main site traffic
The analyzed social media include the following platforms: Bitcointalk, Telegram, Twitter, YouTube, Medium.
Among the prominent financial publications, as well as the mainstream editions devoted to technologies, we identify such resources as Techcrunch, VentureBeat, Forbes, WSJ, Reuters, etc. Project mentions in the publications outside of the crypto industry scope increases exposure, which makes the project more visible and broadens the audience of potential investors. Moreover, mentions in the known IT and financial media reduce the risk of fraud.
Metrics of this parameter is divided into five levels: very low, low, medium, high, very high. The higher the score, the higher the interest in the project from the community. Great attention of the audience to a startup can serve as a good indicator of investment interest in the project, that is the level of potential demand for the startup tokens.
ICORating experts select the most interesting upcoming ICOs on a real-time basis. When assessing the level of interest, we consider the ICO’s idea, business model, technology, known or claimed partnerships/VC investors and community’s interest in social media. When doing so, experts are not assessing quantitative or financial metrics as well as associated risks.
When preparing all 3 types of reports (Basic Review, Investment Rating and Post-ICO) ICORating’s experts take into account the current state of the market in terms of both internal and external factors. Our team consists of professionals in the financial and IT industry. We strive to provide high-quality reviews based on our long-term experience with ICO analytics and add value for our clients and stakeholders.
ICORating analysts are open for communication with project representatives in the process of project analysis. Each ICORating report is itself subject of review and additional verification. Each month we assess more than 20 projects holding ICOs; our assessment is not automated and is based on a deep understanding of the market and thorough research and data collection.
Basic Review represents ICORating expert’s general overview and opinion about the project under consideration. Rating grade is not assigned in the Basic Review. This report is based on publicly available information about the project. ICORating experts carry out a basic review of a project giving their assessment of various project aspects:
General overview of the project
Public documentation sufficiency
The business model’s description, validity and viability
Technical overview of the product
Assessment of project’s roadmap
Elaboration of the financial plan (if there is any)
Project team evaluation
Assessment of target market dynamics.
Competitive environment assessment
A study of the internal economy of the project and ICO metrics
Social media analysis
When carrying out the review, ICORating experts provide a brief conclusion with their opinion about each aspect of the project. An overall conclusion highlighting the main project’s advantages and disadvantages is also provided at the end of report. ICORating does not assess the degree of project risks within Basic Review. Furthermore, as opposed to the Investment Rating report, the analysis itself is not as in-depth while still informative.
Investment Rating answers specific questions and addresses main issues which potential investors may face when assessing the project. ICORating experts consider the specifics of the blockchain industry as well as the specifics of project’s target market when analyzing the project. When third-party estimates are used (e.g. market size), ICORatings experts ensure that these estimates come from independent and soundable sources (industry experts, strategic analysts, etc) Currently our experts clusterize the projects that are launching their products on the basis of distributed ledger technology as follows:
Decentralized application platforms (Ethereum, EOS, NEO, etc.)
Interoperability (Polkadot, Cosmos, ICON, etc.)
Oracles (Oracles Network, etc.)
Decentralized Exchange Protocols (0x, SWAP, etc.)
User controlled Internet (Blockstack, Status, etc.)
Smart Contracts (Etherparty, Blockcat, Agrello.)
Dapps and special-purpose protocols (the most common categories — Financial services, Business Services, Value Exchange.)
IDuring analysis, ICORating experts cover the following aspects of the project:
Security Token Offering
If a project positions itself as an STO, regular ICO report and analysis methodology is still applicable, however, such aspects as project & token offering information, description of services & their applicability, roadmap, market outlook, teams, token analytics, token price factor analysis and investment risk analysis, will be supplemented with additional sections as follows:
The STO project must have ann established legal entity which will hold the STO
Our experts will obtain legal documents confirming the due incorporation and good standing of the issuer and verify the relevant information to the public ledger (to a possible extent)
Even if registered properly, the company may not be fully compliant for the purposes of the capital raising and its operating activity (e.g. licenses, certifications, AML/KYC procedures, etc)
Our experts will check respective regulatory frameworks and review the project documentation accordingly
We expect that in most jurisdictions a specific offering memorandum to be required which will stipulate key offering terms, token issuance and distribution procedures, risk disclosures and other matters as required by applicable regulatory frameworks
Our experts will check the availability and the contents of the offering documentation for compliance with respective laws
We expect that in most jurisdictions (e.g. EU or US) there will be specific limitations and procedures in respect of the investor’s rights (for example, transferability of tokens, clear and enforceable protection measures, refund procedures, etc)
Our experts will examine the relevant legislation and project documentation and highlight the potential risks and rights for investors
Regulation requirements may change often and different jurisdictions have different regulation
Our legal experts will continuously monitor regulatory environments in common ICO jurisdictions (EU, USD, South Korea, etc) and provide updates on uncommon jurisdictions, when needed
Financial, technical and investment aspects
Based on a high legal impact which STOs have, investment risks analysis and analysis methodology needs to be adjusted, accordingly
An additional “Legal” section will be introduced into the report structure and it will cover all legal matters which are relevant to a specific STO based on its jurisdiction. In addition, the “Investment risk analysis” section will be updated with new legal risks (if a project has any) and their weight when determining the overall rating score.
Specific offering terms and conditions like distribution, buyback, vesting, issuance and other significant offering terms may be fixed in the STO smart contract
Our technical experts will review the STO smart contract and check whether key STO terms are fixed in the smart contract code and whether the smart contract has any crucial errors or bugs. The result of such review will be considered when determining the project’s investment risks.
Token terms and/or regulation may require the project team to provide financial forecast information (e.g. dividend tokens may have dividend schedules or prospectus may require financial forecasts to be prepared by the project team)
If there is a requirement and information provided by the team in respect of financial prospects is sufficient, we will consider the implementation of valuation models for the tokens which will have dividends, profit sharing or ownership rights implied. When doing so, we will be able to estimate the project’s/token’s fair value thus adding value to both the project and its stakeholders.
General ICO information
Completeness of disclosure of information and transparency of the token distribution
Token/ICO metrics (total supply, tokens for sale, softcap, hardcap, stage caps, bonuses implied, token type, etc)
Project valuation at ICO price
Reasonableness of token allocation schedule
Availability of smart contract for review and quality of such contract
Use of proceeds allocation
Legal matters (ICO legislation, KYC procedures, availability of ToU, PP, TSA, etc)
Known or claimed VC investors which participated in the project
Announced incentives and bounty programs, if any
Other significant matters, if any
Overview of solution architecture
Assessment of proposed technological features and their applicability
Whether the team develops its own blockchain or uses existing solution
Assessment of the key roles in the system
How decentralization is achieved
What consensus algorithm is used
Analysis of justification provided by the project team for each of decisions made regarding the above matters
Existence of MVP/alpha/beta/testnet/mainnet
Overview of the project GitHub activity
Overview of the publicly available code
Services and their applicability
Assessment of the problem and proposed solution
Sufficiency of descriptions in the whitepaper
Applicability of the project’s solution to the target market in its current state including legal factors
Whether both business and technical development milestones are set
Sufficiency and reasonableness of the terms/milestones set
Team’s progress through the milestones so far
Whether the milestones are vague or specific
Completeness of the roadmap against team’s intentions and project features
Assessment of the size of target market
Overview of forecast market dynamics
Porter’s Five Forces analysis
Whether the milestones are vague or specific
Team, advisors and partners
Sufficiency of the project’s team both in terms of their experience and project’s roadmap
Team’s credentials (hackaton participations, patents, awards, etc)
Completeness and verifiability of the team roster
Endorsements and recommendations of the team members on their LinkedIn accounts
Blockchain expertise and target market expertise
Sufficiency and verifiability of advisory board
Soundable and verifiable partners/VC investors
Assessment of token economy design
Token’s type (utility, security, etc)
Applicability of proposed economic model for the purposes of the project
Analysis of external and internal factors which may have an impact on the future token price
Investment risk summary
Assessment of the existing project’s risks based on the analysis performed and issues identified, assignment of specific risk level for each risk identified Investment Rating answers the following questions:
Whether the stated information on the current state of the project, the team, the market and the degree of development of the technological component of the product is accurate.
What are the team’s chances of implementing the product or service with the stated (officially confirmed) set of developments, team competencies, business model, current market development and competitive environment.
What are the most significant project’s risks
When the review and analysis is complete, ICORating expert assign the rating to the project. The metrics of this parameter is divided into 10 levels (The higher the rate assigned to the project, the better the overall quality of the project’s documentation, and the lower the number of risks for future investors):
In the process of assigning a rating ICORating expresses its independent opinion of ICORating experts on the specific project as it is at the date of analysis. When writing a review and assigning a rating, ICORating experts check the validity of all figures and facts provided by the project team, using all relevant sources of information which are freely available. The lack of any necessary information in the public domain leads to a decrease in the rating score. Investment Rating is an analytical product of ICORating and cannot be considered as an investment recommendation.
Post-ICO Rating is designed to express ICORating's opinion on the actions which have been taken by the project team after the ICO. The analysis is aimed on assessment of the project’s performance after the ICO. During the analysis, we adhere to the standards of the project information disclosure. If the company refuses to provide the requested information for some reason, it may do so, but this may negatively affect the final assessment. The interests of investors should be protected and relevant risks should be assessed both at the ICO stage and after the ICO when active product development is in place. Companies tend to make a lot of promises in order to attract the necessary amount of money in a limited timeframe and investors tend to believe such promises. Disclosure of information on progress in product development, money spending, important news, state of the team and business operations is necessary in the current market, at least as a tool for self-regulation, risk mitigation, governance and transparency. When performing the analysis of the project in the post-ICO stage, we pay attention to the following points:
Product and business development: The state of the product at any stage (prototype, code, etc.) and the progress during the period under consideration as compared to the initial roadmap. Important releases of product and updates from the team as well as project’s GitHub activity. We also pay attention to any new partnerships, hackatons and conferences participation and other significant business development activities which the project’s team does
Finance: Post-ICO analytics and the ways of storing and managing money by the project team. Analysis of actual expenses incurred by types vs planned, analysis of revenue flows (if any) of the project (analysis of financial performance is possible if the necessary financial information is provided by the team).
Market dynamics: Analysis of market changes and the competitive environment of the project. Assessment of key milestones reached by the competitors and their potential effect on the token under consideration. Assessment of new entrants into the market (new ICOs in the same niche, etc).
Secondary market: Token performance on the secondary market, analysis of historical liquidity and volatility of the token, traders’ interest in the tokens, reaction of the token holders upon product releases, etc. Assessment of token performance vs competition (if any) and vs the market.
Assessment of the project’s valuation and estimate of valuation: we assess project’s valuation as opposed to the competitors’ valuation and provide an estimate of valuation (in case if required data is available) using 3 different approaches: capitalization-based approach, NVT-based approach and trend-based approach.
Legal: Analysis of stated obligations, activities of legal bodies related to the project, reactions to changes in legislation, and availability of licenses, if necessary.
Risk assessment: assessment of the existing project’s risks at the date of the analysis based on the analysis performed and issues identified
Other matters: We may draw attentions to other significant matters and issues which we believe are important for the stakeholders of the project Based on the facts collected and risks identified, each project is assigned with a Post-ICO rating which grade is similar to the Investment Rating.
People score – calculated based on weighted average of returns since ICO of the projects in which a person had participated. Funds score – calculated based on weighted average of returns since ICO of the project in which a fund had taken part in. Exchanges score – currently in development, collecting data.
General Exchange Security Rating (GESR)
GESR consists of four sections:
Domain & Registrar Security
For verification, accounts were created on each exchange and a test was conducted, on the extent to which the security of the user account was ensured, using the following parameters:
- A check for errors in the content of the exchange code, which could lead to malfunctions in the application.
- The ability to create a weak password.
- Confirmation of actions on the stock exchange through mail.
- Availability of 2FA.
Domain & Registrar Security
A check for errors related to the domain and registry. The following parameters were inspected:
- The Registry lock is a special flag in the registry (not your registrar) that prevents anyone from making changes to your domain without out-of-band communication with the registry.
- Security-conscious organizations avoid leaking this kind of private information by using role accounts to register their domain names. Role accounts protect individuals in your organization from being targeted by attackers.
- We recommend at least a 6-month expiration window for high profile domains. This is enough leeway to deal with unforeseen complications, such as an employee owning the domain leaving the company (again, this is a good reason to use Role Accounts).
- DNSSEC eliminates the threat of DNS cache poisoning by authenticating all DNS queries with cryptographic signatures. Instead of blindly caching DNS records, DNS servers will reject unauthenticated responses.
The web security was analyzed depending on whether the exchanges were protected from the following errors and attacks, and whether they met certain security standards:
HSTS header presence.
The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) lets a website tell browsers that it should only be accessed using HTTPS, instead of using HTTP.
Clickjacking attack protection
A malicious technique of tricking a web user into clicking on something different from what the user perceives they are clicking on.
Drive-by Download attack protection
Unintended download of computer software from the Internet.
Man-in-the-middle (MITM) attack protection
Attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.
POODLE attack protection
An exploit that takes advantage of the way some browsers deal with encryption.
Heartbleed attack protection
Leads to a leak of memory contents from the server to the client and from the client to the server.
Robot vulnerability protection
Vulnerability that allows RSA decryption and signing operations with the private key of a TLS server to be performed.
- HIPAA, PCI-DSS, NIST guidance compliance.
Denial-of-Service (DoS) attack protection
A cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet.
The selected exchanges have been analyzed according to the above mentioned categories with the following scoring system:
- User Account Security: Maximum 17 points, 4 parameters analyzed
- Registrar and Domain Security: Maximum 18 points, 4 parameters analyzed
- Web Security: Maximum 57 points, 10 parameters analyzed
- DoS attack protection: 8 points , 1 parameter analyzed
100 points maximum possible score when totalling the above.
|A+||(94 - 100)|
|A||(86 - 93)|
|A-||(77 - 85)|
|B+||(70 - 76)|
|B||(63 - 69)|
|B-||(55 - 62)|
|C+||(47 - 54)|
|C||(38 - 46)|
|C-||(0 - 37)|