Fake signals you trust in Web3

Crypto runs on a thin layer of signals that look like trust but are not. Can you name them? Of course you can: market cap chart; green audit badge; big green candle on price chart; logo wall of "backed by" investors; TVL; cute "verified team" sticker; 100k follower count. And so on…

Most of the time, these are what people look at before clicking "allow & approve." Almost always, they work for some time to filter teams, despite the fact that none of these things show the risk you take.

The market has worked like this for more than a decade. You scroll, you see numbers go brrrrr, you decide. That’s not new, but a hot take is that every one of those numbers can be manufactured, and many of them constantly are. 

Then the project performs perfectly on the metric, fails in the only way that prevents exploits, and everyone agrees afterward that the signal was always meaningless. Then we go pick a new signal and do it again. (Yes, even you. Yes, even me.)

This piece is about which signals can be faked, how, and what a non-fakeable signal would look like. CORE3 has opinions about this. And we will get to them.

Here is the working list of things crypto treats as proof of trustworthiness, with what each one measures and what it borrows when used as a trust indicator instead. What we mean is that the signal itself contributes nothing to risk. Instead, it wires a project to a trusted entity, and the wire is cheap.

Market cap. Borrows credibility from "the market." Measures price times circulating supply. Does not measure whether anyone would buy the next $10M of supply at anything close to that price. 

TVL. Borrows credibility from "users have voted with their capital." Measures dollars locked in a contract at current prices. Does not measure whether that liquidity is sticky, mercenary, double-counted across protocols, or paid for with the project's own freshly minted token. A protocol can buy its own TVL with incentives and call it adoption.

Trading volume. Borrows credibility from "lots of people are trading this." Measures transactions, not organic ones. A Columbia University study published in November 2025 estimated that in some weekly windows, almost 60% of Polymarket volume was inauthentic, with one cluster of 43,000+ wallets generating nearly $1M in volume mostly at sub-cent prices, almost all flagged as likely wash trades. Polymarket is one of the more visible platforms in crypto. 

Audit badge. Borrows credibility from the audit firm. Measures that a security firm reviewed a version of the code, on a specific date, against a specific scope. Does not measure whether the dependency changed, whether the multisig was migrated, or whether the team kept the practices. An audit from February did not stop a $285M drain in April.

KYC and "verified team." Borrows credibility from "a regulator-style process happened." Measures that a third party saw a passport. Does not measure whether the team is competent, honest, or still the same people holding the keys. 

Partner logos. Borrows credibility from the named partners. Measures that someone, somewhere, signed something. The "backed by" wall is the most lawyered, least informative element on most landing pages. A venture firm holding tokens it acquired in a seed round in 2022 is still on the logo wall in 2026 even after it has fully exited.

Follower counts, engagement, GitHub stars. Borrows credibility from "look how many people cares." All purchasable. There is a market for each one. (You can quote us on X on this when the next 200k-follower "DeFi protocol" rug pulls.)

Each of these started as a reasonable proxy for something. Then someone figured out how to spike the proxy without changing the underlying thing. *You’re here*

If you want a case where every green light was on, then turn your calendar to the page of April 13, 2025.

Mantra went into that Sunday as a top-50 token by market cap, with trending (then and now) RWA narrative, a $1B DAMAC tokenization deal, a VARA license (the FIRST) in Dubai, and investor backing that included Nomura's Laser Digital. 

Then OM fell roughly 90% over about an hour, erasing around $5.5B in market cap. Top wallets held more than 40% of the supply. The order book under the headline number could not absorb the move, and the price had no support.

Argue about who pushed first if you want. But the point is upstream: the public-facing signals (top-50 market cap, brand-name partners, RWA narrative, +400% chart) had nothing to do with whether the position was safe to hold. All those trusted signals were treated by the market as inputs.

If all these metrics are gameable, why does the market keep using them?

Same reason it keeps everything else. Fake signals are cheap, fast, and aesthetically rewarding. A dashboard with 8 green check marks closes a deal. You won’t find a team that says you can’t verify four of these parameters, and one they pay to game, because it won’t close a deal, and simply destroys borrowed reputation.

There is also a structural problem. The people who would benefit from harder signals are the ones who already do real work, who would rather not compete with projects that buy their metrics. The people who manufacture signals benefit directly. So the cost of cleanup falls on disciplined teams, and the upside of faking falls on undisciplined ones. The incentives are upside-down. (For more on why the market only fixes this after a loss, see the previous post.)

If you take the fakeable signals away, you are left with a question: what would risk information have to be in order to be worth anything?

We give them three properties, all boring.

Verifiable. A project can declare “we are secure”, and it will be worth nothing. The same project can publish certificates of confirmed audit coverage, control concentration, treasury composition, dependency exposure, and this will show quite a realistic risk posture.

CORE3's Probability of Loss (PoL) is built to be the second thing: a measured index from 0 (Exceptional) to 100 (Critical risk), based on a multi-parameter methodology applied identically across projects.

Continuous. Many metrics are snapshots: market cap, TVL, even audit. Risk, instead, is forward-looking. Unfakable metrics re-run as the inputs change (governance migration, concentration shift, liquidity drain, new dependency). With a benchmark like this, risk gaps become visible before the price chart reflects the news.

Objective. This is the part most "trust products" get wrong. They mix the measurement with the verdict, and then the verdict gets shopped, pressured, paid for, or polished. That separation is the integrity mechanism. Metrics of trust must be grounded in reality, not corrupted by opinion or influence. 

PoL reflects measurable loss exposure on a 0 to 100 scale, computed the same way for every project, updated as the inputs change. It reflects what the data currently shows about a project's security posture, financial integrity, operational maturity, regulatory exposure, reputational track record, and dependency surface. It does not reflect price, narrative, sentiment, or anyone's opinion of where the project is going.

That clarity is the whole point, and it is also where most people misread the number. A few rules, for PoL and for every other signal you read.

A low PoL does not mean a project is safe. It means measured loss exposure looks lower right now under this methodology. Conditions change. So does the score. Anyone telling you "low PoL equals approved" is misreading the tool, and we have written this explicitly into how we publish the metric.

A high PoL does not mean a project is a scam. It means the measurable risk signals look elevated. Sometimes that is because the project is early and has not built out the structures yet. Sometimes it is because the structures are missing on purpose. PoL flags the exposure. The "why" lives in PoO and in your own work.

No single number replaces judgment. The point of a comparable, continuous, derived risk index is not to outsource decisions. It is to make sure that when you do exercise judgment, you are exercising it against an honest baseline instead of against a metric someone built specifically to game you.

That is what PoL reflects. Risk you can compare, risk you can track over time, risk that does not get prettier because a marketing team wants it to. The cheapest thing the industry can do is stop pretending that "looks legitimate" and "is legitimate" are the same word.