a16z: How to issue tokens – a how-to guide from creation to escrow

原文标题：How to launch a token: Operational guidelines from creation to custody

原文作者：Adina Fischer，Matt Gleason，Justin Simcock

Source: a16zcrypto

Compiler: Lynn, Mars Finance

Editor's note: Given the fast-moving nature of the cryptocurrency industry, "how do I launch a token" is one of the most common questions founders ask. As the price rises, FOMO starts to emerge – everyone else is launching tokens, should I? — It's more important for builders to be cautious about tokens. So, in this special series of articles, we're going to cover launch readiness, risk management strategies, and more. Be sure to subscribe to our newsletter to learn more about tokens and other company-building resources.

When you want to launch a token, you need to consider a few steps from an operational perspective. This is even more true if you're working with any of the stakeholders regulated by the Securities and Exchange Commission (SEC). The purpose of this post is to lay out the logistics required to establish the protocol, ensure its security, and enable SEC-regulated entities to meet compliance requirements.

The first thing to know when launching a token is that it takes time and teamwork. The process involves multiple types of stakeholders – protocol developers, third-party custodians, staking providers, investors, employees, and others – all of whom must come to the same page when preparing to create and custody a new digital asset. Therefore, it is essential to understand each step of the process and allocate enough time to it.

Note that the set of guidelines below represents a snapshot of time. Best practices are likely to evolve as the market changes, new products emerge, and the regulatory environment evolves. At the same time, these guidelines can be a useful resource for protocol developers to consider when preparing for a token launch.

#1: Coordinate with custodians

For regulatory reasons, certain stakeholders may not be able to custodial Tokens unless supported by a third-party custodian who meets certain requirements, including registration with state or federal authorities and subject to oversight and inspection, participation in the protection of crypto assets as a regular and important component of their business, and regular financial, operational, and security reporting and auditing.

It's important to note that not all custodians are created equally. If your protocol has a large number of investors involved at launch to help ensure cybersecurity through staking or governance, it's essential to work with a high-quality third-party custodian months in advance so that they can get back. If you are unsure about the quality standards, ask your investors to clarify their needs. Don't assume that any custodian will have the ability to handle your tokens from the start. Plan accordingly.

Start the conversation early. A high-quality custodian can take about six to nine months or more to support a new Layer 1 blockchain (L1). More complex protocols, such as those that use SNARKs, have privacy features, or interact with Layer 2 (L2) networks, can lengthen the process. At the same time, tokens built on Ethereum, such as ERC-20 and NFTs, or tokens built on Solana, such as the Solana Library (SPL) token, are simpler and can take less time, such as three to five months (assuming no hurdles). Please note that these schedules are only rough estimates and may vary significantly depending on the custodian's requirements.

If your protocol requires staking and governance on day one, expect it to take more time to scale. Alert partners early. (For more information on supporting staking and governance, see Guideline 5.) Also consider the need for stakeholders to conduct due diligence on any custodians, staking providers, or other third-party vendors, including assessing their information security (infosec) and operational security practices.

#2: Conduct a security audit

To reduce the likelihood of problems during or after token launch, you should thoroughly review all code you write related to the token. This is usually in the form of a code audit, which is performed partially during the development of the project or all at once at the end of the development. Audits should be performed by reviewers with experience auditing similar products, with a focus on the potential for code abuse or software security.

Choosing an auditor is a daunting task as there is currently no governing body to certify auditors. Therefore, it is your responsibility to conduct due diligence to ensure that the auditor is adequately qualified. When reviewing the qualifications of an audit firm, you should ask yourself the following questions:

1. Does the auditor have a clearly defined testing methodology that can be provided to potential customers?
2. Does the approach address the main issues of the programme under review?
3. Does the approach include the use of industry-standard techniques and tools to detect software vulnerabilities?
4. Does the auditor have experience reviewing projects that are similar to the one being reviewed?
5. Has the auditor been involved in a project that has suffered a significant security breach after the auditor's review, and if so, is the bug or flaw exploited part of the code reviewed by the auditor?

The answers to these questions should state whether the auditor is ready and capable of reviewing your protocol in a way that is sufficient to detect and resolve errors before the software starts.

After commissioning an audit and receiving the auditor's initial report, you'll need to address all serious issues (high or severe severity issues, usually including medium severity issues as well) and selectively address less pressing, lower severity issues. You should provide a justification for any issues you choose not to address. Once the issues in the initial report have been resolved, ask the auditor to verify the completeness of the remediation.

Upon successful verification of the resolution of the reported issue, a final report shall be created and publicly released along with the protocol source code, or made available to all parties receiving or processing the tokens.

#3: Allocate and distribute tokens

After developing a schedule and conducting security audits in coordination with high-quality custodians and other stakeholders, it's time to start thinking about the distribution and delivery of tokens.

Protocol developers can distribute tokens in one of two ways: before or after the token launch (also known as a token generation event). Many stakeholders prefer to receive allocations prior to launch. In other words, they prefer to embed the wallet address into the genesis block, which is the first block when the blockchain is created. But this is by no means a requirement. Tokens allocated after launch can be delivered to stakeholders in batches, where each batch is equivalent to a percentage of the total token supply.

When it's time to distribute tokens, keep in mind where you're sending tokens, how many wallets you're distributing to, and trust but verify addresses. Stakeholders regulated by the SEC, such as RIAs, may request that tokens be delivered directly to their custodians. Stakeholders should have the option to have as many wallets as they want. This allows them to minimize the concentration of tokens in any given wallet, thus diversifying risk, in part due to insurance policies, including maximum limits per wallet or per account. Before distributing tokens, be sure to send a test transaction and verify receipt, as this reduces the likelihood of delivery errors.

In conclusion, protocol developers should ask themselves:

1. When will stakeholders receive assets (e.g., pre- or post-launch)?
2. Where will the stakeholders ask to send the tokens and how many wallets will each stakeholder request?
3. Will stakeholders receive all tokens immediately or in batches?

#4: Make sure to perform the lock

Token lock-up is one of the best mechanisms to prove belief in the long-term success of a project and to coordinate the long-term interests of stakeholders. This can be determined at different time periods, possibly much earlier than other token considerations, for example, when signing token warrants in a seed round.

The best practice is for all insiders (employees, investors, advisors, partners, etc.) to adhere to the same token vesting and lock-up period. If any of the insiders have different lock-up periods, or if the execution of those lock-ups is not clear, then this may inadvertently create unpredictable incentives, and some insiders may try to preemptively sell tokens. This can create distrust of the protocol and negatively impact it. Everyone involved should follow a similar timeline, and that timeline should guide everyone towards the long-term success of the project. (Note that these considerations should not prevent users from using tokens in blockchain networks or applications, even if that use is earlier than lock-up may allow.) ）

Once you've decided on the vesting period and lock-up period (which should not be less than one year from the token's issuance), you can choose to have the tokens distributed by a third-party custodian, programmatically, or both. Ideally, many stakeholders would seek to have the custodian receive the tokens and execute the lock-up and cash-out schedule from a legal and technical perspective. Other options include claiming tokens according to the vesting schedule through audited smart contracts or other third-party token vesting tools.

Key questions to ask at this stage:

1. Are all stakeholders bound by the same lock-up and vesting periods?
2. Can a custodian enforce a lock-up clause?
3. How will unlocked tokens be distributed according to the vesting schedule?

#5: Enable staking and governance

As mentioned in the first guide, if you need stakeholder participation and governance to secure your protocol, then you may need to coordinate with the custodian ahead of time. Protocol developers should not assume that custodians support the staking and governance of their tokens by default. Custodians need time, usually months, to establish staking and governance support.

If your protocol relies on stakeholders for staking or governance, then you may want to ask yourself the following questions.

Staking Questions:

• Will the custodian allow arbitrary delegation to a staking provider, or will the custodian pre-select a group of providers? (It may be helpful to work with a staking provider who is exploring the protocol and providing feedback during the testnet phase.) ）
• If the custodian pre-selects a set of staking providers, how will this affect the security of the network and the decentralization of the protocol? (Choosing a variety of staking providers with validators around the globe can help with a decentralized protocol.) ）
• Will the rewards compound, or do stakeholders need to reinvest? (Ideally, rewards are automatically re-staked, rather than manually re-staked.) ）
• Is there a minimum/maximum amount to stake per wallet?
• Do validator nodes have token minimum/maximum, and does this change over time?

Governance issues:

• If you expect stakeholders to participate in governance, will the custodian technically implement that involvement, or will they perform voting on behalf of the stakeholders?
• Will the protocol have on-chain or off-chain (e.g. via snapshots) voting?

—

To recap, if you're ready to launch a token, and the program includes SEC-regulated stakeholders, make sure to leave enough time for high-quality custodians to support your protocol. It is expected that the development timeframe will vary depending on the custodian and depends on the complexity of the protocol. The build time can be three to five months for more standard tokens such as Ethereum ERC-20 or Solana SPL, nine months for new blockchains, and even longer for tokens involving SNARKs, privacy features, or interacting with layer 2 (L2) networks. Start the conversation early.

Once you've established a realistic timeline, prepare for the next step. You can distribute tokens by embedding your wallet into the genesis block before launch, or you can distribute tokens in batches after launch. Either way, all stakeholders should adhere to the same token lock-up period and cash-out schedule to ensure consistency. Conduct any necessary audits and security assessments. Finally, research the staking and governance details of the protocol, which custodians and other stakeholders need to understand and prepare to help ensure its security.

If you follow these steps, you'll be able to handle the logistics required for a successful token offering well.