The token contract needs to be verified on Etherscan.
The token contract should have an audit from a known security auditor or explain why it wasn’t audited (for example, if it’s a standard token from the OpenZeppelin library).
The project should have a publicly visible test suite with decent test coverage.
Special administrative privileges over the protocol - such as minting privileges - should be restricted:
They should not be owned by EOA.
They can be governed by multisigs.
They can enforce timelock or similar restrictions.
Protocols that don’t comply with this should provide an explanation why (the DAO reserves the right to decide whether to accept the explanation or not).
The above may not contradict with the technical requirements - e.g. an upgradable token can not be whitelisted regardless of the reasoning.
The token contract should not be upgradable.
Only the token holders themselves should be able to transfer or burn their tokens. It shouldn’t be possible for any other account (including owners/admins) to transfer or burn tokens belonging to other users, without their explicit permission.
Minting of new tokens should be restricted and conform to the whitepaper and the security audit.
Rebasing tokens or tokens with elastic supply aren’t currently supported.
Tokens that apply transfer fees aren’t currently supported. Please note that tokens that have the fee mechanism in place but haven’t activated it yet are exempt.
Token transfers shouldn’t be pausable or subjected to a whitelist unless a reasonable explanation is provided.
There should not be any restrictions on transferring or trading (e.g., restricting how many blocks you have to hold a token before you can transfer it, fees/taxes on transfers, including to/from trading pools, etc.)
The token should be fairly distributed (e.g., it can’t be concentrated in a few addresses).