Meridian Risk Research

How We Rate Risk


A rigorous, multi-dimensional framework built on on-chain evidence, independent audit records, and structural analysis of protocol mechanics.

Five Dimensions

I. Smart Contract Risk: Audits, age, exploit history
II. Liquidity Risk: Exit mechanics, market depth
III. Counterparty Risk: Centralization, custody
IV. Yield Sustainability: Organic vs. emissions
V. Regulatory Risk: Jurisdiction, compliance
Dimension I

Smart Contract Risk

The integrity of a protocol's codebase is the first and most consequential variable we assess. We review the number and quality of independent audits, the audit firms involved, the time elapsed since the most recent audit relative to any contract modifications, and the protocol's response to discovered vulnerabilities.

Protocols with a single audit, audits older than eighteen months post-update, or audits from firms without established track records receive significant risk penalties. We also monitor bug bounty programs as a proxy for the team's commitment to ongoing security.

Contract age is weighted positively: code that has held significant value for multiple years without exploit carries an implicit track record that supplements formal audits.

Signal watched: Any unpatched critical vulnerability disclosed in the prior 12 months triggers an immediate Aggressive classification, regardless of other scores.

Dimension II

Liquidity Risk

Liquidity risk captures the probability and cost of exiting a position. We evaluate withdrawal queue depth, time-lock durations, redemption mechanism design (instant, epoch-based, or market-dependent), and on-chain depth for the underlying asset pairs.

For liquid staking and restaking protocols, we model stress scenarios: what happens to exit costs when 5% or 15% of depositors attempt to exit simultaneously. Protocols with shallow secondary market liquidity or illiquid withdrawal mechanics receive a Moderate or Aggressive classification regardless of other scores.

We source liquidity data from DeFiLlama, on-chain DEX pool depth, and protocol-native dashboards, cross-referenced every six hours.

Stress threshold: If simulated exit cost exceeds 0.8% slippage at 5% TVL outflow, the protocol is penalized one classification tier on liquidity.
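
The stress threshold above, worked as an added example (this is not Meridian's model or code). It assumes a single constant-product pool as the exit venue, and the pool reserves, TVL figure and the `Pool`, `exit_cost` and `stress_test` names are constructed for illustration; only the 5% and 15% scenarios, the 0.8% limit and the one-tier penalty come from the text.

```python
from dataclasses import dataclass

TIERS = ("Conservative", "Moderate", "Aggressive")
SLIPPAGE_LIMIT = 0.008       # 0.8% threshold stated on the page
THRESHOLD_OUTFLOW = 0.05     # 5% of TVL, stated on the page
SCENARIOS = (0.05, 0.15)     # stress scenarios named on the page


@dataclass(frozen=True)
class Pool:
    """Assumed constant-product pool: staked token vs. underlying asset."""
    token_reserve: float
    base_reserve: float
    fee: float = 0.0  # swap fee as a fraction; 0 isolates pure price impact


def exit_cost(pool: Pool, tokens_sold: float) -> float:
    """Fraction of value lost versus the pre-trade spot price."""
    if tokens_sold <= 0 or pool.token_reserve <= 0 or pool.base_reserve <= 0:
        raise ValueError("reserves and trade size must be positive")
    spot = pool.base_reserve / pool.token_reserve
    effective_in = tokens_sold * (1 - pool.fee)
    received = pool.base_reserve * effective_in / (pool.token_reserve + effective_in)
    return 1 - received / (tokens_sold * spot)


def stress_test(pool: Pool, tvl_tokens: float, liquidity_tier: str) -> dict:
    """Run the outflow scenarios and apply the one-tier liquidity penalty."""
    costs = {f: exit_cost(pool, f * tvl_tokens) for f in SCENARIOS}
    penalized = costs[THRESHOLD_OUTFLOW] > SLIPPAGE_LIMIT
    idx = TIERS.index(liquidity_tier)
    if penalized:
        idx = min(idx + 1, len(TIERS) - 1)  # already-Aggressive stays Aggressive
    return {"costs": costs, "penalized": penalized, "liquidity_tier": TIERS[idx]}


if __name__ == "__main__":
    # Constructed sample figures, not data for any real protocol.
    shallow = Pool(token_reserve=50_000, base_reserve=50_000)
    deep = Pool(token_reserve=200_000, base_reserve=200_000)
    for name, pool in (("shallow", shallow), ("deep", deep)):
        print(name, stress_test(pool, tvl_tokens=10_000, liquidity_tier="Conservative"))
```

With these constructed figures the shallow pool loses about 0.99% at a 5% outflow and is moved from Conservative to Moderate on liquidity, while the deeper pool stays near 0.25% and keeps its tier.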

Dimension III

Counterparty Risk

Not all DeFi protocols are equally decentralized. We assess the degree of centralization across key functions: admin key ownership, oracle dependency, upgrade mechanisms (timelocks, multisig configuration, guardian roles), and reliance on off-chain infrastructure.

A protocol governed by a 2-of-3 multisig with a 48-hour timelock is materially different from one governed by a DAO with a 7-day proposal period and a decentralized oracle network. We map these distinctions explicitly in our rating model.

Custody risk is scored separately: protocols that require assets to leave a user's wallet into a centralized custodian receive the highest counterparty penalty.

Centralization markers: Upgradeable proxy contracts without timelock, single-entity oracle control, or off-chain settlement each contribute a negative weight to the counterparty score.

Dimension IV

Yield Sustainability

We distinguish between yield generated from organic protocol revenue (trading fees, borrowing interest, network staking rewards) and yield subsidized by token emissions. Emission-based yields are subject to token price risk and schedule decay, and are treated with greater caution.

For each protocol, we model the yield source decomposition: what percentage comes from real economic activity versus inflationary rewards. Protocols where more than 40% of advertised yield derives from token emissions receive a sustainability haircut in our composite score.

Historical yield consistency is also measured: protocols with high standard deviation in weekly APY over a 90-day window are flagged as volatile, even if their current rate appears attractive.

Emission decay model: We project token emission schedules forward 12 months. If projected yield falls below 50% of current advertised rate, the gap is disclosed in the protocol card.

Dimension V

Regulatory Risk

Regulatory exposure varies substantially by protocol structure and jurisdiction. Protocols with incorporated legal entities in jurisdictions actively pursuing DeFi enforcement, those offering tokenized securities without appropriate registration, or those with identifiable centralized operators face elevated regulatory risk scores.

We do not make legal determinations, but we do assess publicly observable signals: regulatory correspondence, enforcement actions against similar structures, and protocol design choices that suggest awareness of (or indifference to) compliance obligations.

Jurisdictions under enhanced monitoring: US, EU (post-MiCA enforcement), and any jurisdiction with active enforcement actions against comparable protocols as of the current quarter.

Risk Matrix

How each dimension maps to the final classification.

Dimension Conservative Moderate Aggressive

Data Sources

Methodology & Update Frequency

Our risk scores are compiled from DeFiLlama protocol data (TVL, chain distribution), independent audit reports from firms including Trail of Bits, Chainalysis, Certik, OpenZeppelin, and Sigma Prime, on-chain analysis via Dune Analytics and Etherscan, governance forum activity, and regulatory filings where available. Scores are reviewed weekly, with intra-week alerts triggered by significant TVL movements (>20%), newly disclosed vulnerabilities, or enforcement actions.

“Risk is not a label. It is a structured argument. Every rating we publish must be defensible from first principles, not inherited from convention.”

— Head of Risk Research, Meridian

Apply the Framework

Browse curated yield opportunities, each rated against these five dimensions. Filter by risk profile, asset class, or target APY.

Non-custodial. No wallet connection required to browse.