TL;DR
For an ERC-4626 vault, the share price is the depositor's mark-to-market. When it falls below entry, the depositor takes a loss that reflects a shortfall inside the vault. Every input to that shortfall — oracle prices, liquidation execution, available pool depth, gas costs, network congestion — is endogenous to the vault's mechanical environment. None are fixed. Several are adversarially targeted in stress.
The framework from Anastasiia (@mathy_research), "DeFi Lending Credit Risk: A Three-Part Framework" (Vault Summit, April 2026), measures these mechanical channels directly across five dimensions. It is not a replacement for standard credit-risk analysis — it is a correction for the parts standard analysis assumes away.
(1) As a depositor, to stress-test a vault before putting capital into it. (2) As a curator or risk manager, to pressure-test your own parameterization. (3) As a reader of a TI research page, to understand why our Oracle, Liquidity, and Economic sub-scores on the DeFi Risk Methodology page exist in the first place — they are the same mechanical channels described here, scored at the protocol rather than the vault level.
Why mechanical risk needs its own framework
TokenIntel's DeFi Risk Methodology follows Anastasiia's three-layer taxonomy: mechanical risk (Layer 1), governance risk (Layer 2), and code-integrity risk (Layer 3). This page focuses exclusively on Layer 1 — the losses a vault can take while the contracts work as designed and the governance process behaves as expected. The five channels below do not score audit depth, upgrade authority, parameter-setting quality, or bridge dependencies. Those live in the other two layers.
A single ordering rule governs all of it, and it is easy to get wrong: measure Layer 3 first. If annualized code-integrity failure probability over your horizon exceeds the expected Layer 1 loss over the same horizon, tuning the mechanical channels is not rank-ordering your risk — it is rearranging deck chairs on a boat whose dominant failure mode is something else entirely. Clear Layer 3, then measure Layer 1.
A liquidation that executes at 3% below the oracle mark because the DEX pool is thin is mechanical. An oracle that reads $1.00 for a stablecoin trading at $0.025 on Curve is also mechanical — the contract is working exactly as it was configured to work; the loss comes from the configuration itself meeting an adversarial environment. Mechanical does not mean "small" or "benign." It means "arises from the system operating as designed under stress."
The five metrics
Each metric corrects a specific simplification that traditional credit-risk analysis carries over into DeFi without checking whether the simplification still holds. The attributions below summarize Anastasiia's framing; the intuition and worked examples are TI's.
Stress-adjusted asset coverage
What does the collateral ratio actually cover at the prices a liquidation will receive — not at the prices the oracle reports?
Standard credit-risk analysis divides collateral by liabilities at mark prices and pronounces anything above 1.0 "overcollateralized." That arithmetic assumes the mark is what the vault realizes on liquidation. In DeFi it often isn't. In stress, realized execution can fall below oracle marks by more than the coverage buffer — so a vault can look comfortably overcollateralized on any standard ratio and be structurally insolvent at the prices the collateral actually clears at.
- Collateral composition by asset, weighted by position size
- Historical realized-vs-oracle execution gaps on the liquidation venues the protocol routes to
- A defined stress set (e.g., collateral price shock, depth depletion, congestion) against which coverage is recomputed
The reading that matters is the worst-case effective coverage across your stress set, not the best-case or the average. If any single scenario pulls effective coverage below 1.0, the vault has structural exposure in that scenario — full stop. A vault that looks 1.25 covered on paper can be 0.92 covered in a realistic stress, and the honest reading is the 0.92.
Recovery endogeneity
The more collateral a vault has to liquidate, the worse the price it gets. Loss-given-default is a function of how much is being liquidated, not a fixed haircut.
Traditional LGD uses a historical haircut from past recoveries — a fixed number, applied linearly. That assumes a single liquidation doesn't move the market. DeFi liquidations route through onchain venues with finite depth: larger liquidation = worse execution = lower recovery = larger shortfall. Expected shortfall is nonlinear (superlinear) in liquidation mass, not proportional to it.
- Correlated leverage concentration. When many borrowers loop into the same collateral asset, simultaneous unwinding multiplies execution impact beyond what single-position history would suggest. Ten independent liquidations of $10M each typically clear more efficiently than one forced unwind of $100M into the same book.
- Rehypothecation depth. When collateral is itself a share token of another lending or yield strategy, a shock propagates through each layer — the cascade multiplier grows with each additional protocol in the dependency chain. A vault that accepts a wrapped LRT as collateral is implicitly taking on the recovery endogeneity of the LRT's underlying markets too.
Don't ask "what was the recovery in past stress?" Ask "what fraction of the liquidation pool is this vault responsible for, and how deep is the bid on the other side?" A well-collateralized vault with a concentrated collateral book and shallow exit venue is worse than a less-collateralized vault with diverse collateral and deep venues.
Liquidity stress index
How likely is utilization to hit the withdrawal-blocking ceiling within a given stress window?
Bank-run theory in TradFi leans on information asymmetry: individual depositors cannot easily observe what other depositors are doing, which dampens coordination and softens run incentives. Onchain state is fully public. Utilization, queue depth, collateral composition, and the identities of the largest depositors are all visible at the block level. What is probabilistic in TradFi — "will a run start?" — is close to deterministic in DeFi once the triggers align, because everyone sees the same state at the same time.
- Current utilization vs the withdrawal-blocking threshold (often 100%)
- Size and concentration of the depositor base
- Yield sustainability — how much of the current APR is emission-driven vs organic
- Upcoming calendar events (emission cliffs, unlocks, promotional periods ending)
Vaults leaning heavily on emission-driven yield face an extra run trigger when those emissions expire: the rate drops mechanically, marginal depositors leave, utilization climbs, and the remaining depositors face the same exit door through a narrower opening. Organic yield doesn't have this trigger in its calendar.
Oracle integrity
Two sub-channels: stale marks during drawdowns (oracle latency) and feasible manipulation of the reference source (oracle manipulation). Both are about the window between what the contract thinks a price is and what it actually is.
Oracle latency
What it corrects. Stale oracles during fast drawdowns let undercollateralized positions stay open past the point where they should have been liquidated. Worse, secondary actors can rationally borrow against those incorrect marks, accumulating bad debt the protocol has no claim on anyone to repay. Latency risk is structurally predictable from update frequency and the reference asset's realized volatility — it is not an "unknown unknown."
A 24-hour NAV oracle cadence on a stress-correlated synthetic stablecoin created a derivable false-solvency window. While market prices reflected the event in real time — RLP at $0.52, USR near $0.025 on Curve — the oracle continued reading $1.29 and ~$1.00 respectively. Borrowers rationally rotated into positions collateralized by the oracle-high, market-low tokens. The window wasn't bad luck; the oracle cadence vs. realized volatility made it arithmetically foreseeable.
Resolv case study source: Anastasiia (@mathy_research), Vault Summit April 2026.
For RWA-backed vaults, the oracle update mechanism is not a technical choice — it is a structural constraint of offchain attestation cadence. You cannot make an RWA feed tick every block if the underlying T-bill position is priced end-of-day. oracle latency may not be fully computable from onchain data for these vaults, and the right framing is often "RWA vaults are wearing this latency by design; the question is whether the LTV and liquidation buffer are sized to absorb it."
Oracle manipulation
What it corrects. Standard oracle risk analysis tends to look at volatility — "how noisy is this feed?" The right question is a threshold check: what is the cost to displace the oracle's reference market by enough to open the exploit, and does that cost fall below the manipulation payoff? A stable-but-thin market can be more manipulable than a volatile-but-deep one.
- Oracle update frequency and price deviation thresholds
- Realized volatility of the reference asset at the oracle's update cadence
- Depth of the oracle's reference market(s) — dollar cost to move the mark by the exploit threshold
- Feed redundancy: single source, median-of-N, TWAP across venues, circuit breakers
Execution viability (wrong-way risk)
When a position needs to be liquidated, can a liquidator actually execute the trade at a profit — given gas prices and MEV competition at that moment?
In stress, gas prices spike and MEV competition intensifies precisely when liquidations need to execute. Base-rate gas economics don't apply in the moments the liquidation incentive is tested. This is wrong-way risk in the classical credit sense: the probability of economic unviability is strictly higher conditional on stress than it is unconditionally. The variable you care about is negatively correlated with the scenario you're preparing for.
- Liquidation bonus (the incentive to the liquidator)
- Historical gas-price distribution, conditional on stress events on the same chain
- MEV competition on similar liquidation events (how much of the bonus accrues to the liquidator vs builders/relays)
- Position-size distribution in the vault — large positions need deeper venues to execute profitably
Raising the liquidation bonus is the obvious lever for execution viability: it increases the incentive for liquidators to show up in stress. But the same change worsens recovery endogeneity — every dollar of debt repaid seizes more collateral, amplifying execution impact on the exit venue. These two channels are not independent; they are linked through the parameter that governs both. A vault's liquidation bonus is a direct choice about how to split its Layer 1 risk between execution reliability and recovery quality.
The Vault Credit Score (VCS): one score, two operators
The five channels give you five numbers. A score compresses them into one. Anastasiia proposes two aggregation operators, and which one you use depends on what question you're answering.
Both operators start the same way: map each V-metric to a normalized value in [0, 1], where higher means lower risk (so "1" means the channel is robust; "0" means the channel has failed).
Additive (weighted average)
Right for routine dashboard monitoring when the five channels are partially independent. A weakness in one channel is offset in the score by strength in others, which is the behavior you want when the channels fail mostly independently. A pedagogical nod: the split-credit-ratings literature shows that averaging independent noisy estimates inherits an efficiency advantage over any single estimate — the same logic applies here when the stress regimes are genuinely uncorrelated.
Multiplicative (geometric)
By the AM-GM inequality, VCS_mult ≤ VCS_add always — weakly, with equality only when all V-scores are equal. Zero on any single metric forces the score to zero. This is the right behavior for correlated stress regimes, where a simultaneous collateral shock, depth depletion, and gas spike degrade all five channels jointly. In that world, a weak link breaks the chain, and the multiplicative operator honors that.
Additive for dashboards and ongoing monitoring. Multiplicative for formal stress assessment, risk limits, and go/no-go decisions. A vault can look healthy on the additive score and still be one liquidation event away from a zero on the multiplicative score.
The gap between them is itself a signal
A large gap between VCS_add and VCS_mult tells you something the additive score alone hides: the vault's risk is concentrated in one or two channels rather than spread evenly across five. The average is masking a weak link. When the gap widens, it usually means a single V-metric is approaching zero while the others are fine — which is exactly the profile that multiplicative scoring is designed to flag.
In practice, if you're only going to track one thing on a vault, track the ratio VCS_mult / VCS_add. It compresses into one number both "how good is this vault?" and "how concentrated is its risk?"
Scope and honest limits
VCS is a Layer 1 structural score. It does not answer:
- Whether the parameters are well-calibrated. A vault with a correctly normalized coverage score of 0.9 under one stress set might score 0.4 under a slightly harsher one. Stress-set design is a Layer 2 / governance-quality question, not a Layer 1 measurement.
- Whether the contracts are secure. If a Layer 3 failure (bug, exploit, unauthorized upgrade) is binding, these channel scores are informational only — the loss path is something they can't see. The DeFi Risk Methodology page covers the Smart Contract and Admin Architecture dimensions that score this.
- Whether Layer 3 is dominant in the first place. The dominance condition belongs earlier in the stack than any mechanical measurement. If your holding-horizon code-integrity failure probability exceeds expected mechanical loss, improving these channels doesn't reduce total expected loss — clearing Layer 3 does.
The right way to use VCS is as a conditional risk score: "given that the contracts execute as designed and the governance process behaves as expected, this is how the vault performs in stress." The full risk picture is VCS plus the Layer 2 and Layer 3 scores sitting on top of it.
A standard collateral ratio answers the question "what does the balance sheet show?" The five channels answer a different question: "what does the balance sheet show under the prices, depth, and gas environment the vault will actually face when stress arrives?" The two numbers are rarely the same. The difference between them is the credit risk that mechanical analysis surfaces and headline analysis misses.