TL;DR
For an ERC-4626 vault, the share price is the depositor's mark-to-market. When it falls below entry, the depositor takes a loss that reflects a shortfall inside the vault. Every input to that shortfall, oracle prices, liquidation execution, available pool depth, gas costs, network congestion, is endogenous to the vault's mechanical environment. None are fixed. Several are adversarially targeted in stress.
The framework from Anastasiia (@mathy_research), "DeFi Lending Credit Risk: A Three-Part Framework" (Vault Summit, April 2026), measures these mechanical channels directly across five dimensions. It is not a replacement for standard credit-risk analysis, it is a correction for the parts standard analysis assumes away.
(1) As a depositor, to stress-test a vault before putting capital into it. (2) As a curator or risk manager, to pressure-test your own parameterization. (3) As a reader of a TI research page, to understand why our Oracle, Liquidity, and Economic sub-scores on the DeFi Risk Methodology page exist in the first place, they are the same mechanical channels described here, scored at the protocol rather than the vault level.
Why mechanical risk needs its own framework
TokenIntel's DeFi Risk Methodology follows Anastasiia's three-layer taxonomy: mechanical risk (Layer 1), governance risk (Layer 2), and code-integrity risk (Layer 3). This page focuses exclusively on Layer 1, the losses a vault can take while the contracts work as designed and the governance process behaves as expected. The five channels below do not score audit depth, upgrade authority, parameter-setting quality, or bridge dependencies. Those live in the other two layers.
A single ordering rule governs all of it, and it is easy to get wrong: measure Layer 3 first. If annualized code-integrity failure probability over your horizon exceeds the expected Layer 1 loss over the same horizon, tuning the mechanical channels is not rank-ordering your risk, it is rearranging deck chairs on a boat whose dominant failure mode is something else entirely. Clear Layer 3, then measure Layer 1.
A liquidation that executes at 3% below the oracle mark because the DEX pool is thin is mechanical. An oracle that reads $1.00 for a stablecoin trading at $0.025 on Curve is also mechanical, the contract is working exactly as it was configured to work; the loss comes from the configuration itself meeting an adversarial environment. Mechanical does not mean "small" or "benign." It means "arises from the system operating as designed under stress."
The five metrics
Each metric corrects a specific simplification that traditional credit-risk analysis carries over into DeFi without checking whether the simplification still holds. The attributions below summarize Anastasiia's framing; the intuition and worked examples are TI's.
Stress-adjusted asset coverage
What does the collateral ratio actually cover at the prices a liquidation will receive, not at the prices the oracle reports?
Standard credit-risk analysis divides collateral by liabilities at mark prices and pronounces anything above 1.0 "overcollateralized." That arithmetic assumes the mark is what the vault realizes on liquidation. In DeFi it often isn't. In stress, realized execution can fall below oracle marks by more than the coverage buffer, so a vault can look comfortably overcollateralized on any standard ratio and be structurally insolvent at the prices the collateral actually clears at.
- Collateral composition by asset, weighted by position size
- Historical realized-vs-oracle execution gaps on the liquidation venues the protocol routes to
- A defined stress set (e.g., collateral price shock, depth depletion, congestion) against which coverage is recomputed
The reading that matters is the worst-case effective coverage across your stress set, not the best-case or the average. If any single scenario pulls effective coverage below 1.0, the vault has structural exposure in that scenario, full stop. A vault that looks 1.25 covered on paper can be 0.92 covered in a realistic stress, and the honest reading is the 0.92.
Recovery endogeneity
The more collateral a vault has to liquidate, the worse the price it gets. Loss-given-default is a function of how much is being liquidated, not a fixed haircut.
Traditional LGD uses a historical haircut from past recoveries, a fixed number, applied linearly. That assumes a single liquidation doesn't move the market. DeFi liquidations route through onchain venues with finite depth: larger liquidation = worse execution = lower recovery = larger shortfall. Expected shortfall is nonlinear (superlinear) in liquidation mass, not proportional to it.
- Correlated leverage concentration. When many borrowers loop into the same collateral asset, simultaneous unwinding multiplies execution impact beyond what single-position history would suggest. Ten independent liquidations of $10M each typically clear more efficiently than one forced unwind of $100M into the same book.
- Rehypothecation depth. When collateral is itself a share token of another lending or yield strategy, a shock propagates through each layer, the cascade multiplier grows with each additional protocol in the dependency chain. A vault that accepts a wrapped LRT as collateral is implicitly taking on the recovery endogeneity of the LRT's underlying markets too.
Don't ask "what was the recovery in past stress?" Ask "what fraction of the liquidation pool is this vault responsible for, and how deep is the bid on the other side?" A well-collateralized vault with a concentrated collateral book and shallow exit venue is worse than a less-collateralized vault with diverse collateral and deep venues.
Liquidity stress index
How likely is utilization to hit the withdrawal-blocking ceiling within a given stress window?
Bank-run theory in TradFi leans on information asymmetry: individual depositors cannot easily observe what other depositors are doing, which dampens coordination and softens run incentives. Onchain state is fully public. Utilization, queue depth, collateral composition, and the identities of the largest depositors are all visible at the block level. What is probabilistic in TradFi, "will a run start?", is close to deterministic in DeFi once the triggers align, because everyone sees the same state at the same time.
- Current utilization vs the withdrawal-blocking threshold (often 100%)
- Size and concentration of the depositor base
- Yield sustainability, how much of the current APR is emission-driven vs organic
- Upcoming calendar events (emission cliffs, unlocks, promotional periods ending)
Vaults leaning heavily on emission-driven yield face an extra run trigger when those emissions expire: the rate drops mechanically, marginal depositors leave, utilization climbs, and the remaining depositors face the same exit door through a narrower opening. Organic yield doesn't have this trigger in its calendar.
Oracle integrity
Two sub-channels: stale marks during drawdowns (oracle latency) and feasible manipulation of the reference source (oracle manipulation). Both are about the window between what the contract thinks a price is and what it actually is.
Oracle latency
What it corrects. Stale oracles during fast drawdowns let undercollateralized positions stay open past the point where they should have been liquidated. Worse, secondary actors can rationally borrow against those incorrect marks, accumulating bad debt the protocol has no claim on anyone to repay. Latency risk is structurally predictable from update frequency and the reference asset's realized volatility, it is not an "unknown unknown."
A 24-hour NAV oracle cadence on a stress-correlated synthetic stablecoin created a derivable false-solvency window. While market prices reflected the event in real time. RLP at $0.52, USR near $0.025 on Curve, the oracle continued reading $1.29 and ~$1.00 respectively. Borrowers rationally rotated into positions collateralized by the oracle-high, market-low tokens. The window wasn't bad luck; the oracle cadence vs. realized volatility made it arithmetically foreseeable.
Resolv case study source: Anastasiia (@mathy_research), Vault Summit April 2026.
For RWA-backed vaults, the oracle update mechanism is not a technical choice, it is a structural constraint of offchain attestation cadence. You cannot make an RWA feed tick every block if the underlying T-bill position is priced end-of-day. oracle latency may not be fully computable from onchain data for these vaults, and the right framing is often "RWA vaults are wearing this latency by design; the question is whether the LTV and liquidation buffer are sized to absorb it."
Oracle manipulation
What it corrects. Standard oracle risk analysis tends to look at volatility, "how noisy is this feed?" The right question is a threshold check: what is the cost to displace the oracle's reference market by enough to open the exploit, and does that cost fall below the manipulation payoff? A stable-but-thin market can be more manipulable than a volatile-but-deep one.
- Oracle update frequency and price deviation thresholds
- Realized volatility of the reference asset at the oracle's update cadence
- Depth of the oracle's reference market(s), dollar cost to move the mark by the exploit threshold
- Feed redundancy: single source, median-of-N, TWAP across venues, circuit breakers
Execution viability (wrong-way risk)
When a position needs to be liquidated, can a liquidator actually execute the trade at a profit, given gas prices and MEV competition at that moment?
In stress, gas prices spike and MEV competition intensifies precisely when liquidations need to execute. Base-rate gas economics don't apply in the moments the liquidation incentive is tested. This is wrong-way risk in the classical credit sense: the probability of economic unviability is strictly higher conditional on stress than it is unconditionally. The variable you care about is negatively correlated with the scenario you're preparing for.
- Liquidation bonus (the incentive to the liquidator)
- Historical gas-price distribution, conditional on stress events on the same chain
- MEV competition on similar liquidation events (how much of the bonus accrues to the liquidator vs builders/relays)
- Position-size distribution in the vault, large positions need deeper venues to execute profitably
Raising the liquidation bonus is the obvious lever for execution viability: it increases the incentive for liquidators to show up in stress. But the same change worsens recovery endogeneity, every dollar of debt repaid seizes more collateral, amplifying execution impact on the exit venue. These two channels are not independent; they are linked through the parameter that governs both. A vault's liquidation bonus is a direct choice about how to split its Layer 1 risk between execution reliability and recovery quality.
The five channels in the wild: a 2025-2026 incident catalog
The channels are abstractions. They become concrete in the incidents that actually cost depositors money over the past year. Each of the five recent stress events below maps cleanly onto one or more V-channels, and reading them as channel exposures (rather than as one-off accidents) is the point of the framework. Where an incident touches multiple channels, those are the multiplicative interactions a multiplicative VCS would have flagged.
Stream Finance / xUSD collapse (November 2025)
Channels exposed: V1 (coverage), V3 (liquidity), V4 (oracle). xUSD was a synthetic stablecoin accepted as collateral across Morpho and Euler vaults, holding $520M in TVL backed by only $160M in actual user deposits. The protocol was running roughly 3.25x leverage at the structural level before any individual user looped. When an external fund manager lost $93M, the asset depegged on secondary markets to a 70-80% discount, but the xUSD oracle feeds stayed pegged to $1, blocking the liquidations that would have contained losses (V4 latency). Vault utilization hit 100% as depositors raced for the exits (V3 stress), and stress-effective coverage on positions backed by xUSD collapsed (V1). Direct loss was $93M; ecosystem cascade through curator-managed vaults pushed total impact into the hundreds of millions. (Source: Castle Labs, "Vaultification of Finance," May 2026.)
Resolv / USR exploit (March 2026)
Channels exposed: V1 (coverage), V4 (oracle). An attacker minted roughly 80M unbacked USR tokens through a compromised signing key with only ~$100K-$200K of real collateral. USR and wstUSR depegged on secondary markets immediately, but Morpho and Fluid continued valuing wstUSR near the pre-depeg oracle price of ~$1.13. Traders bought cheap USR on the open market and deposited it at face value to drain the affected vaults. Bad debt cascaded across 15 Morpho vaults (~$10M) plus ~$21M on Fluid. The pre-existing Resolv worked example under V4 above covers the oracle-latency mechanism; this entry adds the cross-protocol fan-out: 16+ vaults across two protocols absorbed loss from a single oracle-stale window. (Source: Castle Labs, May 2026.)
Aave wstETH CAPO incident (March 2026)
Channels exposed: V4 (oracle), V2 (recovery). Aave's CAPO risk oracle priced wstETH at ~1.19 ETH while the market was at ~1.23 ETH, a 3.3% gap. The pricing error triggered the liquidation of 34 fully-collateralized accounts in a single block, generating $27.78M in erroneous liquidations before the error was corrected. The protocol mechanically did exactly what it was configured to do; the oracle just told it wrong (V4). Recovery endogeneity (V2) compounded the loss because the affected positions had to clear into the same block-level execution environment that liquidations under genuine stress would. The combined exposure is the right reading: a single channel weakness, in this case V4, triggered cross-channel propagation. (Source: Castle Labs, May 2026.)
JELLY incident on Hyperliquid HLP (Q1 2026)
Channels exposed: V5 (execution viability), V2 (recovery endogeneity). An attacker opened $4.05M in longs and a $4.1M short on JELLY at 20x leverage, covering roughly 40% of the token's circulating supply, then pumped JELLY spot across exchanges to liquidate their own short and trap the HLP on the losing side. HLP could not clear the position in the open market (V5 execution viability under stress, V2 recovery endogeneity at the limit of a thin venue). Hyperliquid's team manually delisted JELLY, closing the short for a $700K gain and avoiding a worst-case loss of more than $13M. The clean V5/V2 reading: when execution viability requires an action the smart contract cannot autonomously take, human override becomes the recovery mechanism, and the "decentralized" framing shows its limits. (Source: Castle Labs, May 2026.)
Venus zkSync wUSDM Donation Attack (March 2025)
Channels exposed: V1 (coverage), via an ERC-4626 mechanical pathway. An attacker exploited the share-rounding edge case in ERC-4626's standard implementation. By depositing 1 wei to a fresh vault to mint 1 share, then directly transferring (not depositing) a large amount of the underlying asset, the attacker inflated the share-to-asset ratio so that subsequent depositors below the threshold minted zero shares due to integer rounding and their assets accrued to the existing share pool, which the attacker controlled entirely. Roughly $700K of wUSDM was extracted before mitigations were applied. Strictly speaking this is a code-pathway attack rather than a mechanical V1 failure, but its effect on depositor coverage is identical: deposit assets, get zero share value back. The mitigation is internal balance tracking inside the vault rather than reading the underlying token balance at deposit time. (Source: Castle Labs, May 2026.)
Across these five incidents, V4 (oracle) appears in three, V1 (coverage) in three, V2 and V3 in two each, V5 in one. That distribution is not a coincidence. Oracle failures are the dominant published-loss channel in 2025-2026 because curators frequently choose hardcoded or low-cadence oracles to avoid false-positive liquidations on stablecoin collateral, which converts a small noise problem into a large tail problem. The empirical takeaway: a curator's oracle choice is the single highest-leverage decision in their parameter set, and a depositor's first question of any vault should be the same one. Castle Labs' May 2026 report and Anastasiia's framework converge on this independently from different angles.
The Vault Credit Score (VCS): one score, two operators
The five channels give you five numbers. A score compresses them into one. Anastasiia proposes two aggregation operators, and which one you use depends on what question you're answering.
Both operators start the same way: map each V-metric to a normalized value in [0, 1], where higher means lower risk (so "1" means the channel is robust; "0" means the channel has failed).
Additive (weighted average)
Right for routine dashboard monitoring when the five channels are partially independent. A weakness in one channel is offset in the score by strength in others, which is the behavior you want when the channels fail mostly independently. A pedagogical nod: the split-credit-ratings literature shows that averaging independent noisy estimates inherits an throughput advantage over any single estimate, the same logic applies here when the stress regimes are genuinely uncorrelated.
Multiplicative (geometric)
By the AM-GM inequality, VCS_mult ≤ VCS_add always, weakly, with equality only when all V-scores are equal. Zero on any single metric forces the score to zero. This is the right behavior for correlated stress regimes, where a simultaneous collateral shock, depth depletion, and gas spike degrade all five channels jointly. In that world, a weak link breaks the chain, and the multiplicative operator honors that.
Additive for dashboards and ongoing monitoring. Multiplicative for formal stress assessment, risk limits, and go/no-go decisions. A vault can look healthy on the additive score and still be one liquidation event away from a zero on the multiplicative score.
The gap between them is itself a signal
A large gap between VCS_add and VCS_mult tells you something the additive score alone hides: the vault's risk is concentrated in one or two channels rather than spread evenly across five. The average is masking a weak link. When the gap widens, it usually means a single V-metric is approaching zero while the others are fine, which is exactly the profile that multiplicative scoring is designed to flag.
In practice, if you're only going to track one thing on a vault, track the ratio VCS_mult / VCS_add. It compresses into one number both "how good is this vault?" and "how concentrated is its risk?"
Scope and honest limits
VCS is a Layer 1 structural score. It does not answer:
- Whether the parameters are well-calibrated. A vault with a correctly normalized coverage score of 0.9 under one stress set might score 0.4 under a slightly harsher one. Stress-set design is a Layer 2 / governance-quality question, not a Layer 1 measurement.
- Whether the contracts are secure. If a Layer 3 failure (bug, exploit, unauthorized upgrade) is binding, these channel scores are informational only, the loss path is something they can't see. The DeFi Risk Methodology page covers the Smart Contract and Admin Architecture dimensions that score this.
- Whether Layer 3 is dominant in the first place. The dominance condition belongs earlier in the stack than any mechanical measurement. If your holding-horizon code-integrity failure probability exceeds expected mechanical loss, improving these channels doesn't reduce total expected loss, clearing Layer 3 does.
The right way to use VCS is as a conditional risk score: "given that the contracts execute as designed and the governance process behaves as expected, this is how the vault performs in stress." The full risk picture is VCS plus the Layer 2 and Layer 3 scores sitting on top of it.
A standard collateral ratio answers the question "what does the balance sheet show?" The five channels answer a different question: "what does the balance sheet show under the prices, depth, and gas environment the vault will actually face when stress arrives?" The two numbers are rarely the same. The difference between them is the credit risk that mechanical analysis surfaces and headline analysis misses.
The rating-agency layer is forming
A depositor running this framework manually for every vault they consider is not a scalable model. The natural next step is third-party rating: someone else computes a comparable score across vaults, the depositor consumes the rating, and the parameter-by-parameter analysis becomes an audit on the rating agency rather than on each vault. This is how TradFi credit works (S&P, Moody's, Fitch), and an analogous layer is emerging for onchain vaults. None of the firms below are yet at coverage-and-credibility parity with the TradFi incumbents, but each is building a piece of the eventual rating stack.
- Xerberus. Risk ratings for digital assets including vaults. IPOR Fusion vaults are or will be independently risk-rated by Xerberus, providing the third-party verification leg that institutional allocators require before deploying capital.
- Credora. Credit-rating infrastructure originally built for centralized lending counterparties, extending into onchain vault rating. Methodology decomposes each strategy and assigns scores per risk factor.
- Firelight (incubated by Sentora). Risk pricing and insurance products as infrastructure, providing ratings for digital assets including vaults.
- Securitize Vault Registrar. Third-party NAV reporting on tokenized funds, plus an ERC standard mapping each investor to their identity for RWA-in-DeFi compliance. Different layer (identity + NAV) but feeds rating workflows.
- Sentora discovery and risk monitoring. Built on top of Upshift vaults; surfaces risk metrics for the broader vault ecosystem rather than just one curator's products.
- Blockworks vault credit scoring. Develops a standardized framework with the same three-layer structure as Anastasiia's: Mechanical Loss, Governance Quality, and Infrastructure and Code Integrity. Independent convergence on the same taxonomy is mild evidence the taxonomy is the right one.
The market for vault ratings is fragmented, lightly governed, and economically smaller than the asset base it nominally covers. Insurance limits across the ecosystem (Nexus Mutual is the largest onchain provider) remain very small relative to vault TVL, which means a depositor cannot currently buy meaningful coverage as a substitute for doing the diligence themselves. Read the rating agency layer as forming, not formed.
This page focuses on Layer 1 (mechanical) risk inside a single vault. The complementary view, the structural risks that arise from the curated-vault industry as a whole (curator-level concentration, fiduciary-duty gap, regulatory perimeter, single-curator failure mode that vault-level isolation does not address), lives on The Curator Economy. That page also includes a seven-category vault-risk taxonomy from Castle Labs that overlaps with but is not the same as the five mechanical channels here: their taxonomy is descriptive (what kind of incident), while this one is structural (what part of the vault's machinery the loss flows through). Two complementary lenses on the same product surface.