TokenIntel Research · Methodology

How TokenIntel Scores DeFi Protocol Risk

Six dimensions. Twenty published sub-criteria. Explicit weights. No vibes, no vague ratings. Every score on the DeFi Risk Map traces back to a decomposed rubric you can inspect.

The short version

TokenIntel's DeFi Risk Map grades each protocol on six dimensions: Smart Contract, Oracle, Governance, Liquidity, Economic, and Admin Architecture. Each dimension breaks down into three or four specific sub-criteria with explicit weights that sum to 100%. Each sub-criterion is scored 0 to 100 where lower is less risky. The dimension score is the weighted average of its sub-criteria. The overall protocol grade is the weighted average of dimension scores, converted to a letter (A to F).

Why publish the rubric?

Most DeFi risk scoring frameworks give you a single letter or number with minimal explanation of how it was computed. "Aave has an A rating" tells you almost nothing: what if audit coverage is strong but admin controls are weak? What if the protocol is immutable but depends on six off-chain custodians? A single aggregate number hides the tradeoffs that actually matter for a position decision.

TokenIntel takes the opposite approach. We decompose every dimension into specific sub-criteria, publish the weights, and show each sub-score individually on every protocol's Risk Map row. If you disagree with our weighting, you can reweight it yourself. If you think our score for a specific sub-criterion is wrong, you can see exactly which one and challenge it.

This framework is inspired by YieldCompass's DeFi strategy risk methodology, which pioneered this decomposition approach for Solana yield strategies. We adapted their ideas to TokenIntel's protocol-level scope and added TI-specific dimensions like Admin Architecture, which became more important after the April 2026 Drift Protocol exploit.

Scoring scale and letter grades

Every sub-criterion and dimension uses the same 0 to 100 scale where lower scores mean less risk. A sub-criterion score of 20 represents a protocol at low risk on that specific axis; a score of 80 represents a protocol that fails that check materially.

Dimension scores are the weighted average of their sub-criteria. The overall protocol risk score is the weighted average of the six dimension scores (weighted 20/15/15/15/15/20, see below). That 0 to 100 aggregate is mapped to a letter grade:

A (0 to 24)
Low risk across all dimensions. Top-tier audits, no hack history, deep liquidity, battle-tested admin architecture.
B (25 to 39)
Mostly strong with 1-2 moderate risks. Suitable for meaningful exposure with standard risk management.
C (40 to 54)
Mixed profile. Some dimensions strong, others concerning. Requires understanding which specific risks you are taking.
D (55 to 69)
Multiple material risks. Only appropriate for small, informed positions.
F (70 and up)
Severe risk on multiple dimensions. We do not recommend exposure regardless of yield.

Why not a finer scale?

We deliberately use coarse grades and round sub-scores to multiples of 5. Finer scales suggest precision we do not have. On a finer scale, a 27 and a 31 on the same sub-criterion would both mean "low moderate risk" in practice, but users anchor on the exact number and treat a four-point gap as meaningful. Coarse grades force honest, defensible scoring and make cross-protocol comparison easier.

The six dimensions and their sub-criteria

Each dimension is scoped to avoid overlap. Smart Contract covers the protocol's own code. Counterparty dependencies on external oracles, bridges, or custodians roll up under Oracle, Liquidity, or Admin Architecture as appropriate. Here is the full rubric.

1. Smart Contract

Dimension weight: 20%

Risk from bugs, exploits, or operational failures in the protocol's own fund-handling contracts. Higher weight than most other dimensions because smart contract failure is the fastest path to total loss.

Sub-criterion | Weight | What we evaluate
Audit Coverage & Depth | 30% | Count and depth of independent audits on contracts handling user funds. Bonus credit for formal verification and active bug bounty programs.
Hack History | 25% | Past exploits or critical incidents affecting user funds, weighted by recency, severity, and quality of remediation.
Version Lindy | 20% | How long the currently deployed fund-handling contracts have operated without critical failure. Not protocol age: if the vault contract was redeployed last month, Lindy is measured from then, not from the protocol's launch.
Upgradeability & Control | 25% | Immutable vs upgradeable contracts, who controls upgrade authority, and whether unilateral modification of user-critical logic is possible.

2. Oracle

Dimension weight: 15%

Risk from reliance on external or internal price feeds. A wrong price is indistinguishable from a wrong balance to most protocols.

Sub-criterion | Weight | What we evaluate
Oracle Architecture | 40% | Quality and diversity of price feed architecture. Chainlink multi-source preferred over single-source TWAPs or proprietary feeds.
Manipulation Resistance | 30% | Resistance to flash loan manipulation and MEV extraction. Heartbeat, staleness checks, and sanity bounds.
Fallback & Override | 30% | Presence of circuit breakers, fallback oracles, and emergency override authority when price feeds misbehave.

3. Governance

Dimension weight: 15%

Risk from how decisions are made and executed. Even a perfectly audited contract is only as safe as the process that decides what code runs next.

Sub-criterion | Weight | What we evaluate
Upgrade Authority | 40% | Who can push code changes. Timelock length, quorum requirements, and whether approval requires multi-entity sign-off.
Multisig & Key Custody | 30% | Multisig signer count, threshold, and diversity. Independent signers preferred over team-only.
Emergency Powers | 30% | Scope of unilateral pause, freeze, or recovery capabilities. Who holds them and under what conditions.

4. Liquidity

Dimension weight: 15%

Risk from being unable to exit a position when you want to. High displayed TVL means nothing if withdrawals are gated or slippage is catastrophic at size.

Sub-criterion | Weight | What we evaluate
Exit Depth | 40% | Slippage impact for large withdrawals. TVL relative to single-position exit size.
Withdrawal Constraints | 30% | Cooldowns, queues, withdrawal caps, and processing delays before funds are available.
Redemption Model | 30% | Instant on-chain redemption vs epoch-based vs reliance on secondary market liquidity.

5. Economic

Dimension weight: 15%

Risk that the protocol's economic model cannot sustain its own returns. Yield from genuine fees is durable; yield from emissions is a countdown timer.

Sub-criterion | Weight | What we evaluate
Revenue Durability | 40% | Real fees from genuine usage vs emissions or subsidies. Would the yield exist without the token?
Incentive Dependence | 30% | Fraction of displayed APY driven by temporary incentives, points, or token emissions rather than protocol revenue.
Token Capture Mechanism | 30% | Does the token have a mechanism (fee switch, buyback, burn) that routes real protocol revenue to holders?

6. Admin Architecture

Dimension weight: 20%

Risk from how administrative powers are scoped and custodied. This dimension was added after the April 2026 Drift Protocol attack, where $285M was drained in 12 minutes via 31 withdrawals using privileged access. A perfectly audited contract with a compromised admin key is still a zero.

Sub-criterion | Weight | What we evaluate
Key Custody Model | 30% | EOA vs multisig vs timelocked DAO controls. Separation of pause, parameter, and upgrade powers.
Signer Diversity | 25% | Independent signers across organizations vs team-only. Public identities preferred over anonymous.
Action Scope | 25% | What admin can change. Parameter-only changes are lower risk than arbitrary code upgrades or treasury access.
Risk Oversight | 20% | External risk advisory (Chaos Labs, Gauntlet, BlockScience) and maturity of incident response procedures.

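The arithmetic behind the rubric, from the "Scoring scale and letter grades" section through the six tables above, is small enough to write out in full. The following is an added worked example, not TokenIntel's own scoring code: the weights are the published ones, the sub-scores in SAMPLE are constructed for the example and describe no real protocol, the function names are ours, and two details the page does not specify are assumptions marked in the comments (half-way raw scores round up to the next multiple of 5, and a fractional aggregate is compared against the band lower bounds as is). The sample is chosen to show the point made under "Why publish the rubric?": a protocol with strong contracts and liquidity but a weak admin architecture lands in the B band overall while one dimension sits in the D band, and a reader who reweights toward Admin Architecture gets a different letter.

```python
"""Worked example of the TokenIntel-style decomposed risk score.

Added illustration, not TokenIntel's code. Weights are from the rubric;
the sub-scores in SAMPLE are constructed and describe no real protocol.
"""
from typing import Dict, Mapping, Tuple

# Dimension weights in percent, from the rubric (20/15/15/15/15/20).
DIMENSION_WEIGHTS: Dict[str, int] = {
    "Smart Contract": 20, "Oracle": 15, "Governance": 15,
    "Liquidity": 15, "Economic": 15, "Admin Architecture": 20,
}

# Sub-criterion weights in percent within each dimension, from the rubric.
RUBRIC: Dict[str, Dict[str, int]] = {
    "Smart Contract": {"Audit Coverage & Depth": 30, "Hack History": 25,
                       "Version Lindy": 20, "Upgradeability & Control": 25},
    "Oracle": {"Oracle Architecture": 40, "Manipulation Resistance": 30,
               "Fallback & Override": 30},
    "Governance": {"Upgrade Authority": 40, "Multisig & Key Custody": 30,
                   "Emergency Powers": 30},
    "Liquidity": {"Exit Depth": 40, "Withdrawal Constraints": 30,
                  "Redemption Model": 30},
    "Economic": {"Revenue Durability": 40, "Incentive Dependence": 30,
                 "Token Capture Mechanism": 30},
    "Admin Architecture": {"Key Custody Model": 30, "Signer Diversity": 25,
                           "Action Scope": 25, "Risk Oversight": 20},
}

# Letter bands as (lower bound, grade): A 0-24, B 25-39, C 40-54, D 55-69, F 70+.
# Assumption: a fractional aggregate is compared to the lower bounds as is,
# so 39.5 is still a B; the page does not say how fractions are treated.
GRADE_BANDS = [(70, "F"), (55, "D"), (40, "C"), (25, "B"), (0, "A")]


def check_weights(rubric: Mapping[str, Mapping[str, int]],
                  dim_weights: Mapping[str, int]) -> None:
    """Reject any weight set that does not sum to 100% at both levels."""
    if sum(dim_weights.values()) != 100:
        raise ValueError("dimension weights must sum to 100")
    for dim, subs in rubric.items():
        if dim not in dim_weights:
            raise ValueError(f"no dimension weight for {dim}")
        if sum(subs.values()) != 100:
            raise ValueError(f"sub-criterion weights for {dim} must sum to 100")


def round_to_5(score: float) -> int:
    """Snap a raw 0-100 sub-score to a multiple of 5 (assumption: half rounds up)."""
    if not 0 <= score <= 100:
        raise ValueError(f"sub-score {score} outside 0-100")
    return int(score / 5 + 0.5) * 5


def dimension_score(dim: str, sub_scores: Mapping[str, float]) -> float:
    """Weighted average of one dimension's (rounded) sub-criterion scores."""
    weights = RUBRIC[dim]
    missing = set(weights) - set(sub_scores)
    if missing:
        raise ValueError(f"{dim}: missing sub-scores {sorted(missing)}")
    return sum(w * round_to_5(sub_scores[s]) for s, w in weights.items()) / 100


def protocol_score(scores: Mapping[str, Mapping[str, float]],
                   dim_weights: Mapping[str, int] = DIMENSION_WEIGHTS,
                   ) -> Tuple[float, Dict[str, float]]:
    """Overall 0-100 risk score plus the per-dimension scores behind it.

    dim_weights may be replaced with a reader's own weights, which is the
    reweighting the methodology invites; sub-criterion weights stay fixed.
    """
    check_weights(RUBRIC, dim_weights)
    dims = {d: dimension_score(d, scores[d]) for d in RUBRIC}
    overall = sum(dim_weights[d] * dims[d] for d in dims) / 100
    return overall, dims


def letter_grade(overall: float) -> str:
    """Map the aggregate to A-F using the published bands."""
    for lower, grade in GRADE_BANDS:
        if overall >= lower:
            return grade
    raise ValueError(f"aggregate {overall} below 0")


# Constructed sample: strong contracts and liquidity, weak admin architecture.
SAMPLE = {
    "Smart Contract": {"Audit Coverage & Depth": 20, "Hack History": 10,
                       "Version Lindy": 40, "Upgradeability & Control": 30},
    "Oracle": {"Oracle Architecture": 15, "Manipulation Resistance": 20,
               "Fallback & Override": 30},
    "Governance": {"Upgrade Authority": 35, "Multisig & Key Custody": 40,
                   "Emergency Powers": 50},
    "Liquidity": {"Exit Depth": 20, "Withdrawal Constraints": 10,
                  "Redemption Model": 10},
    "Economic": {"Revenue Durability": 30, "Incentive Dependence": 45,
                 "Token Capture Mechanism": 60},
    "Admin Architecture": {"Key Custody Model": 50, "Signer Diversity": 60,
                           "Action Scope": 70, "Risk Oversight": 40},
}

# Hypothetical reader weighting that treats admin key risk as dominant.
ADMIN_HEAVY = {"Smart Contract": 15, "Oracle": 10, "Governance": 10,
               "Liquidity": 10, "Economic": 10, "Admin Architecture": 45}

if __name__ == "__main__":
    overall, dims = protocol_score(SAMPLE)
    for d, s in dims.items():
        print(f"{d:20s} {s:5.1f}  ({letter_grade(s)}-band)")
    print(f"overall {overall:.3f} -> {letter_grade(overall)}")
    reweighted, _ = protocol_score(SAMPLE, ADMIN_HEAVY)
    print(f"admin-heavy {reweighted:.3f} -> {letter_grade(reweighted)}")
```

With the published weights the sample scores 33.825 overall (B) while Admin Architecture alone is 55.5 (D band); with the admin-heavy weights the same sub-scores give 40.525 (C). That gap is exactly what the per-dimension display on the Risk Map is meant to expose, and check_weights is the guard you want before trusting any reweighting, including your own.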
Three additional checks on every protocol

Beyond the six scored dimensions, we track two binary checks and one count on every protocol research page. They are not weighted into the aggregate score because they function as red flags rather than as gradations: a protocol that fails either binary check has a structural problem regardless of its dimension scores, and a high dependency count widens the blast radius behind every other score.

Frontend Contract Consistency
Does the official user interface route transactions exclusively to documented and verified contract addresses? A "no" means the UI can send users to contracts the documentation does not list, so a swapped or modified frontend is harder for users to detect, which is a real attack vector.
Deployment Address Clarity
Are the deployed contract addresses clearly documented in the protocol's official documentation and independently verifiable on-chain? "No" means users cannot confirm what code they are interacting with.
Dependency Count
Count of independent external entities (oracles, bridges, custodians, off-chain service providers, upstream protocols) whose correct functioning is required for the protocol to operate safely. More dependencies means a broader blast radius in the event of any single failure.

What this framework does not capture

We are explicit about the limits of the rubric so users can apply it appropriately:

  • Regulatory risk varies by jurisdiction and changes faster than scheduled re-scoring can capture. We flag major regulatory actions on individual research pages as they happen.
  • Systemic contagion (what happens if a depeg cascades through 10 protocols that share collateral types) is not directly scored. Oracle and Liquidity sub-criteria cover the proximate risks; true contagion requires separate stress-test analysis.
  • Insurance and cover costs are not in the rubric. A protocol with expensive Nexus Mutual cover is signaling higher perceived risk from specialist underwriters, which is information we recommend users incorporate separately.
  • Team reputation and off-chain conduct are partially captured in Governance and Signer Diversity sub-criteria but not exhaustively. We do not score team members individually.

How scores are updated

Sub-criteria and dimension scores are reviewed on an ongoing basis. Changes are logged in the defi-risk-scores.json source file with a bumped lastUpdated date. Major changes (Chaos Labs departing Aave, Drift being attacked, a new audit round published) trigger same-day re-scoring. Smaller changes are re-evaluated weekly.

The framework itself is versioned. The current version (v2) was published in April 2026 after decomposing the original six-dimension aggregate scores into the twenty sub-criteria documented here.

See the framework in action

Every protocol on the DeFi Risk Map has its six dimension scores and twenty sub-criteria visible in context.

Open the DeFi Risk Map →