
Vault Risk Intelligence

Webacy continuously scores 2,800+ DeFi vaults across Ethereum, Arbitrum, Base, Optimism, Polygon, and BSC. Every vault gets a composite risk score, a listing verdict, real-time withdrawal signals, and a 90-day history.

At a glance: 2,800+ vaults scored; 6 chains covered; ~5 min price freshness; 90 days of score history; 24/7 monitoring.

Listing Verdict

Every vault receives a listing_verdict — a clear signal for teams deciding whether to integrate, list, or accept a vault as collateral. It's computed from the composite risk score plus hard blocking conditions, updated with every data refresh.

Verdict | When | What it means
Safe to list | Score < 30, no blocking flags | Structurally sound with no critical findings — suitable for listing or integration.
Caution | Score 30–54 | Moderate structural risk — list with active monitoring and exposure limits.
Review required | Score 55–74 | Elevated risk — manual security review recommended before proceeding.
Do not list | Score ≥ 75 or blocking flag present | Critical structural issue — do not list. Blocking flags: redemption_closed, dormant, unverified.

Available via GET /api/vaults as the listing_verdict field on each vault item.

Withdrawal Risk

The withdrawal_risk field tells you how freely users can exit a vault right now. For Morpho vaults, utilization is fetched live every ~5 minutes, so this signal reflects actual on-chain liquidity — not yesterday's data.

blocked

Redemptions are disabled at the contract level. No withdrawals possible.

locked

Lockup period > 7 days. Funds cannot be withdrawn until the lockup expires.

high_utilization

Morpho utilization > 95%. Most assets are currently borrowed — partial exits available, full exit requires waiting for borrowers to repay.

constrained

Morpho utilization 85–95%. Partial liquidity available; large withdrawals may fail.

delayed

Withdrawal delay or timelock is set. Exits require a waiting period before execution.

Real-Time Data Signals

Several signals are fetched live at request time and overlaid on top of nightly pipeline data. This means the dashboard reflects current on-chain conditions, not just yesterday's snapshot.

Signal | Source | Freshness | Coverage
Share price | DeFiLlama coins API | ~5 min | ~18% of vaults (those with DEX liquidity)
Morpho utilization rate | Morpho Blue GraphQL | ~5 min | All Morpho vaults
Vault score (utilization) | Recomputed from live utilization | ~5 min | All Morpho vaults
Withdrawal risk level | Live utilization + stored flags | ~5 min | All vaults

Price indicator: A green dot (●) next to a share price means DeFiLlama provided a live quote. A grey dot means the price is from the last nightly pipeline run. Prices above $500 or equal to zero are treated as bad data and shown as —.

Score History & Trends

Every vault detail page includes a 90-day score sparkline so you can see whether a vault is improving, degrading, or stable over time. The delta badge shows the score change vs 30 days ago.

Each daily snapshot records:
• Risk score (0–100)
• Tier (low / medium / high / critical)
• Active risk flags
• Share price
• Looping exposure %

History endpoint: GET /api/vaults/[chain:address]/history — returns up to 90 snapshots.

Share Price & Depeg Signals

last_share_price is the vault token price in USD. For yield-bearing vaults — sDAI, sUSDe, Yearn, Fluid — the share price legitimately drifts above $1 as yield accumulates. This is expected behaviour, not a risk signal. Depeg flags only fire when the price falls meaningfully below par.

Red — Depeg
Price < $0.97
≥ 3% below peg. Score penalty applied.
Amber — Watch
$0.97 – $1.00
Minor deviation. Monitor closely.
Normal
≥ $1.00
Healthy or yield-accumulating.

Risk Score Methodology

The composite score (0–100) is a weighted sum of sub-scores. Higher = riskier. The score feeds directly into the listing verdict and tier.

Sub-Score | Weight | What it measures
Protocol risk | 15% | Trading Strategy label: Blacklisted / Severe / Dangerous / High / Unknown
Closed liquidity | 12% | Deposits or redemptions currently closed — curator-intentional vs utilization-driven distinguished
Centralization | 12% | EOA owner, pause capability, admin key concentration, strategy manager
Code | 10% | Contract verification + audit count. Unverified: +65 sub-score. Zero audits: +30. Each audit: −15 reduction (cap −30). See thresholds below.
Upgrade risk | 10% | Proxy upgradeability, beacon patterns, delegatecall
Utilization | 10% | Market utilization rate — nonlinear; ≥95% functionally locks users out (live for Morpho)
Strategy | 5% | External strategies, leverage complexity, nesting
Depeg | 5% | Active share price loss signal; hard state floors supplement
Asset quality | 5% | Collateral classification — USR collapse was an asset-layer failure
Looping | 4% | Recursive lending exposure — cascade amplifier during depeg events
Oracle | 3% | Oracle type quality, TWAP vs spot, price deviation
Maturity | 3% | Vault age < 6 months
Webacy code risk | 2% | Reentrancy, unchecked calls, malicious external calls
Audit recency | 3% | Time since last security audit — 4 tiers: Fresh (<6mo) → 5, Moderate (6-18mo) → 10-30, Aging (18-36mo) → 30-60, Stale (>3yr) → 70. Reputable firm bonus: −10 (≥1 firm), −20 (≥3 firms).
Size | 2% | Low TVL = fragility and lower liquidity buffer
TVL outflow | 2% | Capital flight signal from negative TVL trend
Additive penalties & hard state floors — certain conditions add a flat penalty on top of the weighted score and/or enforce a minimum score floor regardless of the weighted sum:
  • Blacklisted protocol → score ≥ 85
  • Active depeg (share price < $0.97) → score ≥ 70
  • Exchange rate spike (donation attack pattern) → score ≥ 70
  • Exchange rate crash (exploit in progress) → score ≥ 65
  • Yield trap (illiquid + reward-dependent APY >70%) → +15 penalty, floor ≥ 65
  • ERC-4626 donation risk (vault used as lending oracle) → +15 penalty
  • Shared collateral exposure (contagion from flagged collateral) → +10 penalty
  • Concentrated borrower + high utilization (exit depends on one whale) → +10 penalty
  • Redemption closed (curator-intentional only) → +25 penalty, floor ≥ 75. Utilization-driven maxRedeem=0 is excluded.
  • Unverified contract → floor ≥ 80
  • Dormant vault (very low event count, not curator-active) → floor ≥ 75
  • Zeroed signals (inactivity, drawdown, momentum, volatility, etc.) still contribute via additive penalties when their binary condition is active.
Code sub-score thresholds (current) — the Code sub-score (10% weight) combines contract verification and audit count:
  • Unverified contract → +65 to code sub-score (MetaMorpho proxy vaults exempt if implementation is verified)
  • Zero audits confirmed → +30 to code sub-score
  • 1 audit on record → −15 reduction (net code sub-score ≈ 0 for verified vaults)
  • 2+ audits → −15 per audit, capped at −30 total reduction
  • Unaudited upgrade → additional +20 additive penalty when contract upgraded in last 30d AND zero audits
Audit recency scoring (live): when last audit date is available, graduated recency scoring applies:
  • Fresh (< 6 months old) → code sub-score ≈ 5 — recently reviewed, low code risk
  • Moderate (6–18 months) → 10–30 — still relevant but aging
  • Aging (18–36 months) → 30–60 — elevated; new attack surface may be unreviewed
  • Stale (> 3 years) → 70 — equivalent to no_audits for practical purposes
  • Audits by reputable firms (Trail of Bits, OpenZeppelin, Spearbit, Pashov, etc.) within last 12 months apply up to −20 reduction
  • Recent upgrade + stale audit (last audit > 6 months old) → additional +15 penalty for unreviewed upgrade code
Architecture-specific scoring rules — certain vault architectures require adjusted signal interpretation:
  • MetaMorpho vaults — vault-level utilization = deployment rate (assets allocated to Morpho markets), NOT exit liquidity risk. When morpho_liquidity = 0 (markets are liquid), both utilization and utilisation_risk sub-scores are zeroed to avoid double-penalizing deployment rate as a withdrawal risk.
  • Perp/DEX trading vaults — share price reflects P&L, not stablecoin peg. The depeg sub-score is suppressed for vaults tagged perp_dex_trading_vault; a share price below $0.99 is expected behavior, not a depeg signal.
  • Curator-active vaults — inactivity/dormant flags are suppressed for vaults with confirmed recent curator activity (rebalancing, allocation changes). Event count alone undercounts activity for programmatic allocators.
  • EulerEarn and Pendle vaults — Same utilisation zero-out as MetaMorpho: vault-level utilization represents deployment rate to underlying markets, not exit liquidity risk. When morpho_liquidity = 0, both utilization and utilisation_risk sub-scores are zeroed. Detected via ts_feature_tags (euler_earn_like, pendle_*).
  • Pendle PT vaults — Principal Token share prices trade at a natural discount before maturity (converging to par). A pre-maturity discount under 30% is structural, not a depeg signal. The depeg sub-score is only triggered if share price falls below $0.70 (anomalous). Pendle maturity deposit closure scores as capacity-constrained (10 points) not curator-intentional (40 points).
  • Strategy/keeper vaults (Yearn V2/V3, Harvest, etc.) — Low Trading Strategy event_count reflects user-facing deposit/withdraw events, not keeper harvest() calls. Inactivity and dormant flags are suppressed for vaults with architecture = "strategy" to avoid false positives from programmatic allocators. Harvest inactivity is scored separately via days_since_harvest using graduated tiers: < 30 days → no penalty; 30–60 days → +10 penalty, harvest_slow flag; 60–90 days → +25 penalty, harvest_stale flag; ≥ 90 days → full inactivity penalty, harvest_dormant flag. When days_since_harvest is null (data unavailable), the harvest penalty is suppressed entirely.

Risk Tiers

Low
Score < 25
Structurally sound. Minor risks only.
Medium
25 ≤ Score < 50
Moderate risk. Monitor key signals.
High
50 ≤ Score < 75
Elevated risk. Review before listing.
Critical
Score ≥ 75
Critical structural issue. Do not list.

Letter Grades

Each vault receives a letter grade (A–F) derived from its composite risk score. Grades are the inverse of risk — A is safest, F is most dangerous. The expected capital-at-risk ranges are calibrated against historical DeFi exploit loss data.

A
Score 0–19
< 5% est. capital-at-risk
Suitable for risk-sensitive allocations.
B
Score 20–39
5–20% est. capital-at-risk
Suitable for moderate-risk allocations. Monitor key flags.
C
Score 40–59
20–40% est. capital-at-risk
Elevated risk. Consider smaller position and active monitoring.
D
Score 60–74
40–65% est. capital-at-risk
High risk. Avoid for risk-sensitive depositors.
F
Score 75–100
> 65% est. capital-at-risk
Critical structural issue. Do not list / exit recommended.

Letter grades align with risk tiers: A maps to Low, B spans Low/Medium, C spans Medium/High, D maps to High, and F maps to Critical. The vault_grade field is available on all vault records alongside the numeric vault_score (0–100).
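The scoring steps described above (additive penalties, hard floors, tier, letter grade and listing verdict), as an added Python example that is not Webacy's code. It assumes penalties are applied before floors and the result is rounded to an integer, uses an assumed key "blacklisted_protocol" for the Blacklisted-label floor, and takes a high_utilization boolean for the concentrated-borrower rule; the page states none of these details.

```python
# Added example (not Webacy's code): final score, tier, grade and verdict
# from a weighted sub-score sum plus active risk flags, per this page.

# Flat penalties added on top of the weighted score, keyed by risk flag.
ADDITIVE_PENALTIES = {
    "yield_trap": 15,
    "erc4626_donation_risk": 15,
    "shared_collateral_exposure": 10,
    "redemption_closed": 25,  # curator-intentional closure only
}

# Minimum score enforced regardless of the weighted sum.
# "blacklisted_protocol" is an assumed key: the page names the condition
# (Blacklisted protocol label) but not a flag for it.
HARD_FLOORS = {
    "blacklisted_protocol": 85,
    "depeg": 70,  # share price < $0.97
    "exchange_rate_spike": 70,
    "exchange_rate_crash": 65,
    "yield_trap": 65,
    "redemption_closed": 75,
    "unverified": 80,
    "dormant": 75,
}

# Flags that force a "Do not list" verdict whatever the score.
BLOCKING_FLAGS = {"redemption_closed", "dormant", "unverified"}


def final_score(weighted, flags, high_utilization=False):
    """Penalties first, then the highest applicable floor, then clamp to 0-100.
    Assumption: this order and integer rounding; the page states neither."""
    score = weighted + sum(ADDITIVE_PENALTIES.get(f, 0) for f in flags)
    if "concentrated_borrower" in flags and high_utilization:
        score += 10  # exit depends on a single whale repaying
    floors = [HARD_FLOORS[f] for f in flags if f in HARD_FLOORS]
    if floors:
        score = max(score, max(floors))
    return int(round(min(max(score, 0), 100)))


def risk_tier(score):
    if score < 25:
        return "low"
    if score < 50:
        return "medium"
    if score < 75:
        return "high"
    return "critical"


def letter_grade(score):
    for ceiling, grade in ((19, "A"), (39, "B"), (59, "C"), (74, "D")):
        if score <= ceiling:
            return grade
    return "F"


def listing_verdict(score, flags):
    if flags & BLOCKING_FLAGS or score >= 75:
        return "Do not list"
    if score < 30:
        return "Safe to list"
    if score < 55:
        return "Caution"
    return "Review required"


def assess(weighted, flags, high_utilization=False):
    score = final_score(weighted, flags, high_utilization)
    return {"vault_score": score, "tier": risk_tier(score),
            "vault_grade": letter_grade(score),
            "listing_verdict": listing_verdict(score, flags)}


if __name__ == "__main__":
    # Constructed case: weighted 40 + yield_trap penalty = 55, floor lifts to 65.
    print(assess(40.0, {"yield_trap"}))
```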

Monitoring Status

Each vault is assigned a monitoring_status derived from TVL and trend data. Legacy and deprecated vaults are hidden by default in the dashboard (toggle with 'Show legacy (N)').

Status | Condition | What it means
active | TVL ≥ $500K and no severe trend decline | Fully monitored and shown by default
watch | TVL $100K–$500K OR TVL dropped >50% in 90d | At-risk; shown by default but flagged
legacy | TVL < $100K | Effectively dead capital; hidden by default
deprecated | Protocol officially shut down | Hidden by default

Actionability Class

Every vault output includes an actionability_class that identifies the dominant risk driver and returns a targeted one-line action recommendation. The class with the highest weighted average sub-score wins.

Class | Key sub-scores | Example action
smart_contract | Protocol risk (40%), Code (20%), Audit recency (10%), Oracle (10%), Asset (10%), Webacy code (10%) | "Reduce position: elevated code or protocol risk warrants caution."
liquidity_lock | Closed liquidity (50%), Utilization (30%), Utilisation risk (10%), Exit liquidity (10%) | "Exit now: liquidity is critically constrained."
governance | Centralization (40%), Upgrade (30%), Strategy (15%), Governance behavior (15%) | "Reduce position: centralization or upgrade risk is elevated."
market_conditions | Depeg (35%), Looping (25%), TVL outflow (20%), Size (10%), Maturity (10%) | "Reduce exposure: market or collateral conditions are deteriorating."
Action verb (monitor / review / plan / watch / reduce / exit) is selected by combining class × tier. The actionability_class, actionability_action, actionability_detail, and actionability_class_scores fields are all available in the API output.

Risk Flags

Flags highlight specific structural issues. Blocking flags force a Do not list verdict regardless of score.

unverified
Blocking — Contract not verified on a block explorer
redemption_closed
Blocking — Redemptions currently closed by curator intent — contract-level lock preventing user exits. Utilization-driven maxRedeem=0 is handled separately and does not trigger this flag.
dormant
Blocking — Very low on-chain event count — vault appears inactive. Suppressed for vaults with confirmed recent curator activity (rebalancing, allocation changes).
depeg
Share price < $0.97 (≥ 3% below peg)
yield_trap
Illiquid/locked withdrawal state + reward-dependent APY > 70% — users trapped while yield may collapse (Resolv USR pattern)
emergency_deposit_cap
Deposits closed under high utilization (≥85%) + recent upgrade — curator emergency intervention, not normal capacity-full state
shared_collateral_exposure
A collateral token used by this vault is also flagged in other vaults — cross-vault contagion risk from a single compromised asset
exchange_rate_spike
Share price rose > 2% since last checkpoint — possible donation attack (Venus wUSDM pattern: +65% spike → $902K bad debt)
exchange_rate_crash
Share price dropped > 1% since last checkpoint — possible exploit in progress or collateral collapse
erc4626_donation_risk
ERC-4626 vault is used as collateral in a lending market — convertToAssets() is a live price oracle, donation-attackable
thin_collateral_market
Collateral token trades < $5M/day (Moralis DEX volume) — spot price is oracle-manipulable (Morpho/Elixir incident pattern)
high_looping
Looping > 80% of TVL — recursive lending amplifies liquidation risk during depeg events
looping_lock_risk
High looping + high utilization — borrowers stuck in leveraged loop with no exit (Kamino-style trap)
oracle_gap_risk
Oracle price diverges ≥ 2% from market price — stale or misconfigured oracle
collateral_depeg_risk
Collateral asset market price is depegging — direct bad debt risk for lending vaults
no_audits
No audit records found via DeFiLlama or manual curation
eoa_owner
Owner is an EOA, not a multisig or timelock
pause_capable
Contract has a pause function
upgradeable
Proxy or upgradeable contract
unaudited_upgrade
Contract upgraded in last 30 days with zero audits on record
recent_upgrade
Contract was upgraded in the last 30 days
repeated_pausing
2+ pause events in the last 90 days — operational stress signal
ownership_transfer
Ownership transferred in the last 90 days — new unproven key holder
concentrated_borrower
Top borrower holds ≥ 35% of borrow shares — exit depends on a single whale repaying
concentrated_depositor
Top depositor holds ≥ 50% of vault shares — single exit would spike utilization
bad_debt_exposure
Bad debt sub-score ≥ 50 — market has accrued or is at risk of unrecoverable debt
liquidation_proximity_risk
Liquidation buffer < 10% — borrowers close to liquidation threshold
low_exit_liquidity
< 10% of TVL is currently withdrawable — exit trap risk
high_market_concentration
Single market holds > 80% of vault allocation — concentration risk
morpho_low_liquidity
Available Morpho liquidity is < 1% of TVL — users cannot exit
reward_dependent_yield
> 70% of APY from reward emissions — yield collapses when emissions end
negative_return
Negative lifetime return or CAGR
lockup_7d
Lockup period > 7 days
withdrawal_delay
Withdrawal delay or timelock is active
deposit_closed
Deposits currently closed by curator intent — admin-level lock preventing new deposits
deposit_cap_reached
Vault at TVL cap — maxDeposit() returns 0 due to capacity limits, not curator lock. Normal operational state for popular vaults.
low_tvl
TVL < $500K
new_vault
Vault is < 6 months old
inactive
Low on-chain event count
harvest_slow
Strategy/keeper vault: 30–60 days since last harvest() call — keeper activity slowing
harvest_stale
Strategy/keeper vault: 60–90 days since last harvest() call — yield accumulation likely stalled
harvest_dormant
Strategy/keeper vault: ≥ 90 days since last harvest() call — vault is functionally dormant; full inactivity penalty applied
collateral_frozen_alert
One or more collateral assets accepted by this Aave vault have been FROZEN on-chain — new deposits against the frozen asset are blocked, existing positions are at exit risk if the freeze persists (detected via Aave V3 live reserve state)
subvault
Vault-of-vaults — indirect exposure to underlying vaults
large_redemption_alert
Single wallet redeemed > $500K or > 1% of TVL in the last 24h — concentrated exit signal

Exchange Rate Velocity

ERC-4626 vaults accumulate yield slowly — a 15% APY vault moves ~0.04% per day. A sudden large movement in the exchange rate is a direct indicator of an attack in progress or structural failure.

Signal | Threshold | Scoring Impact | Pattern
exchange_rate_spike | > +2% since last checkpoint | Hard floor at 70 (critical boundary) | Donation attack — assets transferred directly into vault inflate convertToAssets() without minting shares. Venus wUSDM: 65% jump → $902K bad debt (Feb 2024).
exchange_rate_crash | > −1% since last checkpoint | Hard floor at 65 (high tier) | Exploit in progress, collateral collapse, or bad-debt crystallisation. Yield vaults should never go down for stablecoins.

Previous price is persisted across pipeline runs. No external API required — uses the share price already fetched by the Trading Strategy enrichment.
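The velocity check described above, as an added Python example that is not Webacy's code: it compares the current share price with the checkpoint from the previous run, skips quotes the page treats as bad data (zero or above $500), and shows why normal yield drift never crosses the thresholds. The CheckpointStore dict and the "chain:address" key are assumptions standing in for the pipeline's persisted previous price.

```python
# Added example (not Webacy's code): exchange-rate velocity signal for an
# ERC-4626 vault, compared against the checkpoint from the previous run.

SPIKE_PCT = 2.0   # > +2% since last checkpoint -> exchange_rate_spike
CRASH_PCT = -1.0  # < -1% since last checkpoint -> exchange_rate_crash


def is_usable_price(price):
    """Bad-data rule from the price indicator note: zero or > $500 is not a quote."""
    return price is not None and 0 < price <= 500


def expected_daily_drift_pct(apy_pct):
    """Daily share-price drift implied by a compounding APY, in percent.
    A 15% APY vault moves about 0.04% per day, far inside both thresholds."""
    return ((1 + apy_pct / 100) ** (1 / 365) - 1) * 100


def velocity_signal(prev_price, cur_price):
    """Return (pct_change, flag); flag is None, 'exchange_rate_spike' or
    'exchange_rate_crash'. Two usable prices are required for any signal."""
    if not (is_usable_price(prev_price) and is_usable_price(cur_price)):
        return None, None
    pct = (cur_price / prev_price - 1) * 100
    if pct > SPIKE_PCT:
        return pct, "exchange_rate_spike"
    if pct < CRASH_PCT:
        return pct, "exchange_rate_crash"
    return pct, None


class CheckpointStore:
    """Stand-in for the persisted previous price (assumption: an in-memory
    dict keyed by 'chain:address'; the real storage is not described here)."""

    def __init__(self):
        self._prev = {}

    def observe(self, vault_id, price):
        """Compare against the last checkpoint, then persist the new price.
        A bad quote produces no signal and leaves the checkpoint untouched."""
        pct, flag = velocity_signal(self._prev.get(vault_id), price)
        if is_usable_price(price):
            self._prev[vault_id] = price
        return pct, flag


def replay(vault_id, prices):
    """Feed a sequence of observations through a fresh store; return the flags."""
    store = CheckpointStore()
    return [store.observe(vault_id, p)[1] for p in prices]


if __name__ == "__main__":
    # Constructed replay of the wUSDM rate move cited above: 1.0694 -> 1.764.
    print(replay("eth:wUSDM", [1.0694, 1.764]))   # [None, 'exchange_rate_spike']
    print(round(expected_daily_drift_pct(15), 4))  # ~0.0383
```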

ERC-4626 Donation Attack Risk

When an ERC-4626 vault is used as collateral in a lending protocol and that protocol prices it via convertToAssets(), the vault becomes vulnerable to a donation attack: an attacker transfers assets directly into the vault contract (without calling deposit()), inflating the exchange rate without minting new shares. The lending protocol's oracle reads the inflated rate and allows overborrowing against the manipulated collateral.

Venus wUSDM (Feb 27, 2024): Attacker donated USDM directly into the wUSDM contract, inflating the exchange rate from 1.0694 → 1.764. Venus used convertToAssets() as its price oracle with no TWAP or manipulation protection. ~$902K bad debt generated from a $350 initial deposit.
Detection
Vault is ERC-4626 AND its address appears as collateralAsset in ≥ 1 active Morpho market. Queried via Morpho Blue GraphQL at scoring time.
Scoring Impact
When erc4626_donation_risk is true: +15 additive penalty plus the erc4626_donation_risk flag. This is a latent (pre-exploit) structural risk; pair it with exchange rate velocity for real-time detection.

Large Redemption Alerts

Every 6 hours, Webacy scans 24 hours of on-chain Withdraw events across 600+ vaults (TVL ≥ $500K) to detect concentrated exits before they appear in price data. A vault is flagged when a single wallet redeems more than $500K or more than 1% of vault TVL within the lookback window.

At a glance: 600+ vaults scanned; 6 chains covered; every 6h cadence; $500K or 1% TVL threshold.

Chain | Lookback window | Data source
Ethereum | 24h | Alchemy (primary) → Etherscan V2 (fallback)
Arbitrum | 2h (high-frequency chain) | Etherscan V2 → Moralis (fallback)
Base | 24h | Etherscan V2 → Moralis (fallback)
Optimism | 24h | Etherscan V2 → Moralis (fallback)
Polygon | 24h | Etherscan V2 → Moralis (fallback)
BSC | 6h | Etherscan V2 → Moralis (fallback)
Flagged vaults receive a large_redemption_alert risk flag and expose four fields: large_redemption_count_24h, large_redemption_usd_24h, large_redemption_max_pct_tvl, and large_redemption_wallets. Each alert run is archived to S3 at vaults/redemption-alerts/{date}/{timestamp}.json.
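The detection described in this section, as an added Python example that is not Webacy's code: it aggregates ERC-4626 Withdraw events per wallet inside the chain's lookback window and emits the four alert fields. The event tuple shape and the choice to sum a wallet's withdrawals before comparing against the thresholds are assumptions; the sample events are constructed.

```python
# Added example (not Webacy's code): flag concentrated exits from Withdraw
# events using the $500K / 1%-of-TVL thresholds and per-chain lookback windows.
from collections import defaultdict

USD_THRESHOLD = 500_000   # single wallet redeems > $500K ...
PCT_TVL_THRESHOLD = 1.0   # ... or > 1% of vault TVL within the window

# Lookback window in hours per chain, from the table above.
LOOKBACK_HOURS = {"ethereum": 24, "arbitrum": 2, "base": 24,
                  "optimism": 24, "polygon": 24, "bsc": 6}


def large_redemptions(chain, tvl_usd, events, now_ts):
    """events: iterable of (unix_ts, owner_address, assets_usd) Withdraw records
    (assumed shape). Returns the alert fields documented above, or None when no
    wallet crosses a threshold. Assumption: a wallet's withdrawals inside the
    window are summed first, so an exit split across several calls is caught."""
    window_start = now_ts - LOOKBACK_HOURS[chain] * 3600
    per_wallet = defaultdict(float)
    for ts, owner, usd in events:
        if window_start <= ts <= now_ts:
            per_wallet[owner.lower()] += usd  # normalise address case

    def pct_of_tvl(usd):
        return usd / tvl_usd * 100 if tvl_usd > 0 else 0.0

    flagged = {w: usd for w, usd in per_wallet.items()
               if usd > USD_THRESHOLD or pct_of_tvl(usd) > PCT_TVL_THRESHOLD}
    if not flagged:
        return None
    # Field names keep the page's "_24h" suffix even where the window is shorter.
    return {
        "large_redemption_alert": True,
        "large_redemption_count_24h": len(flagged),
        "large_redemption_usd_24h": sum(flagged.values()),
        "large_redemption_max_pct_tvl": pct_of_tvl(max(flagged.values())),
        "large_redemption_wallets": sorted(flagged),
    }


# Constructed sample: five Withdraw records against a $40M vault on Ethereum.
NOW = 1_700_000_000
SAMPLE_EVENTS = [
    (NOW - 3_600, "0xAAAA", 300_000.0),     # same wallet as the next record ...
    (NOW - 7_200, "0xaaaa", 250_000.0),     # ... $550K combined -> over $500K
    (NOW - 1_800, "0xBBBB", 420_000.0),     # 1.05% of TVL -> over 1%
    (NOW - 90_000, "0xCCCC", 2_000_000.0),  # 25h ago -> outside the 24h window
    (NOW - 600, "0xDDDD", 100_000.0),       # 0.25% of TVL -> below both limits
]

if __name__ == "__main__":
    print(large_redemptions("ethereum", 40_000_000.0, SAMPLE_EVENTS, NOW))
```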


Data Sources

Source | What we use | Cadence
Trading Strategy API | TVL, risk tier, lifetime return, share price, max drawdown, volatility, looping %, flags | Every 6h
DeFiLlama coins API | Live vault token prices (share price) | ~5 min — live overlay
DeFiLlama protocols API | Audit records for protocol-level coverage | Every 6h
Morpho Blue GraphQL | Live utilization rate, available liquidity, net APY, curator, timelock, collateral addresses | ~5 min — live overlay
Aave V3 GraphQL API | Live reserve composition across all 8 supported chains — active collateral, frozen reserves, paused markets. Primary collateral source for Aave wrapper vaults; fallback to DeFiLlama if unavailable | Every 6h (pipeline)
Moralis analytics API | 24h DEX buy+sell volume per collateral token (primary source for thin_collateral_market detection) | Every 6h
Etherscan V2 (unified) | Bytecode, source code, proxy detection, upgradeability, events; Withdraw event scanning for large redemption alerts | Per-vault + every 6h (redemptions)
Webacy API | Contract vulnerability findings, deployer risk, code analysis | Per-vault (pipeline)

Risk Summary (Natural Language)

Every vault includes a risk_summary field — a one-sentence plain-English explanation of why the vault scored the way it did. Generated deterministically from the top weighted sub-score contributors and highest-priority active flags. No LLM required.

Example
"Score 74 (HIGH). Primary drivers: restricted withdrawals, centralized governance, unverified/unaudited code. Active signals: yield trap, thin collateral market."

Available as risk_summary on every vault record. Useful for surfacing in alerts, reports, and API consumers without additional processing.

Output Fields Reference

Additional fields returned on every vault record. These fields feed into the scoring pipeline and are exposed in the API response for consumers that need to inspect data freshness, vault architecture, or audit provenance directly.

data_as_of (ISO 8601 timestamp)
When this vault was last scored and enriched by the pipeline. Used in the UI as a staleness indicator — an amber ⚠ badge appears when the timestamp is more than 48 hours old. Useful for API consumers to detect stale records before acting on them.

ts_feature_tags (string[])
Trading Strategy feature tags for the vault architecture (e.g. euler_earn_like, pendle_pt, yearn_v3_like). Used internally to apply architecture-specific scoring rules — for example, utilization zero-out for EulerEarn and Pendle vaults, and depeg suppression for Pendle PT vaults. See Architecture-specific scoring rules above for how each tag affects scoring.

last_audit_date (ISO date string)
Date of the most recent security audit on record (sourced via DeFiLlama protocols API and manual curation). Drives the graduated audit recency sub-score: Fresh (<6 months) → 5, Moderate (6–18 months) → 10–30, Aging (18–36 months) → 30–60, Stale (>3 years) → 70. null when no audit date is available.

audit_firms (string[])
Names of the audit firms that have reviewed this protocol (e.g. Trail of Bits, OpenZeppelin, Spearbit, Pashov). Reputable firms with audits within the last 12 months apply up to a −20 reduction to the audit recency sub-score. An empty array means no audit firms are on record — equivalent to no_audits for scoring purposes.

auditor_tier ("top" | "mid" | "low" | null)
Quality tier of the auditors on record for this protocol. top — elite security firms (Trail of Bits, OpenZeppelin, Spearbit, Certora, ChainSecurity). mid — established firms (Halborn, PeckShield, Hacken, Quantstamp). low — entry-level or less established firms. null when no auditor data is available. Shown as a badge in the Security Indicators panel on vault detail pages.

days_since_harvest (integer, nullable)
Days since the vault's last harvest() keeper call. Populated from last_harvest_at in Trading Strategy data. Used to apply graduated harvest inactivity penalties for strategy/keeper vaults (Yearn V2/V3, Harvest, etc.): < 30 days → no penalty; 30–60 days → +10, harvest_slow; 60–90 days → +25, harvest_stale; ≥ 90 days → full inactivity penalty, harvest_dormant. null when unavailable — harvest penalty is suppressed when data is absent.