Vaults Documentation
Overview of the vault rating system, risk ratings, and data pipeline.
Overview
The Vaults tab rates ERC-4626 and strategy vaults by structural risk. Each vault receives a composite rating (0–100), a tier (low/medium/high/critical), and risk flags. Data flows from the stablecoin-research-systems pipeline to S3; the dashboard reads verified_vaults.json.
Vaults are verified by a structural classifier that analyzes contract bytecode and behavior. Only vaults with confidence ≥ 90% and a known contract type (erc4626, strategy, lending, bridge) appear in the list.
Customer-Requested Features
The following features were built in response to customer feedback on vault risk visibility.
- Unlock period — Lockup (days) and withdrawal delay (hours) are displayed on the vault table and detail page. Sourced from Trading Strategy API. Helps users assess liquidity and exit timing.
- Underlying position risk — Vault composition shows underlying assets with share % and depeg score (when the underlying is in the depeg monitor). Enables users to see which underlying stablecoins drive risk.
- Risk notification —
GET /api/vaults/alertsreturns vaults needing attention for webhook/notification integration. Use?format=webhookfor a compact payload suitable for Slack/Discord.
Risk Sub-Ratings
Each sub-rating is 0–100 (higher = riskier). The composite rating is a weighted sum of all sub-ratings.
| Sub-Rating | Weight | Description |
|---|---|---|
| Protocol | 15% | Trading Strategy risk (Blacklisted/Severe/Dangerous/etc.) |
| Depeg | 15% | last_share_price < 1.0 for stablecoin vaults |
| Closed liquidity | 8% | Deposits or redemptions closed |
| Centralization | 10% | EOA owner, pause powers |
| Upgrade | 8% | Proxy, upgradeability, beacon |
| Liquidity | 6% | Lockup, withdrawal delay, caps |
| Code | 7% | Delegatecall, external calls |
| Webacy code | 7% | Reentrancy, unchecked calls, etc. |
| Strategy | 7% | External strategies, leverage |
| Return loss | 3% | Negative lifetime_return or CAGR |
| Asset | 4% | Non-stablecoin underlying |
| Size | 4% | Low TVL = fragility |
| Maturity | 3% | New vault = higher risk |
| Volatility | 1% | From three_months_volatility |
| Drawdown | 2% | max_drawdown from period_results |
| TVL outflow | 2% | Negative tvl_trend_pct |
| Inactivity | 2% | Low event_count (dormant/inactive) |
| Subvault | 1% | Subvault in flags = indirect exposure |
| Webacy contract / deployer | 4% / 2% | Contract and deployer risk from Webacy |
Depeg Risk
For stablecoin vaults, last_share_price from Trading Strategy indicates whether shares trade below par. If < 1.0, the vault is flagged for depeg risk.
- Rating 80 — last_share_price < 0.99 (1%+ depeg)
- Rating 50 — 0.99 ≤ last_share_price < 1.0
- Rating 0 — last_share_price ≥ 1.0
Hard Overrides
Certain conditions force a minimum composite rating regardless of other factors:
- Blacklisted → composite rating ≥ 85
- Share price < 0.97 → composite ≥ 70
- Redemptions closed + TVL outflow ≥ 30 → composite + 15
Tier System
Risk Flags
Flags are derived from features and rating details. They appear on the vault detail page and in the table.
unverifiedContract not verified on block explorerno_auditsNo audits founddepegShare price < 1.0negative_returnNegative lifetime return or CAGReoa_ownerOwner is EOA (not multisig)pause_capablePause function presentupgradeableProxy or upgradeablelockup_7dLockup > 7 dayswithdrawal_delayWithdrawal delay presentlow_tvlTVL < $500Knew_vaultAge < 6 monthsdeposit_closedDeposits closedredemption_closedRedemptions closeddormantVery low event countinactiveLow event countsubvaultSubvault in Trading Strategy flagsNeeding Attention
A vault "needs attention" if it matches any of: unverified, no_audits, high or critical tier, or is on the depeg monitor with watch, warning, or critical status. Use the "Needing Attention" filter on the Vaults page to focus on these.
Data Sources
- Trading Strategy API — Top vaults by TVL, risk tier, lifetime_return, last_share_price, max_drawdown, volatility, flags
- Etherscan / Basescan v2 — Bytecode, source code, proxy detection, upgradeability
- Webacy API — Code analysis, contract risk, deployer risk, vulnerability findings (reentrancy, delegatecall, access control, etc.)
Webacy Code Analysis
Webacy scans vault contracts for vulnerabilities. Critical findings (reentrancy, unchecked calls, malicious external call, etc.) contribute 60–100 to the webacy_code_risk sub-rating. Other findings add 20–40. Findings are shown on the vault detail page with risk level and description.