| 1 | | A- | A- | L1 | $62.0B | Regulatory risk — potential for future unfavorable classification by major regulators | → 0 |
| 2 | | B- | B+ | Lending | $24.3B | CAPO (Chainlink Adaptive Price Oracle) layer misfired March 10, 2026, causing $27M in wrongful liquidations across 34 accounts; snapshot-ratio/timestamp desynchronization in Aave's custom adaptive oracle layer proved a real failure mode beyond standard Chainlink feeds, with DAO reimbursing ~345 ETH from treasury. | ▲ 3 |
| 3 | | B | B | Liquid Staking | $19.1B | 28%+ of all staked ETH controlled by one protocol creates Ethereum-level systemic centralization risk | → 0 |
| 4 | | B- | D+ | Restaking | $15.3B | EigenLayer introduced restaking as a novel mechanism category where staked ETH simultaneously secures multiple Actively Validated Services (AVSs), creating correlated slashing risk — an operator slashed on one AVS could trigger cascading unstaking across other AVSs they secure, though the April 2025 slashing upgrade introduced unique allocated stake per AVS to contain blast radius. | → 0 |
| 5 | | B | C+ | Liquid Staking | $15.1B | DVT splits validator keys across 4+ operators via Shamir Secret Sharing — a compromised threshold (3-of-4) of operators could forge attestations or double-sign, risking slashing of the 5M+ ETH secured by SSV. | → 0 |
| 6 | | C+ | C+ | Restaking | $9.0B | Protocol generates $0 in organic revenue — the $78.9M in annualized 'fees' are EIGEN token emissions, not payments from AVSs for security | → 0 |
| 7 | | B- | B- | L1 | $8.0B | Network reliability — history of extended outages requiring validator coordination to restart | → 0 |
| 8 | | C | C+ | DeFi | $8.0B | Pull-based oracle model requires the on-chain transaction to include price data — callers can pass malformed or stale data | — |
| 9 | | C+ | D- | Liquid Staking | $7.7B | Centralized custody: all staked ETH is managed by Binance validators, creating a single-entity dependency for ~$7.7B in assets | → 0 |
| 10 | | B- | A- | CDP | $7.1B | USDS freeze function introduces censorship risk that undermines decentralization, splitting the community between DAI purists and USDS adopters | → 0 |
| 11 | | B- | C | Lending | $6.4B | P2P matching engine adds complexity: if matching fails, fallback to pool rates may surprise users | → 0 |
| 12 | | C- | B | Stablecoin | $5.9B | Reserve fund ($62M) covers 0.96% of $6.5B USDe supply — depletes in 33 days under the protocol's own V1 stress test at -10% annualized funding | ▼ 1 |
| 13 | | B | B | CDP | $5.5B | Oracle-dependent liquidation system: Maker relies on a custom oracle module (Medianizer/OSM with 1-hour delay) feeding ETH and other collateral prices. During Black Thursday (March 2020), oracle lag combined with network congestion led to $8.3M in zero-bid liquidation auctions. The system has since been rebuilt with Liquidations 2.0 (Dutch auction format) and Chainlink integration, substantially mitigating but not eliminating oracle-related liquidation risk. | → 0 |
| 14 | | C- | B- | Restaking | $5.4B | EigenLayer restaking with socialized slashing: all eETH holders share proportional losses if an AVS is slashed. EigenLayer's live slashing system (since April 2025) makes this an active risk — a major AVS incident could reduce eETH's value for all holders simultaneously. | ▲ 13 |
| 15 | | C+ | C+ | L1 | $5.0B | Centralization — only 21 active validators, all effectively controlled by Binance ecosystem | → 0 |
| 16 | | C- | B- | Derivatives | $4.8B | Custom L1 with limited validator set creates centralization and censorship risk | → 0 |
| 17 | | B | C+ | L1 | $4.1B | Tron's governance is concentrated in 27 Super Representatives, with significant influence from Justin Sun and affiliated entities. The SR voting system allows large TRX holders to dominate block production and protocol decisions, including the August 2025 vote to slash network fees by 60%. Despite the SEC settlement, this concentration remains structural. | ▼ 3 |
| 18 | | B- | C+ | L2 | $4.1B | Coinbase is sole sequencer with no permissionless fallback, creating a corporate single point of failure for $4.1B in TVL — though Stage 1 decentralization (Jan 2026) now allows users to exit without sequencer cooperation. | → 0 |
| 19 | | C+ | D | Lending | $3.2B | Heavy governance centralization under Justin Sun and TRON Foundation with no documented multisig; single-entity risk to $5B+ TVL | ▼ 2 |
| 20 | | C+ | B+ | RWA | $3.2B | Tether corporate contagion risk: despite separate legal structure, XAUt's association with Tether (USDT issuer) creates reputational and regulatory risk if parent company faces enforcement actions or banking failures | → 0 |
| 21 | | C+ | B- | Liquid Staking | $2.9B | Validator sandwich attacks extracted 30K-60K SOL/month despite bans — MEV redistribution incentivizes exploitation | → 0 |
| 22 | | C+ | C | RWA | $2.5B | Multi-chain bridge risk: BUIDL deploys across Ethereum, Solana, Polygon, BNB Chain, and Avalanche via Wormhole; a bridge exploit could mint unbacked tokens or freeze legitimate holders' assets across chains | → 0 |
| 23 | | C | B- | Restaking | $2.5B | BLS vote extension vulnerability allows validators to bypass consensus by omitting block hash fields, undermining the security model at its core. | → 0 |
| 24 | | B- | D | RWA | $2.4B | USYC is a permissioned, KYC-gated token representing the Hashnote International Short Duration Yield Fund. Regulatory changes to tokenized securities could force redemption freezes or operational changes, with $1.7B in assets at risk. | → 0 |
| 25 | | C+ | B+ | RWA | $2.3B | USYC serves as primary backing for Usual's USD0 (~$700M), creating concentrated counterparty risk where Hashnote operational failure or Treasury depeg cascades through entire DeFi stablecoin ecosystem | ▼ 1 |
| 26 | | B+ | A- | RWA | $2.3B | BUSD wind-down precedent: Paxos was forced by NYDFS to cease BUSD operations in 2023, demonstrating that even federally chartered products can be shut down by regulators — a risk class that applies to PAXG. | → 0 |
| 27 | | B- | B+ | Yield | $2.2B | 70% TVL concentration in Ethena USDe creates existential dependency on a single yield source; a USDe depeg or yield collapse would directly impact most of Pendle's deposit base | → 0 |
| 28 | | B- | B | Lending | $2.2B | Deep dependency on Sky (MakerDAO) ecosystem: protocol solvency is backstopped by Sky's $6.5B reserve, creating single-entity systemic risk | — |
| 29 | | C- | C | Lending | $2.2B | Undercollateralized lending model inherently depends on borrower creditworthiness; $36M Orthogonal Trading default in 2022 demonstrated catastrophic counterparty failure | → 0 |
| 30 | | B | C- | L2 | $2.0B | The Security Council (9-of-12 multisig) can perform emergency upgrades to all Arbitrum contracts without any timelock delay, creating a centralization risk where a compromised or coerced council could alter the rollup's behavior instantly. The DAO has published the council member identities and an election process to mitigate this. | — |
| 31 | | C+ | B+ | RWA | $2.0B | Counterparty risk on underlying custodians and fund managers — if short-term Treasury backing fails, USDY depegs | ▲ 3 |
| 32 | | B | B | DEX | $1.9B | Vyper compiler vulnerability (July 2023 exploit) eroded trust; language-level risks persist for Vyper-based contracts | → 0 |
| 33 | | C+ | C+ | Lending | $1.9B | Unified liquidity market allows risk spillover from one toxic asset to contaminate all lending positions | — |
| 34 | | C+ | D+ | L2 | $1.8B | Optimism's sequencer remains fully centralized, operated solely by OP Labs with no decentralized fallback or concrete timeline for decentralization. Multiple sequencer outages occurred in 2025 (August and November), confirming this as a live operational risk rather than a theoretical concern. During downtime, users cannot submit transactions and must wait ~12 hours to force-include via L1. | ▲ 2 |
| 35 | | B- | B- | DeFi | $1.8B | Curator misallocation risk — Steakhouse controls allocation of $1.8B across lending markets, and a single bad market selection could cascade across all vaults | → 0 |
| 36 | | C+ | C- | DeFi | $1.8B | Smart Collateral and Smart Debt create reflexive leverage loops up to 39x theoretical max | ▲ 2 |
| 37 | | B+ | B+ | DEX | $1.7B | Concentrated liquidity amplifies impermanent loss when prices move out of LP-set ranges | → 0 |
| 38 | | B- | D+ | DeFi | $1.7B | Kraken DeFi Earn concentration: Kraken's integration as the primary TVL driver means a platform withdrawal or regulatory action affecting Kraken could force rapid liquidation of $500M+ in DeFi positions at distressed prices | ▲ 3 |
| 39 | | B | B- | DEX | $1.7B | Dominant BSC DEX position creates systemic concentration risk; BSC chain-level issues directly impact ~$1.7B TVL | → 0 |
| 40 | | C+ | C+ | Stablecoin | $1.6B | Basis-trade yield strategy depends on persistent positive funding rates — prolonged negative funding can erode collateral backing | → 0 |
| 41 | | B | C- | Yield | $1.6B | Spark Savings (sDAI/sUSDS) depends entirely on the Sky (formerly Maker) DSR/SSR rate, which is governance-controlled. Rate changes (e.g., the March 2025 cut from 6.5% to 4.5%) cause rapid TVL swings as yield-seekers migrate, creating reflexive inflow/outflow dynamics. | → 0 |
| 42 | | B- | C- | Yield | $1.6B | Capital deployed across multiple chains and DeFi protocols means a failure in ANY recipient protocol cascades losses back through the entire Spark/Sky ecosystem | — |
| 43 | | C+ | C- | RWA | $1.5B | Hybrid off-chain matching with on-chain settlement via Provenance blockchain creates a dependency on the centralized matching engine. If the off-chain matching component fails or is compromised, on-chain settlement could be delayed or incorrect, though MPC custody ensures assets remain user-controlled. | — |
| 44 | | C+ | C- | Bridge | $1.5B | February 2022 exploit allowed minting 120,000 wETH ($320M) without collateral via signature verification bug; Jump Crypto backstopped losses | ▼ 1 |
| 45 | | B- | C+ | RWA | $1.4B | Real-world asset counterparty and default risk is inherently opaque on-chain; 2023 default event exposed originator vetting weaknesses | ▲ 2 |
| 46 | | B | C+ | Yield | $1.3B | Vault curator model introduces principal-agent risk — curators allocate capital across DeFi strategies on behalf of depositors | ▲ 3 |
| 47 | | B- | C | Liquid Staking | $1.3B | Distributed key generation (DKG) ceremony is a trust-critical operation — a compromised or colluding majority of cluster nodes can reconstruct the full validator key | — |
| 48 | | B- | C | L1 | $1.3B | Novel consensus — Snowball protocol is less battle-tested than traditional BFT or Nakamoto consensus | → 0 |
| 49 | | B- | B | Lending | $1.3B | 2024 governance attack extracted $24M COMP from treasury via coordinated whale voting (Proposal 247) | — |
| 50 | | B | C- | RWA | $1.2B | Spiko tokenizes money market funds backed by US and EU Treasury bills — while the underlying assets are low-risk, the tokenization layer introduces smart contract, custody, and regulatory surface area that traditional T-bill investors don't face. | — |
| 51 | | B | B- | Liquid Staking | $1.2B | 8 ETH minipool operators bear outsized slashing risk relative to their bond, with losses partially socialized to rETH holders | — |
| 52 | | B- | C+ | DeFi | $1.2B | Gauntlet's simulation-based risk models curate $2B+ in vault AUM and inform parameters for protocols with $35B+ in monitored assets — models calibrated on historical data may fail catastrophically during tail events outside observed volatility ranges | → 0 |
| 53 | | C+ | C- | L2 | $1.2B | Bitcoin tunnels currently rely on multisig vaults to secure BTC transfers between Bitcoin and Hemi — multisig-based bridge custody is a historically high-risk design, with planned upgrades to BitVM2+hVM verification not yet deployed. | ▲ 2 |
| 54 | | C | D+ | Restaking | $1.2B | Hardcoded stETH oracle enables arbitrage exploit during depeg | → 0 |
| 55 | | C | C+ | Lending | $1.2B | History of severe incidents: $200M+ XVS price manipulation cascade (2021), $100M+ bad debt from BNB bridge hack (2022), and a March 15, 2026 donation attack extracting $3.7M via supply cap manipulation (attacker accumulated 12.2M THE tokens over 9 months to bypass supply limits) | → 0 |
| 56 | | B | B | Liquid Staking | $1.1B | JitoSOL's MEV tip distribution depends on >95% of Solana validators running the Jito client, creating systemic centralization risk for the network | — |
| 57 | | B- | D+ | Liquid Staking | $1.1B | Multi-LST Infinity pool aggregates risk from all supported LSTs; a single LST depeg can poison the entire pool through arbitrage-driven toxic asset accumulation | ▲ 3 |
| 58 | | C+ | C+ | DEX | $1.1B | Admin key compromise led to $4.4M exploit in Dec 2022, exposing centralised control over pool parameters | → 0 |
| 59 | | C+ | B- | Lending | $1.1B | Rehypothecation in vaults creates cross-vault contagion risk despite initial 'zero contagion' marketing claims — Jupiter COO acknowledged in December 2025 that 'very limited' contagion risk exists | ▼ 1 |
| 60 | | C+ | C | RWA | $1.0B | Franklin Templeton (transfer agent) retains unilateral power to freeze, clawback, and restrict BENJI token transfers on all nine blockchains — tokens are not censorship-resistant | ▼ 1 |
| 61 | | B- | C | L1 | $1.0B | Bridge dependency — checkpoints to Ethereum create a trust assumption and potential attack vector; the PoS Bridge secures over $1B in locked assets with a validator multisig | ▲ 3 |
| 62 | | B- | C+ | Yield | $1.0B | Multi-strategy vaults deploy capital across Aave, Curve, Morpho, and EigenLayer simultaneously; hidden correlations between strategies mean diversification benefits evaporate during systemic DeFi stress events | — |
| 63 | | C+ | C | Liquid Staking | $1.0B | BTC custody risk: Lorenzo holds custodied Bitcoin on behalf of stakers — a custody provider failure or hack would result in permanent BTC loss for stakers | ▲ 3 |
| 64 | | B- | D | RWA | $965M | Anemoy relies on Chronicle Protocol's RWA Oracle for on-chain NAV reporting of its tokenized funds, creating a single oracle dependency for pricing accuracy across its $567M AUM. Chronicle's Proof of Asset framework provides cryptographic verification, but a sustained oracle failure could delay redemptions. | → 0 |
| 65 | | C+ | D- | Liquid Staking | $943M | Centralized custody: all staked SOL is managed by Binance validators, creating a single-entity dependency for ~$712M in assets | — |
| 66 | | B+ | B | DEX | $910M | Sandwich attacks exploit constant-product AMM with 90% of blocks vulnerable to front-running | → 0 |
| 67 | | B- | D- | Liquid Staking | $891M | dzSOL launched in January 2025, making it approximately one year old. Despite rapid growth to 13.2M SOL staked ($1.1B), the protocol has limited track record through different market conditions (no bear market test, no major stress event). Early-stage liquid staking tokens carry higher smart contract risk than established alternatives. | — |
| 68 | | B | B- | Liquid Staking | $849M | jupSOL is delegated primarily to Jupiter's own validator running the experimental Frankendancer client, creating concentration and software risk | — |
| 69 | | C | B | Derivatives | $849M | JLP holders are the counterparty to all perp traders — during trending markets, the pool can suffer significant directional losses | — |
| 70 | | B- | C | Liquid Staking | $848M | osETH overcollateralisation model means validators bear first-loss risk — slashing or poor performance directly erodes their position before osETH holders | — |
| 71 | | B- | D+ | RWA | $828M | Over 90% of reserves held in a single asset (BlackRock BUIDL), creating deep concentration risk on one tokenized treasury fund | → 0 |
| 72 | | B | C+ | DeFi | $795M | Chainlink Labs retains significant centralized control over network operations, including node operator selection and staking pool parameters, though the network has operated reliably for 7+ years under this model and a decentralization roadmap is in progress. | ▲ 5 |
| 73 | | B- | D- | RWA | $787M | Centralized mint/redeem gating via allowlist means Superstate can freeze or deny redemptions at will | — |
| 74 | | B- | D- | RWA | $769M | Fully centralized operations — WisdomTree controls all minting, redemption, and transfer allowlisting with no on-chain governance | ▲ 2 |
| 75 | | B- | C- | Liquid Staking | $769M | Kinetiq holds 82.5% market share in Hyperliquid liquid staking, creating single-point-of-failure concentration risk for the entire Hyperliquid staking ecosystem. | — |
| 76 | | C+ | D+ | Liquid Staking | $713M | LBTC's 1:1 BTC backing depends entirely on Babylon's Bitcoin staking security; any slashing event or Babylon exploit directly depegs LBTC across all 15 integrated chains | — |
| 77 | | C | D+ | Restaking | $713M | LBTC depends on Babylon's nascent BTC staking infrastructure which has no proven slashing enforcement mechanism yet | ▲ 4 |
| 78 | | C | C+ | RWA | $706M | Tokenized equities depend on off-chain broker-dealer custody — Oasis Pro Markets insolvency or regulatory action would freeze all token redemptions | — |
| 79 | | C+ | C- | DeFi | $700M | CeDeFi hybrid model depends on centralized custody (CEFFU/Binance) remaining solvent and accessible; LCTs (Liquidity Custody Tokens) become worthless if CeFi custodian fails, combining centralized custody risk with decentralized protocol exposure | → 0 |
| 80 | | B- | C | Yield | $676M | Convex controls ~50% of veCRV voting power, creating systemic Curve governance centralization risk | → 0 |
| 81 | | B- | C+ | Lending | $673M | Extreme gas optimization using inline assembly sacrifices code readability, complicating audits and obscuring potential attack paths | → 0 |
| 82 | | D | C | RWA | $658M | GPU hardware depreciates rapidly — NVIDIA GPUs lose 50%+ value within 2-3 years as new generations launch | — |
| 83 | | B- | C | Lending | $650M | Extreme TVL growth (1,000% YTD to $4.5B across Lista DAO) means the lending markets are largely untested under sustained bearish conditions | ▲ 2 |
| 84 | | B- | C- | Lending | $650M | Systemic concentration risk: Lista DAO controls nearly 50% of BNB Chain's entire staking market with 12M+ BNB staked, creating a single point of failure for the chain's security and liquidity | → 0 |
| 85 | | B- | B | DEX | $646M | Permissionless hooks execute arbitrary code on every swap, enabling novel attack vectors with 36% of analyzed hooks found potentially vulnerable | → 0 |
| 86 | | B- | C- | Liquid Staking | $621M | slisBNB commands ~50% of BNB Chain staking market share, creating unprecedented concentration risk for the chain's validator set and security model | — |
| 87 | | B- | C- | Liquid Staking | $603M | mETH is operated by Mantle, creating concentration risk around the Mantle ecosystem. If Mantle faces governance issues, regulatory action, or operational failures, mETH holders are directly exposed. | — |
| 88 | | C+ | D | Stablecoin | $600M | USDD relies on TRX as a primary reserve asset, creating correlated collateral risk — a severe TRX drawdown could impair the overcollateralization ratio below the 130% minimum despite the current 200%+ buffer. | — |
| 89 | | C+ | C+ | L1 | $573M | Sui validators demonstrated the ability to freeze $162M in stolen funds within hours during the May 2025 Cetus exploit — a recovery success, but also proof that a coordinated supermajority of validators can censor arbitrary addresses, undermining the censorship-resistance claim. | → 0 |
| 90 | | C+ | C | Liquid Staking | $568M | Institutional node operator concentration (Coinbase, Kraken, Figment, Blockdaemon, Staked) creates correlated regulatory risk; SEC enforcement against any operator could cascade to validator shutdowns and LsETH yield failure | — |
| 91 | | C | C+ | Lending | $543M | History of $197M flash loan exploit in March 2023 (funds recovered) demonstrates protocol-level vulnerability precedent | — |
| 92 | | C+ | C- | DeFi | $516M | Governance was compromised in May 2023 when an attacker used a malicious proposal with hidden SELFDESTRUCT/CREATE2 logic to grant themselves 1.2M votes, exceeding the legitimate 700K votes. The attacker later returned control, but the attack vector demonstrated that DAO proposal auditing is insufficient to prevent governance takeover. | — |
| 93 | | C+ | C+ | Yield | $500M | BTC delta-neutral strategy depends on perpetual funding rates being positive — in bear markets, negative funding drains yield and can erode principal | ▲ 3 |
| 94 | | C | C+ | Stablecoin | $500M | Trump-family political risk: protocol faces sanctions/OFAC exposure, congressional scrutiny, and regulatory retaliation risk tied to presidential term cycles | — |
| 95 | | B+ | D- | DEX | $491M | Multi-chain expansion across Polygon, Base, Somnia, and other EVM chains introduces cross-chain composability risk and increases attack surface across different security models. | — |
| 96 | | C+ | D | Restaking | $483M | Permissionless vault creation allows uncurated risk exposure to poorly configured slashing conditions | ▼ 2 |
| 97 | | C+ | C- | L2 | $473M | Kraken operates the sole sequencer, meaning regulatory action against the exchange — such as OFAC sanctions, DOJ enforcement, or operational suspension — could halt block production on Ink for up to 12 hours before users can bypass via Ethereum L1 forced inclusion. The SEC dropped its 2023 exchange-operation lawsuit against Kraken in March 2025, but Kraken remains subject to ongoing regulatory oversight as a licensed US exchange. | — |
| 98 | | C+ | D+ | Lending | $463M | Fira's $434M TVL is almost entirely concentrated in bUSD0 (Usual's bond token) — a single-asset dependency where any bUSD0 devaluation or Usual protocol failure would wipe out the vast majority of collateral value. | → 0 |
| 99 | | C | C | Yield | $463M | Automated vault strategies allocate across 7+ DeFi protocols (Aave, Morpho, Pendle, etc.), compounding smart contract risk from each underlying integration | — |
| 100 | | B- | C- | DeFi | $450M | Oracle manipulation risk via UMA resolution system enables incorrect market settlements, potentially causing $50M+ losses in a single high-volume market and destroying platform credibility | — |