| 1 | | A- | A- | L1 | $62.0B | Regulatory risk — potential for future unfavorable classification by major regulators | → 0 |
| 2 | | B- | B+ | Lending | $25.2B | CAPO (Chainlink Adaptive Price Oracle) layer misfired March 10, 2026, causing $27M in wrongful liquidations across 34 accounts; snapshot-ratio/timestamp desynchronization in Aave's custom adaptive oracle layer proved a real failure mode beyond standard Chainlink feeds, with DAO reimbursing ~345 ETH from treasury. | ▲ 3 |
| 3 | | B | B | Liquid Staking | $21.1B | 28%+ of all staked ETH controlled by one protocol creates Ethereum-level systemic centralization risk | ▲ 1 |
| 4 | | B | C+ | Liquid Staking | $17.5B | DVT splits validator keys across 4+ operators via Shamir Secret Sharing — a compromised threshold (3-of-4) of operators could forge attestations or double-sign, risking slashing of the 5M+ ETH secured by SSV. | → 0 |
| 5 | | B- | D+ | Restaking | $15.3B | EigenLayer introduced restaking as a novel mechanism category where staked ETH simultaneously secures multiple Actively Validated Services (AVSs), creating correlated slashing risk — an operator slashed on one AVS could trigger cascading unstaking across other AVSs they secure, though the April 2025 slashing upgrade introduced unique allocated stake per AVS to contain blast radius. | → 0 |
| 6 | | C+ | C+ | Restaking | $9.5B | Protocol generates $0 in organic revenue — the $78.9M in annualized 'fees' are EIGEN token emissions, not payments from AVSs for security | → 0 |
| 7 | | C+ | D- | Liquid Staking | $8.7B | Centralized custody: all staked ETH is managed by Binance validators, creating a single-entity dependency for ~$7.7B in assets | → 0 |
| 8 | | B- | B- | L1 | $8.0B | Network reliability — history of extended outages requiring validator coordination to restart | → 0 |
| 9 | | B- | C | Lending | $7.2B | P2P matching engine adds complexity: if matching fails, fallback to pool rates may surprise users | → 0 |
| 10 | | B- | B | CDP | $6.7B | Oracle-dependent liquidation system: Maker relies on a custom oracle module (Medianizer/OSM with 1-hour delay) feeding ETH and other collateral prices. During Black Thursday (March 2020), oracle lag combined with network congestion led to $8.3M in zero-bid liquidation auctions. The system has since been rebuilt with Liquidations 2.0 (Dutch auction format) and Chainlink integration, substantially mitigating but not eliminating oracle-related liquidation risk. | → 0 |
| 11 | | C- | B | Stablecoin | $6.6B | Reserve fund ($62M) covers 0.96% of $6.5B USDe supply — depletes in 33 days under the protocol's own V1 stress test at -10% annualized funding | → 0 |
| 12 | | B- | A- | CDP | $6.2B | USDS freeze function introduces censorship risk that undermines decentralization, splitting the community between DAI purists and USDS adopters | → 0 |
| 13 | | C- | B- | Restaking | $5.2B | EigenLayer restaking with socialized slashing: all eETH holders share proportional losses if an AVS is slashed. EigenLayer's live slashing system (since April 2025) makes this an active risk — a major AVS incident could reduce eETH's value for all holders simultaneously. | → 0 |
| 14 | | C+ | C+ | L1 | $5.0B | Centralization — only 21 active validators, all effectively controlled by Binance ecosystem | → 0 |
| 15 | | C- | B- | Derivatives | $4.8B | Custom L1 with limited validator set creates centralization and censorship risk | → 0 |
| 16 | | C- | C+ | Stablecoin | $4.2B | Trump-family political risk: protocol faces sanctions/OFAC exposure, congressional scrutiny, and regulatory retaliation risk tied to presidential term cycles | ▲ 5 |
| 17 | | B- | C+ | L1 | $4.1B | Rainberry Inc. (Tron-associated) reached a $10M SEC settlement on March 5, 2026 with all charges dismissed with prejudice — the primary regulatory overhang is resolved, but Justin Sun's ongoing wash-trading controversy (coordinated trading across Binance accounts) and House Democrat scrutiny introduce fresh reputational risk. | ▼ 1 |
| 18 | | C- | B- | Restaking | $3.8B | BLS vote extension vulnerability allows validators to bypass consensus by omitting block hash fields, undermining the security model at its core. | ▲ 2 |
| 19 | | C+ | D | Lending | $3.6B | Heavy governance centralization under Justin Sun and TRON Foundation with no documented multisig; single-entity risk to $5B+ TVL | → 0 |
| 20 | | C+ | A- | RWA | $3.3B | Tether corporate contagion risk: despite separate legal structure, XAUt's association with Tether (USDT issuer) creates reputational and regulatory risk if parent company faces enforcement actions or banking failures | ▼ 2 |
| 21 | | C+ | B- | Liquid Staking | $2.9B | Validator sandwich attacks extracted 30K-60K SOL/month despite bans — MEV redistribution incentivizes exploitation | → 0 |
| 22 | | C+ | C | RWA | $2.9B | Multi-chain bridge risk: BUIDL deploys across Ethereum, Solana, Polygon, BNB Chain, and Avalanche via Wormhole; a bridge exploit could mint unbacked tokens or freeze legitimate holders' assets across chains | → 0 |
| 23 | | C+ | B+ | RWA | $2.8B | Counterparty risk on underlying custodians and fund managers — if short-term Treasury backing fails, USDY depegs | ▼ 3 |
| 24 | | B- | D | RWA | $2.7B | USYC is a permissioned, KYC-gated token representing the Hashnote International Short Duration Yield Fund. Regulatory changes to tokenized securities could force redemption freezes or operational changes, with $1.7B in assets at risk. | → 0 |
| 25 | | B- | C+ | L2 | $2.6B | Coinbase is sole sequencer with no permissionless fallback, creating a corporate single point of failure for $4.1B in TVL — though Stage 1 decentralization (Jan 2026) now allows users to exit without sequencer cooperation. | → 0 |
| 26 | | B+ | A- | RWA | $2.4B | BUSD wind-down precedent: Paxos was forced by NYDFS to cease BUSD operations in 2023, demonstrating that even federally chartered products can be shut down by regulators — a risk class that applies to PAXG. | → 0 |
| 27 | | C+ | B+ | RWA | $2.3B | USYC is now a Circle product following the acquisition (completed 2025), materially improving regulatory standing and institutional credibility, but Circle's compliance-heavy model means potential regulatory constraints on USYC usage in certain jurisdictions. | ▼ 2 |
| 28 | | B- | C- | Yield | $2.1B | Capital deployed across multiple chains and DeFi protocols means a failure in ANY recipient protocol cascades losses back through the entire Spark/Sky ecosystem | — |
| 29 | | B | C- | L2 | $2.0B | The Security Council (9-of-12 multisig) can perform emergency upgrades to all Arbitrum contracts without any timelock delay, creating a centralization risk where a compromised or coerced council could alter the rollup's behavior instantly. The DAO has published the council member identities and an election process to mitigate this. | — |
| 30 | | B- | B | Lending | $2.0B | Deep dependency on Sky (MakerDAO) ecosystem: protocol solvency is backstopped by Sky's $6.5B reserve, creating single-entity systemic risk | → 0 |
| 31 | | B- | D+ | DeFi | $2.0B | Kraken DeFi Earn concentration: Kraken's integration as the primary TVL driver means a platform withdrawal or regulatory action affecting Kraken could force rapid liquidation of $500M+ in DeFi positions at distressed prices | ▲ 4 |
| 32 | | B | C- | Yield | $1.8B | Spark Savings (sDAI/sUSDS) depends entirely on the Sky (formerly Maker) DSR/SSR rate, which is governance-controlled. Rate changes (e.g., the March 2025 cut from 6.5% to 4.5%) cause rapid TVL swings as yield-seekers migrate, creating reflexive inflow/outflow dynamics. | → 0 |
| 33 | | B | B | DEX | $1.8B | Vyper compiler vulnerability (July 2023 exploit) eroded trust; language-level risks persist for Vyper-based contracts | → 0 |
| 34 | | B- | B- | DeFi | $1.8B | Curator misallocation risk — Steakhouse controls allocation of $1.8B across lending markets, and a single bad market selection could cascade across all vaults | → 0 |
| 35 | | B- | C+ | RWA | $1.8B | Real-world asset counterparty and default risk is inherently opaque on-chain; 2023 default event exposed originator vetting weaknesses | ▲ 2 |
| 36 | | C- | C | Lending | $1.8B | Core Foundation obtained a Cayman Islands court injunction (March 2026) blocking Maple from launching syrupBTC, alleging misuse of confidential information from their joint lstBTC development — this blocks a $150M+ institutional asset product and introduces legal/operational overhang. | ▲ 2 |
| 37 | | C+ | C- | DeFi | $1.8B | Smart Collateral and Smart Debt create reflexive leverage loops up to 39x theoretical max | ▲ 2 |
| 38 | | B+ | B+ | DEX | $1.7B | Concentrated liquidity amplifies impermanent loss when prices move out of LP-set ranges | ▲ 1 |
| 39 | | B- | B+ | Yield | $1.7B | 70% TVL concentration in Ethena USDe creates existential dependency on a single yield source; a USDe depeg or yield collapse would directly impact most of Pendle's deposit base | ▲ 1 |
| 40 | | C+ | C+ | Lending | $1.7B | Unified liquidity market allows risk spillover from one toxic asset to contaminate all lending positions | — |
| 41 | | B | B- | DEX | $1.7B | Dominant BSC DEX position creates systemic concentration risk; BSC chain-level issues directly impact ~$1.7B TVL | → 0 |
| 42 | | C+ | C+ | Stablecoin | $1.6B | Basis-trade yield strategy depends on persistent positive funding rates — prolonged negative funding can erode collateral backing | → 0 |
| 43 | | C+ | C- | RWA | $1.6B | February 2026 data breach compromised 967,000 user records via Okta SSO social engineering — no on-chain impact but elevates regulatory scrutiny and customer phishing exposure | ▼ 1 |
| 44 | | C | C- | Bridge | $1.6B | February 2022 exploit allowed minting 120,000 wETH ($320M) without collateral via signature verification bug; Jump Crypto backstopped losses | → 0 |
| 45 | | C | D+ | Restaking | $1.5B | Hardcoded stETH oracle enables arbitrage exploit during depeg | → 0 |
| 46 | | B- | C | Liquid Staking | $1.4B | Distributed key generation (DKG) ceremony is a trust-critical operation — a compromised or colluding majority of cluster nodes can reconstruct the full validator key | — |
| 47 | | B- | B- | Liquid Staking | $1.3B | 8 ETH minipool operators bear outsized slashing risk relative to their bond, with losses partially socialized to rETH holders | — |
| 48 | | B- | B | Lending | $1.3B | 2024 governance attack extracted $24M COMP from treasury via coordinated whale voting (Proposal 247) | — |
| 49 | | B- | C | L1 | $1.3B | Novel consensus — Snowball protocol is less battle-tested than traditional BFT or Nakamoto consensus | → 0 |
| 50 | | B- | D | RWA | $1.3B | Anemoy relies on Chronicle Protocol's RWA Oracle for on-chain NAV reporting of its tokenized funds, creating a single oracle dependency for pricing accuracy across its $567M AUM. Chronicle's Proof of Asset framework provides cryptographic verification, but a sustained oracle failure could delay redemptions. | → 0 |
| 51 | | C+ | D | Stablecoin | $1.3B | USDD relies on TRX as a primary reserve asset, creating correlated collateral risk — a severe TRX drawdown could impair the overcollateralization ratio below the 130% minimum despite the current 200%+ buffer. | — |
| 52 | | B | C- | RWA | $1.2B | Spiko tokenizes money market funds backed by US and EU Treasury bills — while the underlying assets are low-risk, the tokenization layer introduces smart contract, custody, and regulatory surface area that traditional T-bill investors don't face. | — |
| 53 | | C+ | C+ | DeFi | $1.2B | Gauntlet's simulation-based risk models curate $2B+ in vault AUM and inform parameters for protocols with $35B+ in monitored assets — models calibrated on historical data may fail catastrophically during tail events outside observed volatility ranges | ▲ 1 |
| 54 | | C | C+ | Lending | $1.2B | History of severe incidents: $200M+ XVS price manipulation cascade (2021), $100M+ bad debt from BNB bridge hack (2022), and a March 15, 2026 donation attack extracting $3.7M via supply cap manipulation (attacker accumulated 12.2M THE tokens over 9 months to bypass supply limits) | ▲ 1 |
| 55 | | B | C+ | Yield | $1.1B | Vault curator model introduces principal-agent risk — curators allocate capital across DeFi strategies on behalf of depositors | ▲ 3 |
| 56 | | B- | D+ | Liquid Staking | $1.1B | Multi-LST Infinity pool aggregates risk from all supported LSTs; a single LST depeg can poison the entire pool through arbitrage-driven toxic asset accumulation | ▲ 3 |
| 57 | | C+ | C | RWA | $1.0B | Franklin Templeton (transfer agent) retains unilateral power to freeze, claw back, and restrict BENJI token transfers on all nine blockchains — tokens are not censorship-resistant | ▲ 1 |
| 58 | | B- | C+ | Yield | $1.0B | Multi-strategy vaults deploy capital across Aave, Curve, Morpho, and EigenLayer simultaneously; hidden correlations between strategies mean diversification benefits evaporate during systemic DeFi stress events | — |
| 59 | | B- | C | L1 | $1.0B | Bridge dependency — checkpoints to Ethereum create a trust assumption and potential attack vector; the PoS Bridge secures over $1B in locked assets with a validator multisig | → 0 |
| 60 | | C+ | C+ | DEX | $1.0B | Admin key compromise led to $4.4M exploit in Dec 2022, exposing centralised control over pool parameters | ▲ 1 |
| 61 | | C+ | C | Liquid Staking | $1.0B | BTC custody risk: Lorenzo holds custodied Bitcoin on behalf of stakers — a custody provider failure or hack would result in permanent BTC loss for stakers | ▲ 5 |
| 62 | | C+ | B- | Lending | $946M | Rehypothecation in vaults creates cross-vault contagion risk despite initial 'zero contagion' marketing claims — Jupiter COO acknowledged in December 2025 that 'very limited' contagion risk exists | → 0 |
| 63 | | B- | C | Liquid Staking | $939M | osETH overcollateralisation model means validators bear first-loss risk — slashing or poor performance directly erodes their position before osETH holders | — |
| 64 | | B | B | Liquid Staking | $901M | JitoSOL's MEV tip distribution depends on >95% of Solana validators running the Jito client, creating systemic centralization risk for the network | — |
| 65 | | B+ | B | DEX | $896M | Sandwich attacks exploit constant-product AMM with 90% of blocks vulnerable to front-running | ▲ 1 |
| 66 | | B- | D+ | RWA | $864M | Over 90% of reserves held in a single asset (BlackRock BUIDL), creating deep concentration risk on one tokenized treasury fund | → 0 |
| 67 | | B- | D- | RWA | $843M | Fully centralized operations — WisdomTree controls all minting, redemption, and transfer allowlisting with no on-chain governance | ▲ 4 |
| 68 | | B- | D- | Liquid Staking | $841M | dzSOL launched in January 2025, making it approximately one year old. Despite rapid growth to 13.2M SOL staked ($1.1B), the protocol has limited track record through different market conditions (no bear market test, no major stress event). Early-stage liquid staking tokens carry higher smart contract risk than established alternatives. | — |
| 69 | | B- | C- | Liquid Staking | $814M | Kinetiq holds 82.5% market share in Hyperliquid liquid staking, creating single-point-of-failure concentration risk for the entire Hyperliquid staking ecosystem. | — |
| 70 | | C+ | D- | Liquid Staking | $804M | Centralized custody: all staked SOL is managed by Binance validators, creating a single-entity dependency for ~$712M in assets | — |
| 71 | | B- | C+ | DeFi | $795M | Chainlink Labs retains significant centralized control over network operations, including node operator selection and staking pool parameters, though the network has operated reliably for 7+ years under this model and a decentralization roadmap is in progress. | → 0 |
| 72 | | B | B- | Liquid Staking | $784M | jupSOL is delegated primarily to Jupiter's own validator running the experimental Frankendancer client, creating concentration and software risk | — |
| 73 | | B- | D | RWA | $757M | BCAP is a tokenized venture capital fund where the underlying portfolio consists of illiquid blockchain startup investments. NAV is determined by periodic fund valuations rather than real-time market pricing, creating potential for stale or inaccurate pricing between valuation events. | ▲ 2 |
| 74 | | C | C+ | RWA | $755M | Tokenized equities depend on off-chain broker-dealer custody — Oasis Pro Markets insolvency or regulatory action would freeze all token redemptions | — |
| 75 | | C | D+ | Liquid Staking | $750M | LBTC's 1:1 BTC backing depends entirely on Babylon's Bitcoin staking security; any slashing event or Babylon exploit directly depegs LBTC across all 15 integrated chains | — |
| 76 | | C | D+ | Restaking | $750M | LBTC depends on Babylon's nascent BTC staking infrastructure which has no proven slashing enforcement mechanism yet | ▲ 5 |
| 77 | | C+ | C | Liquid Staking | $700M | Institutional node operator concentration (Coinbase, Kraken, Figment, Blockdaemon, Staked) creates correlated regulatory risk; SEC enforcement against any operator could cascade to validator shutdowns and LsETH yield failure | — |
| 78 | | C+ | C- | DeFi | $700M | CeDeFi hybrid model depends on centralized custody (CEFFU/Binance) remaining solvent and accessible; LCTs (Liquidity Custody Tokens) become worthless if CeFi custodian fails, combining centralized custody risk with decentralized protocol exposure | → 0 |
| 79 | | C+ | B | Derivatives | $690M | JLP holders are the counterparty to all perp traders — during trending markets, the pool can suffer significant directional losses | → 0 |
| 80 | | B- | B | DEX | $663M | Permissionless hooks execute arbitrary code on every swap, enabling novel attack vectors with 36% of analyzed hooks found potentially vulnerable | ▲ 2 |
| 81 | | B- | D- | RWA | $659M | Centralized mint/redeem gating via allowlist means Superstate can freeze or deny redemptions at will | — |
| 82 | | B- | C- | Liquid Staking | $651M | mETH is operated by Mantle, creating concentration risk around the Mantle ecosystem. If Mantle faces governance issues, regulatory action, or operational failures, mETH holders are directly exposed. | — |
| 83 | | B- | C | Yield | $641M | Convex controls ~50% of veCRV voting power, creating systemic Curve governance centralization risk | → 0 |
| 84 | | B- | C- | Liquid Staking | $588M | slisBNB commands ~50% of BNB Chain staking market share, creating unprecedented concentration risk for the chain's validator set and security model | — |
| 85 | | B- | C | Lending | $550M | Extreme TVL growth (1,000% YTD to $4.5B across Lista DAO) means the lending markets are largely untested under sustained bearish conditions | → 0 |
| 86 | | C+ | C- | Lending | $550M | Systemic concentration risk: Lista DAO controls nearly 50% of BNB Chain's entire staking market with 12M+ BNB staked, creating a single point of failure for the chain's security and liquidity | ▲ 1 |
| 87 | | C+ | C+ | L1 | $550M | Sui validators demonstrated the ability to freeze $162M in stolen funds within hours during the May 2025 Cetus exploit — a recovery success, but also proof that a coordinated supermajority of validators can censor arbitrary addresses, undermining the censorship-resistance claim. | → 0 |
| 88 | | C+ | C- | DeFi | $542M | Governance was compromised in May 2023 when an attacker used a malicious proposal with hidden SELFDESTRUCT/CREATE2 logic to grant themselves 1.2M votes, exceeding the legitimate 700K votes. The attacker later returned control, but the attack vector demonstrated that DAO proposal auditing is insufficient to prevent governance takeover. | — |
| 89 | | D+ | D+ | L1 | $534M | Aster Chain launched mainnet in March 2026 with no public specification of its ZK proving system, VM architecture, or consensus mechanism, and no L1-specific audit has been completed. The $298M in TVL sits on unverified infrastructure — a critical bug in the ZK circuit could allow fraudulent state transitions that drain user funds without detection. | → 0 |
| 90 | | B+ | D- | DEX | $516M | Multi-chain expansion across Polygon, Base, Somnia, and other EVM chains introduces cross-chain composability risk and increases attack surface across different security models. | — |
| 91 | | C | C+ | Lending | $516M | History of $197M flash loan exploit in March 2023 (funds recovered) demonstrates protocol-level vulnerability precedent | → 0 |
| 92 | | C+ | D+ | L2 | $511M | Optimism's sequencer remains fully centralized, operated solely by OP Labs with no decentralized fallback or concrete timeline for decentralization. Multiple sequencer outages occurred in 2025 (August and November), confirming this as a live operational risk rather than a theoretical concern. During downtime, users cannot submit transactions and must wait ~12 hours to force-include via L1. | ▲ 1 |
| 93 | | C+ | C+ | Yield | $500M | BTC delta-neutral strategy depends on perpetual funding rates being positive — in bear markets, negative funding drains yield and can erode principal | ▲ 5 |
| 94 | | C+ | D | Restaking | $478M | Permissionless vault creation allows uncurated risk exposure to poorly configured slashing conditions | ▼ 2 |
| 95 | | C+ | C- | L2 | $473M | Kraken operates the sole sequencer, meaning regulatory action against the exchange — such as OFAC sanctions, DOJ enforcement, or operational suspension — could halt block production on Ink for up to 12 hours before users can bypass via Ethereum L1 forced inclusion. The SEC dropped its 2023 exchange-operation lawsuit against Kraken in March 2025, but Kraken remains subject to ongoing regulatory oversight as a licensed US exchange. | — |
| 96 | | B- | C- | DeFi | $451M | Oracle manipulation risk via UMA resolution system enables incorrect market settlements, potentially causing $50M+ losses in a single high-volume market and destroying platform credibility | — |
| 97 | | B- | C- | Bridge | $437M | Threshold cryptography relies on a group of randomly selected node operators to custody deposited Bitcoin. If a sufficient threshold of operators is compromised or colluding, BTC could be stolen, though the random selection and threshold requirement mitigate single-point-of-failure risk. | — |
| 98 | | C+ | C | Yield | $431M | Automated vault strategies allocate across 7+ DeFi protocols (Aave, Morpho, Pendle, etc.), compounding smart contract risk from each underlying integration | ▼ 2 |
| 99 | | C | B | Derivatives | $410M | HLP vault automatically inherits liquidated positions, including illiquid tokens where market manipulation can force the vault to absorb outsized losses — as demonstrated in the March 2025 JELLY incident where the vault faced $12M in unrealized losses. | → 0 |
| 100 | | B- | D | Yield | $403M | Cross-protocol composability — CIAN strategies operate across multiple DeFi protocols (Aave, Compound, Curve, Lido) simultaneously. A vulnerability or state change in any underlying protocol can cascade through active strategy vaults. | — |