How Credora rates a DeFi vault: inside the methodology

Credora rates DeFi lending markets by starting with onchain data, running 100,000 Monte Carlo simulations per market across five independent risk factors, and producing a Probability of Significant Loss (PSL) and a letter grade. This article explains each step.

If a vault has a PSL of 3%, that means in 3 out of 100 simulated years, under historical market conditions, a depositor would have lost more than 1% of principal. The letter grade maps directly to that number.


Why a DeFi vault needs its own rating methodology

Traditional credit rating methodology assumes audited financial statements, enforceable legal contracts, and management disclosure. DeFi lending markets have none of these. What they have is onchain data: every liquidation, every oracle update, every price shock recorded publicly and permanently.

Credora’s methodology treats this data as the primary input and builds a probability model from protocol behavior rather than from disclosed financials. The five risk factors below cover the independent failure modes that onchain data captures.


The five risk factors

Smart contract risk

Smart contract risk is the probability that the code governing a vault introduces losses through a bug, an exploit, or an upgrade. It is modeled as a probability distribution shaped by code complexity, audit coverage, upgrade mechanisms, and time in production.

Smart contract risk is a probability distribution, not a binary pass or fail based on audit completion. A protocol with multiple completed audits can still carry meaningful risk if the codebase is complex, upgrade paths are open, or the contract is recent. Time in production under real capital is a significant input: a contract that has processed billions in volume for two years earns a different distribution than one deployed three months ago.

Liquidity risk

Liquidity risk measures how much collateral can be sold, at what price, if a vault needs to liquidate positions quickly.

The key dynamic is that asset liquidity is not a fixed property. An asset may be liquid in normal conditions and effectively illiquid during market stress, when multiple vaults attempt to liquidate the same collateral simultaneously and order books thin out. Credora models liquidity under stress conditions drawn from the historical distribution of correlated market shocks, not from average-day trading volume.

Oracle risk

A vault prices its collateral using an oracle. Oracle design determines whether that price is accurate during stress events. Fixed-price oracles maintain a constant valuation regardless of market conditions. Market-based oracles aggregate prices across multiple sources in real time. Each design carries a distinct risk profile, and Credora’s methodology models the specific oracle configuration of each market being rated.

The Euler Finance hack in March 2023 illustrates the failure mode: complex interactions between price feeds and lending parameters resulted in $197 million in losses despite completed audits.

Counterparty risk

Counterparty risk captures exposure to third-party entities whose failure causes losses regardless of what happens onchain: token issuers who may halt redemptions, custodians holding underlying assets, and protocol teams with administrative control over contracts.

A vault holding tokenized T-bills may have sound smart contracts and liquid underlying assets. Its rating still reflects the risk the issuer’s off-chain operations introduce: custodial arrangements, redemption windows, and legal enforceability under stress.

Collateral quality

Collateral quality captures the nature of the assets backing a lending market. DeFi vaults today hold T-bills, private credit, stablecoins, and equity-linked products, each with different liquidity profiles, valuation methods, and redemption mechanics.

T-bills settle in one business day and mark to market continuously. Private credit may lock capital for months and relies on model-based valuation. Stablecoins carry their own structural risk, from collateral composition to redemption mechanism design. The collateral quality factor models these differences explicitly.


The Monte Carlo process

Each market runs 100,000 simulations drawn from the historical distribution of price movements, liquidity conditions, and correlated market shocks for that market’s specific collateral set. The five risk factors are modeled independently, then combined into a joint loss distribution.

PSL is the proportion of simulations where loss exceeds 1% of principal over a one-year horizon. A market where 5,000 of 100,000 simulated years produced a loss above that threshold has a PSL of 5%. The letter grade maps PSL to a defined scale from A+ to D: the lower the PSL, the higher the grade. The specific thresholds for each grade are in "What is PSL?".

For a full explanation of what the output represents in practice, see "What is a DeFi risk rating?".


Key takeaway

Credora’s DeFi risk assessment methodology starts with onchain data, models five independent risk factors (smart contract, liquidity, oracle, counterparty, and collateral quality), and runs 100,000 Monte Carlo simulations per market. The output is PSL: the annualized probability of losing more than 1% of principal. PSL drives the letter grade. Each factor and each simulation parameter maps to observable protocol behavior.


Frequently asked questions

How does Credora get its data for a DeFi risk assessment?

Credora uses onchain data as the primary input: transaction history, oracle price feeds, liquidation records, collateral price distributions, and smart contract parameters. For counterparty risk, this is supplemented with off-chain information about issuers and custodians where relevant.

Why 100,000 simulations per market?

Monte Carlo methods produce more accurate probability estimates as simulation count increases. At 100,000 simulations, the PSL estimate is stable: running the model again produces the same result within a negligible margin. Fewer simulations introduce variance that can meaningfully shift a rating at the boundaries between letter grades.
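
An added example, not Credora's model or code: a toy simulator with constructed per-factor event probabilities and severity ranges, showing how PSL is counted from simulated years (as described under "The Monte Carlo process") and how the sampling error of that count shrinks as the simulation count grows. Every severity range is set above the 1% threshold, an assumption made so that the exact PSL is known and the estimate can be checked against it.

```python
import math
import random

LOSS_THRESHOLD = 0.01  # "significant loss": more than 1% of principal

# Constructed inputs, not Credora's parameters. Per factor:
# (annual probability of a loss event, min severity, max severity).
FACTORS = {
    "smart_contract": (0.010, 0.05, 1.00),
    "liquidity":      (0.015, 0.02, 0.20),
    "oracle":         (0.005, 0.05, 0.50),
    "counterparty":   (0.008, 0.02, 0.30),
    "collateral":     (0.012, 0.02, 0.15),
}

def simulate_year(rng, factors=FACTORS):
    """Draw each factor independently; return the combined loss fraction."""
    remaining = 1.0
    for p_event, sev_lo, sev_hi in factors.values():
        if rng.random() < p_event:
            remaining *= 1.0 - rng.uniform(sev_lo, sev_hi)
    return 1.0 - remaining

def psl(losses, threshold=LOSS_THRESHOLD):
    """Share of simulated years whose loss exceeds the threshold."""
    return sum(1 for x in losses if x > threshold) / len(losses)

def estimate_psl(n_sims, seed):
    rng = random.Random(seed)
    return psl([simulate_year(rng) for _ in range(n_sims)])

def std_error(p, n_sims):
    """Sampling standard error of a proportion estimated from n_sims draws."""
    return math.sqrt(p * (1.0 - p) / n_sims)

def exact_psl(factors=FACTORS):
    """Closed form for this toy model: a year is a significant loss
    exactly when at least one factor's event fires."""
    no_event = 1.0
    for p_event, _, _ in factors.values():
        no_event *= 1.0 - p_event
    return 1.0 - no_event

if __name__ == "__main__":
    truth = exact_psl()
    for n in (1_000, 10_000, 100_000):
        runs = [estimate_psl(n, seed) for seed in range(5)]
        print(f"N={n:>7} se={std_error(truth, n):.5f} "
              f"min={min(runs):.4f} max={max(runs):.4f} exact={truth:.4f}")
```

The standard error falls with the square root of the simulation count, so going from 1,000 to 100,000 simulations narrows the run-to-run spread of the PSL estimate by a factor of ten.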

Does the methodology change when a vault’s collateral changes?

Yes. Credora updates ratings when material changes occur in a vault’s collateral composition, oracle configuration, or smart contract parameters. Each update re-runs the full 100,000-simulation model with the new configuration.


Ratings and data provided are for informational purposes only. Not investment advice or a solicitation to buy or sell assets. Always conduct your own due diligence. Credora does not guarantee the completeness or real-time accuracy of any information provided. A full disclaimer is included in each risk assessment report published at https://www.credora.network/reports/.
