Anchor PD
Asset Quality
Assesses the creditworthiness and stability of the reserves, underlying assets, or strategies supporting an asset's value. The methodology captures three risk dimensions: market risk, credit risk, and liquidity risk.
Four evaluation techniques apply based on reserve composition. Direct Rating is used when reserves are themselves independently rated assets. Market Proxy uses public credit ratings to quantify the risk of traditional reserve assets such as U.S. Treasury Bills. Monte Carlo Simulations model alternative-asset structures (typically crypto collateral in collateralized debt positions) using asset volatility, loan distributions, liquidation triggers, and market liquidity. Structural Credit Modeling via a Black-Cox variant of the Merton Model is applied to active investment strategies, treating excess reserves over redemption value as a barrier option on reserve asset value.
| Technique | Reasoning | Evidence |
|---|---|---|
| Direct Rating | When the reserve is itself a separately rated token, the underlying token's PD propagates directly into the assessment, avoiding duplicate modeling of an already-priced risk. | Applies to assets whose reserves include other rated assets (e.g., BlackRock BUIDL, Ondo OUSG, Ethena USDe). Mirrors how credit rating agencies treat funds-of-funds or tokenized money market wrappers. |
| Market Proxy | Traditional reserve assets carry externally observable, agency-published cumulative default probabilities. Weighting these published PDs by reserve composition uses the same data institutional credit analysts already rely on, rather than substituting analyst judgment for it. | Financial firms and agencies publish cumulative default rates by rating tier and tenor (e.g., Moody's Annual Default Study). These rates underpin the credit risk assessment of U.S. Treasury Bills, repo, commercial paper, and bank deposits used as stablecoin reserves. |
| Monte Carlo Simulations | DeFi CDP structures have path-dependent default profiles: liquidation mechanics, slippage, and reflexive collateral price impact mean headline collateralization overstates true coverage under stress. Forward path simulation captures the non-linear interaction of asset volatility, LTV distribution, liquidation triggers, and market depth that a static ratio cannot. | MakerDAO's March 12, 2020 "Black Thursday" auction failure — where keeper bots failed to clear liquidations as ETH dropped >30% in hours, producing $5.7M of bad debt — is the canonical reference for crypto-collateral liquidation mechanics under stress. Iron Finance (June 2021), Mai Finance, and other CDP impairments reinforce the path-dependent nature of alternative-asset insolvency. |
| Black-Cox Merton Model | Active-strategy stability depends on continuous strategy performance against a redemption barrier. The early-default barrier formulation captures the reality that stablecoin defaults occur through continuous redemption pressure rather than discrete maturity settlement. | Built on the Merton and Black & Cox academic credit-risk frameworks originally developed for structural modeling of corporate default. UST's May 2022 collapse and Resolv USR's March 2026 impairment both follow the barrier-option dynamic: a continuous strategy buffer breaches, triggering default before any individual obligation matures. |
Custody Risk
Evaluates the reliability of the structures safeguarding underlying assets, covering both the financial and operational risks of centralized custodians and the exploit probability of smart contract custody mechanisms.
Depending on the asset type, custody will fall in one of two categories:
Centralized custody starts from an entity-type Anchor PD and applies adjustments for bankruptcy remoteness, asset segregation, charter type, insurance coverage, and operational maturity. The factor hierarchy is explicit: bankruptcy remoteness and asset segregation carry more weight than insurance, maturity, or charter type alone.
| Entity tier | Reasoning | Evidence |
|---|---|---|
| G-SIB or federally chartered bank | Statutory bank or trust charter confers the strongest fiduciary duties, legally-mandated segregation, and the strongest presumption of bankruptcy remoteness. Capital buffers, supervisory oversight, and observable financials anchor the lowest PD because client-asset protection is embedded in law rather than contract. | Decades of bank-failure data from Moody's, S&P, and the FDIC anchor the annual default rate of federally chartered G-SIBs in the 0.01–0.05% range. Examples include BNY Mellon, State Street, and J.P. Morgan custody. Basel framework resolution guidance underpins the regulatory floor. |
| Rated trust bank | Trust-style custody authority with externally-audited financials provides a strong anchor. Regulatory protections sit below the statutory bank tier and depend on charter scope, so custody-specific notches still carry information. | Examples: Anchorage Digital (federally chartered trust), Standard Custody, Paxos Trust Company. Default rates are tracked by rating agencies; fiduciary obligations are codified in state and federal trust law. |
| Regulated crypto custodian (NYDFS, equivalent) | Real but partial protection: licensed and substantively regulated, but protections are regulatory or contractual rather than statutory, bankruptcy remoteness is not automatic, and financial transparency is weaker than that of chartered banks. | NYDFS BitLicense and equivalent regimes have produced operating histories of 5–10 years. Capital requirements typically sit at <$10M paid-up versus multi-billion-dollar requirements for G-SIBs. Examples: Coinbase Custody, Fireblocks, Gemini Custody. |
| Unlicensed or unregulated VASP | Custody authority is contractual or registration-based only; fiduciary duties are weak, and asset segregation and bankruptcy remoteness depend on engineered structures rather than statute. | Prime Trust (2023) is the textbook failure: it collapsed because of legal disputes over which assets belonged to clients versus the firm, despite operational controls being in place. The root cause was lack of bankruptcy-remote structuring. Cred (2020) and Voyager (2022) follow the same pattern. |
Smart contract custody is evaluated using the same on-chain factors captured under Audit Quality and Contract Maturity, applied specifically to the custody implementation.
Audit Quality
Analyzes the frequency and scope of completed smart contract audits, the credibility of the auditors, and the size and structure of any bug bounty programs. Contract complexity influences the weight of the metric.
Weighted scoring combines audit quality, contract maturity, audit quantity, and bug bounty design. Audit quality dominates because what matters is whether the right attack surface was reviewed and whether findings were fixed in the currently deployed code, not how many reviews were done. Bug bounty programs are evaluated for size and structure, with publicly known programs scaled to TVL signalling mature post-launch security posture.
| Tier | Reasoning | Evidence |
|---|---|---|
| Formal verification on critical paths and multiple top-rated audits | Combines methodological diversity (manual review, symbolic analysis, formal verification) with proof of invariant preservation — asset conservation, solvency, mint/burn correctness — that line-by-line review systematically misses. Recency matches the deployed bytecode and remediation is verified. | Halborn's Top 100 DeFi Hacks (2016–2023) found audited protocols accounted for only 14.3% of value lost. A British Accounting Review study of 316 large DeFi protocols (2024) confirmed higher-quality auditor coverage correlates with higher TVL. Formal verification has been applied at MakerDAO core, Compound v2, and Tornado Cash. |
| Multiple standard audits with established bug bounty | Several independent reviewers cover the core attack surface with reasonable scope and remediation, supplemented by a standing post-launch incentive for external researchers to disclose residual vulnerabilities. Falls short of the top tier where methodological diversity or formal proof of economic invariants is absent. | Modal population across mainstream DeFi protocols, consistent with the bulk of the CertiK and Halborn datasets. Examples: Aave V3, Compound V3, major DEX protocols. Bug bounty programs scaled to TVL (Immunefi listings of $1M–$10M+) signal mature post-launch security posture. |
| Single audit or narrow coverage | One review or narrowly-scoped coverage leaves entire vulnerability classes — input validation, accounting paths, upgrade safety, integration surfaces — un-tested, with no diverse second opinion to catch what the first methodology systematically misses. | Wormhole had approximately 29 audits at the time of its $326M exploit (February 2022); Euler was reviewed six times before its $197M hack (March 2023); Beanstalk's auditor explicitly noted the exploited code was never in scope. Audit count without scope coverage carries no predictive value. |
| Unaudited or newly deployed | No independent third party has examined the deployed bytecode for known vulnerability classes; the protocol relies entirely on internal review. | CertiK Hack3d 2024 identified $2.36B lost across 760 incidents, with unaudited and newly deployed protocols heavily over-represented in the loss distribution. PancakeBunny (May 2021, $45M), Cashio (March 2022, $52M), and dozens of smaller pre-launch exploits anchor this tier. |
Contract Maturity
Assesses the duration and performance history of deployed smart contracts as an indicator of exploit risk and protocol stability.
Time deployed without material modification is the primary input. Maturity scoring tapers as a function of deployment age. Material upgrades reset the maturity clock: a long-deployed contract that undergoes an unaudited core upgrade is assessed against the upgrade date, not the original deployment.
| Tier | Reasoning | Evidence |
|---|---|---|
| 60+ months | Bytecode has been continuously scrutinized across multiple complete market cycles by users, integrators, competitors, white-hats, and adversarial actors. Surviving this exposure window is the strongest available evidence that obvious and many subtle vulnerability classes have been surfaced and patched. | MakerDAO core (deployed November 2017), Uniswap V2 (May 2020), Compound v2 (May 2019), and Lido stETH (December 2020) have all survived multiple cycles without core protocol exploit. Lindy effect is supported by survival analysis across the documented hack record. |
| 36 to 60 months | Has weathered at least one complete market cycle, including expansion, contraction, and macro stress regimes, providing meaningful but not exhaustive evidence of resilience. | Aave V3 (deployed March 2022), Compound III (August 2022), and GMX v2 (August 2023) sit within this band as of mid-2026. Each has weathered the 2022–2023 bear market and the 2023 banking crisis without core protocol exploit. |
| 18 to 36 months | Track record exists across multiple stress regimes but has not been tested through a full cycle, leaving residual uncertainty about behavior under conditions not yet observed. | Newer LST protocols (Renzo, Kelp, Puffer) and curator-backed lending markets (Morpho Blue) sit here, with track record across the 2024 DeFi summer and 2025 rate-cycle stress but not full bear-market exposure. |
| 6 to 18 months | Past the infant-mortality period but not deeply battle-tested; the post-deployment window during which initial vulnerabilities and integration assumptions are most likely to be exploited remains partially open. | Recently launched LRTs, active-strategy stablecoins in their first year, and newer L2 deployments. Beanstalk's exploit at month 8 ($182M), Wormhole's at month 7–8 ($326M), and Euler's roughly 8 months after a critical function was added all illustrate residual risk in this window. |
| 0 to 6 months | Highest-risk deployment period: real liquidity, integrations, and adversarial attention are not yet fully priced into the bytecode. | Concentration of the documented loss record sits here. Wormhole (~7–8 months from launch), Ronin (~5–6 months), Beanstalk (~8 months), Nomad (~4–6 months), and Cashio (~3 months) all fall within or just past this window. |