Risk Assessment Framework

Explore Notum's DeFi Risk Assessment Framework, empowering crypto risk management for decentralized investments in the Web3 ecosystem.


Decentralized Finance (DeFi) represents a substantial improvement over the existing system of transferring value. One of the key innovations in DeFi is Decentralized Exchanges (DEXes), which facilitate seamless asset exchange. Over time, a variety of tools have rapidly emerged on top of DEXes, primarily designed to optimize DeFi processes. These tools offer users an efficient means of utilizing their funds, contributing to ecosystem maintenance while generating passive income for providers.

While there are many similarities between a decentralized financial system and a centralized one, the absence of a centralized authority is the main distinguishing feature that makes the decentralized system vulnerable to misconduct by involved parties, such as bad actors or malicious users. The rising number of hacks and exploits highlights the need for a risk assessment system that can be used by retail users, who are typically the most affected in such situations. With this in mind, we have decided to develop a tool for preliminary risk assessment for DeFi investments, believing that this could be a significant step towards broader adoption of Web3.

Notum Risk Assessment Framework

At Notum, our goal is to visualize all potential risks for users, enabling them to make more informed decisions and continuously optimize their portfolios without depending on a single protocol or entity. The Notum Risk Assessment, which we introduce in this methodology, should not be seen as the sole and final tool for measuring risk. The primary purpose of this system is to establish a simple and transparent mechanism for swift risk assessment, providing a preliminary evaluation that considers factors generally regarded as important.

Notum holds the belief that risk is not a fixed or straightforward concept, but rather one that is dynamic. Risk can originate from various sources and have an impact on multiple aspects of a DeFi project. It evolves over time in response to external events.

Furthermore, we acknowledge that risk exists objectively and can be measured and quantified, but it is influenced by how users perceive and evaluate it. Risk cannot be disregarded; instead, it must be acknowledged and dealt with. Therefore, it is crucial to employ a rigorous standard when assessing risks in DeFi.

Notum's risk assessment framework (RAF) comprises three key elements: protocol risks, asset risks, and pool risks associated with a specific strategy.

  • Protocol risks: all risks related to vulnerabilities of the protocols. These risks are fundamental because they cover all the investment options provided by the protocol, so they should be considered when assessing the risk of any single investment the protocol offers.

  • Asset risks: risks that stem from the assets involved in the strategy. We calculate the risk of every asset used in the strategies displayed on the platform. If several assets are involved in a strategy, the average of their risks is used to calculate the overall investment risk.

  • Pool risks: risks that stem from the details of the pool, such as the liquidity in the pool, impermanent loss, and the details of the blockchain that hosts the pool. All these details are used to assess the risk of the pool.

Risk Levels

There are 3 risk levels and 6 different risk grades that you will find on the Notum Platform: A, B, C, D, E, and F.

  • A and B grades refer to good, low-risk investments;

  • C and D grades refer to average investments that might have several drawbacks or minor issues with some of the components;

  • E and F refer to risky investments, which might have some significant issues.

Protocol Level Risks

The following risks arise directly from the protocol and its inherent vulnerabilities, requiring a comprehensive and multidimensional analysis. Notum’s methodology assesses the protocol's security posture by examining six crucial factors, each holding an equal weight of ⅙ in the overall evaluation.

Protocol Audits

The number of audits a protocol has undergone is a crucial factor in assessing its security. Zero audits imply a high risk due to the lack of external review. One audit suggests a medium risk, while two or more audits from different teams signify a low risk, indicating that the protocol's code has undergone thorough examination.

Protocol Audits in the Last 2 Years

This metric focuses on the recency of the protocol audits. The absence of audits in the past two years denotes a high risk, one audit suggests a medium risk, and two or more audits from different teams in this timeframe are indicative of a low risk.

Protocol’s Exploits

This quantifies the protocol's historical vulnerability to hacks and exploits. Two or more hacks result in a high-risk rating, one hack is a medium risk, and no hacks indicate a low risk.

Protocol’s Exploits for Current Version

This metric specifically examines the security of the protocol's latest version. Like the previous metric, two or more hacks result in a high-risk rating, one hack is a medium risk, and no hacks imply a low risk.

Protocol’s Maturity

This parameter inspects the protocol's historical performance and duration on the mainnet, serving as an indicator of its reliability and robustness. A protocol that has successfully operated for more than two years is deemed low-risk, proving its efficacy and resilience across various scenarios. A lifespan of over one year but less than two falls into the medium risk bracket, while a protocol in operation for less than a year is categorized as high-risk for potential investors.

Protocol’s Liquidity (TVL)

The trust and confidence users place in a protocol are directly correlated with the amount of capital they're willing to deposit into it, quantified by the Total Value Locked (TVL).

This metric represents the summation of assets secured in the protocol's smart contracts. A higher TVL suggests a lower risk of the protocol being abandoned or exploited, with protocols boasting a TVL exceeding 100,000,000 USD considered low-risk.

Conversely, a TVL below 10,000,000 USD indicates a high-risk protocol characterized by insufficient aggregate liquidity. Any TVL falling between these thresholds is classified as a medium risk.
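The six protocol-level factors above, worked through as an added example (not Notum's code). The thresholds come from the text; the 0/1/2 points per level, the handling of exactly one or two years as medium, and all names are assumptions made here. The page does not state how a score maps to the A to F grades, so no grade is computed.

```python
from dataclasses import dataclass
from fractions import Fraction

LOW, MEDIUM, HIGH = "low", "medium", "high"
# Assumption (not from the page): points used only to average the six levels.
POINTS = {LOW: 0, MEDIUM: 1, HIGH: 2}

@dataclass
class Protocol:
    audit_teams: set           # distinct auditing teams, all time
    audit_teams_2y: set        # distinct auditing teams, last two years
    exploits: int              # all versions
    exploits_current: int      # current version only
    years_on_mainnet: float
    tvl_usd: float

def by_count(n, more_is_safer):
    """0 / 1 / 2+ scale: audits lower the risk as they grow, exploits raise it."""
    scale = (HIGH, MEDIUM, LOW) if more_is_safer else (LOW, MEDIUM, HIGH)
    return scale[min(n, 2)]

def maturity(years):
    # Over two years is low, under one is high; exactly 1 or 2 years is
    # treated as medium here (assumption, the page leaves the edges open).
    return LOW if years > 2 else HIGH if years < 1 else MEDIUM

def tvl(usd):
    # Above 100M USD is low, below 10M USD is high, anything else medium.
    return LOW if usd > 100_000_000 else HIGH if usd < 10_000_000 else MEDIUM

def protocol_factors(p):
    return {
        "audits": by_count(len(p.audit_teams), True),
        "audits_last_2y": by_count(len(p.audit_teams_2y), True),
        "exploits": by_count(p.exploits, False),
        "exploits_current_version": by_count(p.exploits_current, False),
        "maturity": maturity(p.years_on_mainnet),
        "tvl": tvl(p.tvl_usd),
    }

def protocol_score(p):
    """Equal 1/6 weights: 0 means all six factors low, 2 means all high."""
    return sum(Fraction(POINTS[v], 6) for v in protocol_factors(p).values())

# Constructed sample, not a real protocol.
sample = Protocol({"TeamA", "TeamB"}, {"TeamB"}, 1, 0, 1.5, 42_000_000)
if __name__ == "__main__":
    print(protocol_factors(sample), protocol_score(sample))
```

Counting distinct auditing teams rather than reports keeps two audits by the same firm from being scored as the low-risk "two or more audits from different teams" case.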

Assets’ Level Risks

In our ongoing commitment to provide the highest standard of risk assessment for assets, we have integrated Certik Skynet's risk assessment scores into our evaluation process. Certik, our esteemed audit partner, offers a robust and comprehensive risk assessment through their Skynet platform. By leveraging Certik's expertise, we ensure a reliable and objective evaluation of asset risks.

For assets that are not yet assessed by Certik Skynet, we utilize our own framework to calculate the risk score. This dual approach allows us to maintain consistency and accuracy in our assessments, ensuring that all assets, regardless of their Certik Skynet status, are thoroughly evaluated.

These risks are inherent to the assets employed in investment strategies. This risk category conducts a comprehensive evaluation, starting with the market capitalization of the assets to gauge their popularity and extent of usage.

It meticulously measures the assets' volatility, taking into account their unique characteristics. Additionally, this group scrutinizes the intrinsic value or collateralization of assets and delves into the potential risks embedded in the assets' smart contracts.

Asset’s Market Capitalization

This score is a reflection of the asset’s market size and its establishment, derived from its total market capitalization.

Market cap, as a crucial metric, indicates the combined value of the asset's circulating supply, calculated by multiplying the asset's current price by its circulating units. The asset’s market cap is directly proportional to its popularity, demand, and liquidity, further providing insights into its potential trajectory of growth or decline. Generally, a higher market cap is synonymous with a lower risk of illiquidity or instability.

For assets with a market cap below 100 Million USD, the risk is deemed high. Conversely, a market cap exceeding 1 Billion USD is indicative of a low-risk asset. Any value between these two extremes is categorized as having medium risk.

*For this type of investment, we include a moderate risk level, which constitutes 80%, to make the risk assessment more accurate.

Asset’s Volatility

This parameter refers to the asset's price fluctuations, crucial in ascertaining the safety associated with possessing the asset. Should the asset exhibit significant price fluctuations exceeding 100% within a week over the past year, it is labeled high risk.

On the other hand, if the fluctuations are contained within 50% of the asset's price in a similar timeframe, the risk is low. Any deviation between these two benchmarks is assigned a medium risk grade.

In the case of stablecoins, the rules diverge. A fluctuation beyond 1% earmarks the stablecoin as high risk, while a variation below 0.1% is classified as low risk. Anything in between these two thresholds is deemed a medium risk.

Asset’s Intrinsic Value

This risk parameter evaluates the asset's value based on its intrinsic use case or collateralization. Intrinsic value refers to the value an asset derives from its inherent properties or utility, such as its role as a native token within a blockchain or a protocol.

On the other hand, an asset can be collateralized, implying that its value is secured or redeemable by another asset, as with synthetic tokens, stablecoins, liquid staked tokens, or others.

A higher degree of intrinsic value or over-collateralization significantly diminishes the risk of the asset losing its value or becoming obsolete. Assets that serve as native tokens within a blockchain boast a high intrinsic value since they are integral to transactions, staking, and governance processes. Consequently, these assets are labeled as low risk.

Similarly, assets that function as native governance tokens within a protocol derive their intrinsic value from their utility in staking, fee coverage, or other functionalities, placing them in the medium risk category.

For assets that are not native tokens but are fully collateralized, the risk of liquidation is mitigated, thus conferring a medium risk status. Conversely, assets that lack full collateralization bear a high-risk grade and are susceptible to potential default risks.

Asset’s Code Quality

This metric critically assesses the asset's code quality, pinpointing potential vulnerabilities that may exist within the contract itself. This assessment spans three essential fields: Asset Owner, Liquidity, and Contract Parameters.

Should the asset demonstrate impeccable code integrity with zero potential risks identified, it earns a low-risk grade. However, if one to two potential concerns arise across these three pivotal fields, the asset is assigned a medium risk status. Conversely, the unearthing of three or more potential issues catapults this parameter into the high-risk category.

Pool Level Risks

These risks arise from the details of the pool: the liquidity in the pool, impermanent loss, and the details of the blockchain that hosts the pool. All these details are used to assess the risk of the pool.

Pool’s Total Value Locked (TVL)

The trust and confidence users place in a pool are directly correlated with the amount of capital they're willing to deposit into it, quantified by the Total Value Locked (TVL).

This metric represents the summation of assets secured in the protocol's smart contracts for a particular pool. A higher TVL suggests a lower risk of the protocol being abandoned or exploited, with protocols boasting a TVL exceeding 10,000,000 USD considered low-risk.

Conversely, a TVL below 1,000,000 USD indicates a high-risk protocol characterized by insufficient aggregated liquidity. Any TVL falling between these thresholds is classified as a medium risk.

*For this type of investment, we include a moderate risk level, which constitutes 80%, to make the risk assessment more accurate.

Impermanent Loss

This risk parameter checks whether the pool is subject to impermanent loss, which is the loss of value that occurs when the price ratio of the assets in the pool diverges from the initial ratio.

If the pool is not exposed to impermanent loss, it has a low risk grade; if it is exposed to impermanent loss, it has a medium risk level.

Blockchain Maturity

This risk type evaluates how battle-tested the blockchain is. The parameter measures how long the blockchain has been live on the mainnet without any major issues or incidents.

An immature blockchain could have unresolved issues or vulnerabilities that could compromise its performance and security in the future. If the blockchain has been live for more than 2 years, it is graded low risk; if it has been live for less than a year, it is graded high risk. Anything in between is graded medium.

Blockchain Reliability

This risk parameter measures the blockchain’s reliability by evaluating how many times the network has halted over the last year. A network halt is an event that causes the blockchain to stop producing new blocks or validating transactions.

If there were no halts in the last year, this parameter is considered low risk; if there were 1 or 2 halts, it has a medium risk grade. If there have been 3 or more, this parameter gets a high-risk grade.


Concluding our in-depth exploration of DeFi and Notum's innovative Risk Assessment Framework, this guide serves as a vital resource for navigating the dynamic and complex world of decentralized finance. Whether assessing the nuances of staking crypto or understanding the essentials of risk management in crypto investments, Notum provides the tools and insights needed for informed decision-making. With a focus on protocol, asset, and pool risks, and an understanding of good risk-reward ratios, our comprehensive guide empowers both new and seasoned investors to optimize their strategies in the ever-evolving crypto landscape.

Is There a Risk to Staking Crypto?

Staking crypto involves several risks, notably including validator risks, where the staked assets might be penalized if the validator fails to perform its duties correctly, and platform risk, which relates to the security and stability of the staking platform itself.

What is Risk Management in Crypto?

Risk management in crypto involves identifying, assessing, and mitigating risks associated with cryptocurrency investments. This includes strategies like diversification, setting stop-loss orders, understanding asset volatility, staying informed about market trends, and employing security measures against theft and fraud.

What is a Good Risk-Reward Ratio in Crypto?

A good risk-reward ratio in crypto depends on an investor's risk tolerance and investment strategy. Generally, a ratio of 1:3 or higher is considered favorable, meaning the potential reward is at least three times the potential risk. However, more conservative investors might prefer a higher ratio, while risk-tolerant traders might accept lower ratios for higher potential returns.

Does Staking Crypto Have Risk?

Yes, staking crypto carries risks, including market risk, liquidity risk, and smart contract risk. Market risk involves the volatility of the staked asset's value, liquidity risk pertains to the ease of converting staked assets back to liquid funds, and smart contract risk refers to potential vulnerabilities in the staking protocol's code.

Does Notum Provide Tailored Risk Assessments for Different Types of DeFi Investors?

Notum's RAF is designed to cater to a diverse investor base, providing detailed risk assessments that can be interpreted and utilized according to individual investment strategies and risk tolerances.

How is Impermanent Loss Risk Assessed in Notum's Framework?

Impermanent loss and other pool-specific risks are assessed through a thorough examination of liquidity dynamics, pool composition, and the underlying blockchain's performance and stability.
