risk analysis
How to Evaluate a DeFi Protocol Before Depositing
A practical due-diligence checklist used by every careful DeFi user. Covers audits, governance, TVL trends, and the questions that actually matter.
2026-05-13
TL;DR
- Audit count and recency matter, but a single recent audit by a top firm beats five old audits by unknowns.
- TVL trend tells you if other people are leaving, and they usually know something.
- Read the governance setup. A protocol controlled by one wallet is one compromised key away from total loss.
Why this matters more than picking the highest APY
The highest-APY pool is almost always either (a) a brand-new protocol with no track record, (b) inflating a worthless governance token, or (c) carrying a risk the market has priced in. Choosing pools by APY alone, without evaluating the protocol underneath, is how DeFi users lose money.
This article walks through the seven questions we’d ask before depositing into any protocol we hadn’t used before. It’s not exhaustive (institutional users have longer checklists), but it covers 80% of the actual risk.
1. How long has the protocol been running?
The single best predictor of whether a protocol will be exploited tomorrow is whether it’s been exploited yet. Smart-contract code that has held real money for two years across multiple market conditions is meaningfully safer than code that launched last month, even with identical audits.
Look at the launch date and the TVL history. A protocol that’s held $500M+ for 18 months has been attacked many times; the surviving code is well-tested. A protocol with 30 days of history at $50M TVL is, statistically, an open question.
Our protocols index sorts by current TVL, but you can also infer age from when the protocol first appeared on DefiLlama: older protocols generally show up earlier in the catalog.
2. Who audited it, and when?
Open the protocol’s documentation and find their audits page. You’re looking for:
- Number of audits: one is below average, three or more is solid, but more isn’t always better.
- Names of the firms: Trail of Bits, OpenZeppelin, ConsenSys Diligence, Spearbit, Sigma Prime, Cantina, Halborn, ChainSecurity are the firms with strong track records.
- Date of the most recent audit: has the code changed substantially since? An old audit on outdated code provides limited assurance.
- Severity of findings: the audit report should be public; skim the executive summary for any “critical” or “high” findings and check whether they were resolved.
A protocol with one recent Trail of Bits audit and no findings above medium severity is in a much stronger position than one with five 2022 audits by firms you’ve never heard of.
3. What’s the TVL trend?
If the protocol has been losing TVL for the last 90 days while the broader market is flat or up, that’s a signal. People who use a protocol every day usually exit a few weeks before retail catches on: a depeg risk, a contract bug discovered in private, a competitor that just launched something better.
Look at the all-time TVL chart on the protocol page. Look for:
- Steady growth or holding steady: neutral or positive signal.
- Sharp drop in the last 30 days: warrants investigation; check the project’s Twitter and Discord for incidents.
- Slow decay over 6+ months: protocol is losing relevance; yields may stay attractive but the project may shut down farming incentives or sunset deprecated pools.
Our protocol pages show the TVL chart and the 7-day / 30-day percent change at the top. Bookmark a few protocols you’re using and check monthly.
4. How is governance structured?
Some protocols are controlled by a single multisig (a wallet requiring N-of-M signatures). Some are controlled by token holders via on-chain governance. Some are immutable: the contracts can never be changed.
Each model has tradeoffs:
- Single multisig (e.g., 3-of-5): fast to fix bugs, but vulnerable to coordinated key compromise or governance attacks. Acceptable for early-stage protocols; a red flag for protocols holding $1B+.
- DAO governance: slower but more robust against single points of failure. Quality of governance varies wildly; some DAOs are dominated by a few large token holders (“whale-controlled”).
- Immutable contracts: strongest security, but bugs cannot be fixed. Suitable for narrow, well-tested primitives like Uniswap V2 pools.
The protocol’s documentation should make this clear. If you can’t find it, that’s its own answer.
5. What’s the actual yield source?
We covered this in our yield-farming primer, but it’s worth repeating here as part of due diligence: open the pool’s APY breakdown and check what you’re actually being paid in.
- 80%+ base APY: yield comes from real economic activity (lending, trading fees). Sustainable.
- 80%+ reward APY: yield is newly minted tokens. Sustainable only as long as token price holds. Watch the unlocks schedule.
- Mixed: depends on the ratio. A 40/60 split is common and not necessarily bad.
If a protocol’s headline APY is 50% and it’s all reward APY, you’re being paid in tokens that are inflating. Your real yield depends entirely on whether the token holds value, which depends on whether new buyers continue to arrive.
6. Is there an oracle dependency?
Many DeFi protocols rely on price oracles to determine collateral values, liquidation thresholds, and reward distributions. If the oracle gets manipulated or returns bad data, the protocol can be drained even if its own code is bug-free.
The questions to ask:
- Does this protocol use Chainlink, Pyth, or its own oracle?
- If it uses its own oracle, is it backed by Uniswap V3 TWAP (reasonable) or by spot prices on a thin DEX (very risky)?
- Has the protocol been hit by an oracle attack before?
For lending protocols specifically, the oracle is often the weakest link. Aave, Compound, and Morpho use Chainlink and have layered safeguards. Smaller forks often have weaker oracle setups.
7. What does the team look like?
This is where it gets fuzzy. Some great protocols are anonymous (early Uniswap was). Some loudly named teams have rugged. Heuristics:
- Public team with verifiable identities: adds accountability but doesn’t guarantee competence or honesty.
- Anonymous team with a multi-year track record: often fine for established protocols (Yearn, Curve).
- Anonymous team launching this month: much higher tail risk; only deposit what you’re prepared to lose.
Cross-reference: have core contributors written audit reports, EIPs, or papers under their real names? Are they on stage at conferences? An anonymous-but-traceable team (the people inside know each other’s identities; only the public face is anon) is very different from a fully anonymous startup.
Putting it together
We use a quick mental scorecard before any new protocol:
| Factor | Strong | Acceptable | Avoid |
|---|---|---|---|
| Age | 2+ years | 6-24 months | <6 months |
| Audits | 3+ recent, top firm | 1-2 recent | None or only old |
| TVL trend | Stable/up | Mild decline | Sharp drop |
| Governance | Mature DAO or immutable | Multisig 5+ signers | Single key |
| Yield source | Mostly base | Mixed | All reward |
| Oracle | Chainlink/Pyth | TWAP-backed | Spot-only |
| Team | Public, verifiable | Anon w/ track record | Brand-new anon |
If a protocol falls in “Avoid” on any single row, we don’t deposit. If it’s “Acceptable” on most and “Strong” on a few, we’ll consider it with a small position size. “Strong” across the board is rare (Aave, Lido, Curve, Compound, Maker, Uniswap, Rocket Pool) and worth paying attention to even when their APYs are unspectacular.
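As an added example that is not part of the article, here is the scorecard above expressed as a small Python grader. The row thresholds are the table's; the numeric cut-offs for a "recent" audit (12 months), a "stable" versus "mild" TVL change (down 5% versus under 30% over 90 days), and the reading of "Acceptable on most" as "no Avoid row and not all Strong" are assumptions made for this example.

```python
# Grade one protocol against the article's scorecard. Input is a dict (constructed for
# this example) with keys: age_months, audits (list of (firm, months_ago, is_top_firm)),
# tvl_change_90d (fraction), governance, multisig_signers, base_apy_share, oracle, team.
STRONG, ACCEPTABLE, AVOID = "strong", "acceptable", "avoid"

def grade_age(months):  # table: 2+ years strong, 6-24 months acceptable, <6 months avoid
    return STRONG if months >= 24 else ACCEPTABLE if months >= 6 else AVOID

def grade_audits(audits):
    recent = [a for a in audits if a[1] <= 12]  # assumption: "recent" = last 12 months
    if len(recent) >= 3 and any(a[2] for a in recent):
        return STRONG
    return ACCEPTABLE if recent else AVOID

def grade_tvl(change):  # assumption: >= -5% is "stable", down less than 30% is "mild"
    return STRONG if change >= -0.05 else ACCEPTABLE if change > -0.30 else AVOID

def grade_governance(kind, signers):  # kinds: dao, immutable, multisig, single_key
    if kind in ("dao", "immutable"):
        return STRONG
    return ACCEPTABLE if kind == "multisig" and signers >= 5 else AVOID

def grade_yield(base_share):  # 80%+ base = "mostly base"; 80%+ reward = "all reward"
    return STRONG if base_share >= 0.8 else AVOID if base_share <= 0.2 else ACCEPTABLE

def grade_oracle(oracle):  # chainlink/pyth strong, twap acceptable, spot or own avoid
    return STRONG if oracle in ("chainlink", "pyth") else ACCEPTABLE if oracle == "twap" else AVOID

def grade_team(team):  # public, anon_track_record, anon_new
    return {"public": STRONG, "anon_track_record": ACCEPTABLE}.get(team, AVOID)

def scorecard(p):
    return {"age": grade_age(p["age_months"]), "audits": grade_audits(p["audits"]),
            "tvl": grade_tvl(p["tvl_change_90d"]),
            "governance": grade_governance(p["governance"], p.get("multisig_signers", 0)),
            "yield": grade_yield(p["base_apy_share"]), "oracle": grade_oracle(p["oracle"]),
            "team": grade_team(p["team"])}

def decision(p):
    grades = list(scorecard(p).values())
    if AVOID in grades:  # the article's rule: any single "Avoid" row means no deposit
        return "do not deposit"
    if grades.count(STRONG) == len(grades):
        return "strong across the board"
    return "consider with a small position"  # assumption: anything else without an Avoid

# Constructed sample: looks fine on most rows, but its yield is entirely reward tokens.
SAMPLE = {"age_months": 14, "audits": [("FirmA", 4, True)], "tvl_change_90d": -0.10,
          "governance": "multisig", "multisig_signers": 5, "base_apy_share": 0.05,
          "oracle": "twap", "team": "anon_track_record"}
```

Running `decision(SAMPLE)` shows how one "Avoid" row (all-reward yield) vetoes an otherwise acceptable protocol.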
Browse our protocol catalog to start working through this checklist on whatever you’re considering.