The 12-Point Protocol Vetting Checklist We Use Before Deploying Any Capital
Not all DeFi protocols are equal. Here's the exact framework we use to evaluate security, liquidity, and track record before recommending any strategy.
Jordan Alexander
Agrippa Capital · Stablecoin Coach
The single most important skill in stablecoin yield is not finding the highest APY. It's avoiding the protocols that blow up.
In DeFi, a 15% yield on a protocol you haven't properly vetted isn't a return — it's a risk premium you're accepting without pricing it. The protocols that offer dramatically above-market yields almost always carry dramatically above-market risk.
Here is the exact framework we use before deploying capital or recommending a strategy to clients. We've refined it over years of managing institutional capital in DeFi markets.
The 12-Point Checklist
1. Age and Track Record
Minimum: 18 months of live deployment without a major exploit.
A protocol that launched last month might have a beautifully written whitepaper and a 40% APY. It also has no track record under stress. Markets have a way of finding edge cases that auditors miss. Time in production — across bull markets, bear markets, and black swan events — is the most honest signal of protocol robustness.
We do not deploy into protocols under 18 months old. The yield premium rarely compensates for the additional risk.
2. Independent Security Audits
Minimum: Two audits from reputable firms, with all critical and high findings resolved.
Reputable audit firms include Trail of Bits, OpenZeppelin, Certora, ChainSecurity, Halborn, and Spearbit. Be sceptical of audits from unknown firms: a badge saying "audited" without a named, credible auditor is close to meaningless. Check that the audited commit matches what is actually deployed, since an audit of last year's code says nothing about this year's upgrade.
Crucially, read the audit report, not just the summary. Look at what was flagged, at what severity, and how it was resolved. An audit that found only informational issues is very different from one that found critical vulnerabilities that were subsequently patched.
3. Total Value Locked (TVL) and Trend
Minimum: $500M TVL. Look for stability or growth over 90 days.
TVL is a rough proxy for market trust. Large, stable TVL means sophisticated capital (including institutional capital) has been comfortable sitting in the protocol over time. It doesn't guarantee safety, but it signals conviction from informed participants.
Rapidly declining TVL is a warning sign worth investigating before you deploy. Sometimes it is capital leaving for better yields elsewhere; sometimes it is well-informed participants pricing in a problem that is not yet public. You cannot tell which from the chart alone, so find out why before committing.
4. Smart Contract Upgradeability
Question: Can the protocol's contracts be upgraded without user consent?
Upgradeable contracts introduce governance risk. If a protocol's admin multisig can unilaterally upgrade the code, every guarantee the audited code gives you is conditional on the people behind the keys. Immutable contracts are preferable from a pure security standpoint. If contracts are upgradeable, check the governance structure: a properly designed timelock (minimum 48 hours, ideally 7 days) gives users time to exit before changes take effect. Verify on-chain that the timelock actually holds the proxy admin role, and look for guardian or emergency roles that can bypass it; a timelock that sits beside the admin rather than in front of it protects nobody.
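The first half of that check can be automated. The script below is an added example for this article, not code from Stablecoin Coach or any protocol: it reads the three EIP-1967 storage slots of a contract to decide whether it is a proxy, extracts the implementation and admin addresses, and maps the timelock delay you find on the admin onto the thresholds above. It assumes the target uses EIP-1967 slots (Transparent and UUPS proxies do; older proxy patterns may not) and reads storage through a `read_slot(address, slot)` callable that in production wraps `eth_getStorageAt`. The addresses and storage contents in the sample are constructed.

```python
"""EIP-1967 proxy inspection and timelock check.

Added example for this article, not code from Stablecoin Coach or any protocol.
Assumptions: the target follows EIP-1967 storage slots (Transparent or UUPS
proxies do; older proxy patterns may not), and storage is read through a
callable read_slot(address, slot) -> 32-byte hex word, which in production
wraps eth_getStorageAt. The sample addresses and storage below are constructed.
"""
import json
import urllib.request
from typing import Callable, Optional

# EIP-1967 slots: keccak256("eip1967.proxy.<name>") - 1, as published in the EIP.
IMPLEMENTATION_SLOT = "0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc"
BEACON_SLOT = "0xa3f0ad74e5423aebfd80d3ef4346578335a9a72aeaee59ff6cb3582b35133d50"
ADMIN_SLOT = "0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103"

MIN_TIMELOCK_SECONDS = 48 * 3600        # article's floor
PREFERRED_TIMELOCK_SECONDS = 7 * 86400  # article's preferred delay

SlotReader = Callable[[str, str], str]


def word_to_address(word: str) -> Optional[str]:
    """An address stored in a bytes32 word occupies the low 20 bytes; zero means unset."""
    value = int(word, 16)
    if value == 0:
        return None
    return "0x" + f"{value:064x}"[-40:]


def inspect_proxy(address: str, read_slot: SlotReader) -> dict:
    """Read the three EIP-1967 slots and report what kind of upgrade path exists."""
    implementation = word_to_address(read_slot(address, IMPLEMENTATION_SLOT))
    beacon = word_to_address(read_slot(address, BEACON_SLOT))
    admin = word_to_address(read_slot(address, ADMIN_SLOT))
    return {
        "is_proxy": implementation is not None or beacon is not None,
        "implementation": implementation,
        "beacon": beacon,  # beacon proxies are upgraded through the beacon contract instead
        "admin": admin,    # None for UUPS proxies, where the implementation holds the auth logic
    }


def rate_upgrade_control(proxy_info: dict, timelock_delay_seconds: Optional[int]) -> str:
    """Map the finding onto the article's thresholds.

    timelock_delay_seconds is the minimum delay of the timelock that controls the
    admin (or the UUPS upgrade role); None means upgrades need no delay at all.
    """
    if not proxy_info["is_proxy"]:
        return "immutable"
    if timelock_delay_seconds is None:
        return "fail"
    if timelock_delay_seconds >= PREFERRED_TIMELOCK_SECONDS:
        return "pass"
    if timelock_delay_seconds >= MIN_TIMELOCK_SECONDS:
        return "weak"
    return "fail"


def rpc_slot_reader(rpc_url: str) -> SlotReader:
    """Build a read_slot over JSON-RPC eth_getStorageAt (network call; not used offline)."""
    def read_slot(address: str, slot: str) -> str:
        payload = json.dumps({"jsonrpc": "2.0", "id": 1, "method": "eth_getStorageAt",
                              "params": [address, slot, "latest"]}).encode()
        request = urllib.request.Request(rpc_url, data=payload,
                                         headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(request, timeout=10) as response:
            return json.load(response)["result"]
    return read_slot


# Constructed sample storage: one transparent proxy, one plain contract (not real addresses).
ZERO_WORD = "0x" + "00" * 32
PROXY_ADDR = "0x" + "aa" * 20
PLAIN_ADDR = "0x" + "bb" * 20
SAMPLE_STORAGE = {
    (PROXY_ADDR, IMPLEMENTATION_SLOT): "0x" + "00" * 12 + "11" * 20,
    (PROXY_ADDR, ADMIN_SLOT): "0x" + "00" * 12 + "22" * 20,
}


def sample_read_slot(address: str, slot: str) -> str:
    return SAMPLE_STORAGE.get((address, slot), ZERO_WORD)


if __name__ == "__main__":
    for addr in (PROXY_ADDR, PLAIN_ADDR):
        info = inspect_proxy(addr, sample_read_slot)
        # A 2-day delay is assumed here as the value read from the admin's timelock.
        print(addr, info, rate_upgrade_control(info, 2 * 86400))
```

Against a live chain, swap `sample_read_slot` for `rpc_slot_reader("https://your-node")` and then look up the admin address the script returns: if it is a timelock contract, read its minimum delay and pass it to `rate_upgrade_control`; if it is a multisig or an externally owned account, pass `None`. A non-proxy result from this script is not proof of immutability, since a contract can still hold `selfdestruct`, `delegatecall` or privileged setters that change behaviour without a proxy; it only rules out the most common upgrade path.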
5. Oracle Design
Question: How does the protocol price assets? Who provides the oracle?
Oracles — the data feeds that tell a protocol the price of an asset — have been the attack vector in dozens of major DeFi exploits. Flash loan attacks frequently manipulate price oracles to drain protocols.
Acceptable oracle designs: Chainlink price feeds, Uniswap TWAP (time-weighted average price). Single-block spot price oracles are a red flag. Two caveats: a Chainlink integration should reject stale rounds and have a plan for a feed that stops updating, and a TWAP is only as strong as the liquidity behind it, since an attacker willing to hold a thin pool at a bad price across several blocks can still drag the average.
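To see why the single-block spot price is the problem, here is an added simulation (example code for this article, not from Uniswap or any lending protocol). It models a fee-free constant-product pool with a Uniswap v2 style cumulative price accumulator, then has an attacker flash-loan nine times the pool's reserves, dump them in, and unwind either in the same block or after holding the bad price for some seconds. Pool size, attack size, timestamps and the 12-second block time are constructed assumptions.

```python
"""Spot oracle versus TWAP under a flash-loan price manipulation.

Added example for this article, not code from any protocol or oracle provider.
It models a fee-free constant-product pool with a Uniswap v2 style cumulative
price accumulator, and an attacker who pushes the price with a flash loan and
unwinds it either in the same block or some seconds later. Pool sizes, times and
the attack size are constructed; the 12 s block time is an assumption.
"""
from fractions import Fraction


class Pool:
    """x*y=k pool for two tokens, tracking a cumulative price like Uniswap v2."""

    def __init__(self, reserve0: Fraction, reserve1: Fraction, t0: int = 0):
        self.r0, self.r1 = reserve0, reserve1
        self.last_t = t0
        self.cumulative = Fraction(0)  # sum of spot(t) * dt since t0

    def spot(self) -> Fraction:
        """Price of token0 in units of token1, read straight from reserves."""
        return self.r1 / self.r0

    def _accumulate(self, t: int) -> None:
        # The accumulator is credited with the price that held since the last
        # update, so trades inside the current timestamp never enter it.
        self.cumulative += self.spot() * (t - self.last_t)
        self.last_t = t

    def swap0_for_1(self, amount0_in: Fraction, t: int) -> Fraction:
        self._accumulate(t)
        k = self.r0 * self.r1
        self.r0 += amount0_in
        out = self.r1 - k / self.r0
        self.r1 -= out
        return out

    def swap1_for_0(self, amount1_in: Fraction, t: int) -> Fraction:
        self._accumulate(t)
        k = self.r0 * self.r1
        self.r1 += amount1_in
        out = self.r0 - k / self.r1
        self.r0 -= out
        return out

    def observe(self, t: int) -> Fraction:
        """Cumulative price as an external observer would read it at time t."""
        return self.cumulative + self.spot() * (t - self.last_t)


def twap(pool: Pool, cumulative_start: Fraction, t_start: int, t_end: int) -> Fraction:
    return (pool.observe(t_end) - cumulative_start) / (t_end - t_start)


def run_attack(hold_seconds: int, window: int = 1800):
    """Return (manipulated spot price, TWAP over `window` ending when the attack unwinds)."""
    pool = Pool(Fraction(1_000_000), Fraction(1_000_000))  # constructed: 1:1 pool
    t_attack = 2800
    t_end = t_attack + hold_seconds
    t_start = t_end - window
    cumulative_start = pool.observe(t_start)

    # Flash-loan 9M token0 and dump it into the pool: reserves become 10M / 100k.
    received1 = pool.swap0_for_1(Fraction(9_000_000), t_attack)
    manipulated_spot = pool.spot()
    # A protocol reading the spot oracle now values token1 at 1/spot, i.e. 100x
    # its real price, and would lend against it at that valuation.

    # Unwind and repay the flash loan after holding for hold_seconds.
    pool.swap1_for_0(received1, t_end)
    return manipulated_spot, twap(pool, cumulative_start, t_start, t_end)


if __name__ == "__main__":
    for hold in (0, 12, 180):
        spot_px, avg_px = run_attack(hold)
        print(f"hold {hold:>3}s: spot during attack = {float(spot_px):.4f}, "
              f"30-min TWAP = {float(avg_px):.4f}")
```

The same-block attack moves the spot price by 99% and the 30-minute TWAP by nothing at all, because the accumulator only ever records prices that survived a block boundary. Holding the manipulated price for one 12-second block moves the TWAP by about 0.66%; dragging it 10% takes fifteen blocks, during which the attacker is holding a 9M position at a price every arbitrageur can see. That is the real cost TWAP imposes, and it is why pool depth matters: the shallower the pool, the less capital it takes to hold the bad price.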
6. Liquidation Mechanism
Question: Does the protocol have a tested, functioning liquidation system?
For lending protocols, liquidations are the mechanism that protects lenders when borrowers become undercollateralised. If liquidations fail — because the liquidation incentive is too low, or because the mechanism is too slow — bad debt accrues and lenders take losses.
Look for protocols with clearly documented liquidation parameters, competitive liquidation incentives (typically 5–15%), and a track record of successful liquidations during volatile market conditions.
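The following is an added worked example for this article (not code from Aave, Compound or any other protocol) showing both halves of that failure mode in numbers: how a liquidation with a close factor and a bonus restores a position that drifts below its threshold, how a sharp gap in price leaves bad debt that no liquidator can clear, and how a bonus that does not cover gas and slippage means nobody shows up at all. The 82.5% liquidation threshold, 50% close factor, 5% bonus, prices and position sizes are constructed; real protocols set these per asset.

```python
"""Liquidation mechanics and bad-debt accrual for an overcollateralised loan.

Added example for this article, not code from Aave, Compound or any other
protocol. The parameters (82.5% liquidation threshold, 50% close factor, 5%
liquidation bonus) and the positions and prices are constructed to illustrate
the mechanism; real protocols set them per asset.
"""
from dataclasses import dataclass


@dataclass
class Position:
    collateral_units: float  # e.g. ETH deposited
    debt: float              # stablecoin borrowed, in USD


LIQ_THRESHOLD = 0.825  # assumed: collateral value counts at 82.5% toward solvency
CLOSE_FACTOR = 0.5     # assumed: at most half the debt can be repaid per liquidation
LIQ_BONUS = 0.05       # assumed: liquidator receives 5% more collateral than repaid


def health_factor(pos: Position, price: float) -> float:
    """Below 1.0 the position may be liquidated."""
    return pos.collateral_units * price * LIQ_THRESHOLD / pos.debt


def liquidate_once(pos: Position, price: float, bonus: float = LIQ_BONUS,
                   close_factor: float = CLOSE_FACTOR):
    """One liquidation call. Returns (new_position, debt_repaid, collateral_seized_units)."""
    if health_factor(pos, price) >= 1.0:
        raise ValueError("position is healthy; liquidation must revert")
    repay = pos.debt * close_factor
    seize_units = repay * (1 + bonus) / price
    if seize_units > pos.collateral_units:
        # Collateral no longer covers the bonus-adjusted repayment: the liquidator
        # takes everything that is left and the remaining debt cannot be repaid.
        seize_units = pos.collateral_units
        repay = seize_units * price / (1 + bonus)
    new_pos = Position(pos.collateral_units - seize_units, pos.debt - repay)
    return new_pos, repay, seize_units


def liquidate_fully(pos: Position, price: float):
    """Keep liquidating at a fixed price until healthy or out of collateral.

    Returns (final_position, total_repaid, bad_debt). Bad debt is whatever debt
    remains once the collateral is exhausted; lenders or the safety module eat it.
    """
    total_repaid = 0.0
    while pos.collateral_units > 0 and health_factor(pos, price) < 1.0:
        pos, repaid, _ = liquidate_once(pos, price)
        total_repaid += repaid
    bad_debt = pos.debt if pos.collateral_units == 0 else 0.0
    return pos, total_repaid, bad_debt


def liquidator_net_profit(repay: float, bonus: float, gas_cost_usd: float,
                          sell_slippage: float) -> float:
    """What a liquidator clears after selling the seized collateral and paying gas.

    If this is negative nobody calls liquidate, which is how 'incentive too low'
    turns into bad debt even when the mechanism works on paper.
    """
    seized_value = repay * (1 + bonus)
    return seized_value * (1 - sell_slippage) - repay - gas_cost_usd


if __name__ == "__main__":
    opened = Position(collateral_units=10.0, debt=15_000.0)  # constructed: 10 ETH at $2,000
    print("health factor at $2,000:", round(health_factor(opened, 2_000.0), 4))

    # Orderly decline: liquidators act as soon as the health factor dips below 1.
    final, repaid, bad = liquidate_fully(opened, 1_800.0)
    print(f"at $1,800: repaid {repaid:,.0f}, bad debt {bad:,.2f}, "
          f"health factor now {health_factor(final, 1_800.0):.3f}")

    # Gap down before anyone liquidates (congestion, oracle lag): collateral < debt.
    final, repaid, bad = liquidate_fully(opened, 1_400.0)
    print(f"at $1,400: repaid {repaid:,.2f}, bad debt {bad:,.2f}")

    for bonus in (0.05, 0.01):
        print(f"liquidator profit at {bonus:.0%} bonus:",
              round(liquidator_net_profit(7_500.0, bonus, 40.0, 0.02), 2))
```

At $1,800 one liquidation repays half the debt, takes 4.375 ETH, and leaves the position healthy again. At $1,400 the 10 ETH are worth $14,000 against $15,000 of debt, so four successive liquidations strip every unit of collateral and still leave about $1,667 unrepaid: that is the bad debt the Safety Module in point 9 exists to absorb. The last two lines show the incentive side: at a 5% bonus a liquidator clears a profit on a $7,500 repayment after 2% slippage and $40 of gas, at 1% they lose money and the position sits unliquidated while the price keeps falling.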
7. Insurance Coverage
Question: Is the protocol covered by DeFi insurance (Nexus Mutual, InsurAce)?
Protocol cover is available from DeFi-native insurance providers for most major protocols. Cover prices are market-determined — expensive cover signals that the market prices the risk as high. We factor cover availability and cost into yield calculations.
For larger positions, we recommend purchasing protocol cover. The cost is typically 2–4% of notional, which meaningfully reduces net yield but also meaningfully reduces tail risk.
8. Governance Structure and Multisig Configuration
Question: Who controls the protocol? How many signers? What's the threshold?
Centralised governance is a risk. A protocol controlled by a 2-of-3 multisig held by three people in the same founding team is not decentralised — it's a single point of failure with extra steps.
Acceptable governance: a 4-of-7 or 5-of-9 multisig with publicly known, reputable signers; or full on-chain governance with meaningful token distribution and a robust timelock.
9. Treasury and Protocol Solvency
Question: Does the protocol have sufficient reserves to cover unexpected losses?
Many protocols maintain a Safety Module or protocol treasury to backstop bad debt. Check the size of these reserves relative to the TVL. A protocol with $1B TVL and a $5M safety fund is operating with very thin margins. Aave's Safety Module, by comparison, is substantial relative to its TVL.
10. Stablecoin Peg Stability (for stablecoin-specific strategies)
Question: Is the stablecoin you're depositing backed by verifiable, liquid reserves?
Apply this specifically to the stablecoin itself, not the protocol:
- USDC: US Treasuries and cash, monthly third-party attestations, issued by Circle
- USDT: Broader reserve mix, quarterly attestations by BDO Italia
- Algorithmic stablecoins: Not suitable for capital preservation strategies
Never deploy capital into an algorithmic stablecoin yield strategy regardless of the offered APY.
11. Chain and Bridge Risk
Question: Are you deploying on a layer 2 or a bridged network? What's the bridge security model?
Cross-chain bridges have been responsible for some of the largest DeFi exploits in history (Ronin, Nomad, Wormhole). If your strategy requires bridging assets from Ethereum mainnet to another chain, you're taking on bridge risk in addition to protocol risk.
Acceptable: native assets on their native chain (USDC on Ethereum mainnet), or established bridging with a long track record (native USDC on Base via Circle's Cross-Chain Transfer Protocol, CCTP, which burns on one chain and mints on the other rather than locking assets in a bridge contract).
High risk: third-party bridges with limited track record or centralised custody.
12. Yield Source Sustainability
Question: Where does the yield actually come from? Is it sustainable?
This is the most underappreciated question in DeFi yield.
- Real yield: Interest paid by borrowers, liquidity fees from traders. Sustainable — reflects genuine economic demand.
- Token emissions: Protocol distributes its own governance token as an incentive. Not sustainable — the yield depends on the token's value, which typically declines as more tokens are distributed.
High APYs driven primarily by token emissions should be treated with significant scepticism. The yield model should make sense without the emissions component.
How to Apply the Checklist
This framework is designed to eliminate the bottom 80% of protocols by risk. It won't find you the absolute highest yield; it will find you a strong yield you can hold without losing sleep.
After running any protocol through this checklist, we assign a traffic light:
- Green: All 12 pass. Deploy up to 25% of allocated capital.
- Amber: 10–11 pass with minor concerns. Deploy up to 10% with tighter monitoring.
- Red: Fewer than 10, or any critical failure (no reputable audit, pure algorithmic stablecoin, centralised control). Do not deploy.
The protocols we include in our live yield curriculum — Aave, Compound, Curve, Convex, and a select few others — have all passed this framework. That's why they're there.
Jordan Alexander is co-founder of Stablecoin Coach and founder of Agrippa Capital, a systematic macro and alternative investment hedge fund operating since 2016.
Nothing in this article constitutes financial advice. DeFi involves risk. Always seek independent legal and tax advice for your jurisdiction.
Want to go deeper?
Our courses and coaching walk you through every strategy step by step — with the security frameworks and risk models that institutional capital uses.