A DeFi due diligence framework is a structured process for assessing a protocol's viability and risk profile. Unlike traditional finance, DeFi due diligence must account for smart contract risk, governance centralization, and economic sustainability. The goal is to move beyond hype and marketing to analyze the fundamental pillars that determine a protocol's long-term success and safety. This process is essential for developers integrating protocols, liquidity providers, and institutional allocators.
LABS
Guides
How to Establish a DeFi Protocol Due Diligence Framework
This guide provides a structured, developer-focused methodology for evaluating DeFi protocols. It covers technical audits, economic analysis, and operational review to create a repeatable scoring system.
Chainscore © 2026
introduction
SECURITY PRIMER
How to Establish a DeFi Protocol Due Diligence Framework
A systematic framework for evaluating the security, sustainability, and risks of decentralized finance protocols before committing capital.
The first pillar is technical security. This involves auditing the protocol's core smart contracts. Look for audits from reputable firms like Trail of Bits, OpenZeppelin, or Quantstamp. However, an audit is not a guarantee; review the audit report's scope, findings, and whether critical issues were addressed. Check if the code is open-source and verifiable on-chain. Use tools like Etherscan's contract verification to confirm the deployed code matches the public repository. Monitor for bug bounty programs on platforms like Immunefi, which indicate a proactive security posture.
The second pillar is economic and token design. Analyze the protocol's tokenomics: its emission schedule, inflation rate, and value accrual mechanisms. Ask: Does the token have utility beyond governance? How does the protocol generate revenue, and is it sustainable? For lending protocols like Aave, assess reserve factors and interest rate models. For DEXs like Uniswap or Curve, examine fee structures and liquidity incentives. A common red flag is a token emission schedule that heavily rewards early insiders or creates excessive sell pressure on the market.
The third pillar is team and governance. Research the founding team's background and anonymity. While anonymous teams have built successful projects (e.g., SushiSwap), it increases counterparty risk. Evaluate the decentralization of governance: who controls the multi-sig wallets, what are the proposal and voting thresholds, and is there a clear treasury management plan? Review past governance proposals to see how active and effective the community is. Centralized upgradeability, often via a proxy admin key, is a critical central point of failure.
Finally, integrate these checks into a repeatable workflow. Start with on-chain analytics using Dune Analytics or DeFiLlama to review Total Value Locked (TVL) trends, unique user growth, and revenue. Then, perform contract review using a block explorer. Create a checklist covering security audits, admin key risks, token lockups, and dependency risks (e.g., reliance on a specific oracle like Chainlink). Documenting this process ensures consistent evaluation and helps identify red flags before they lead to loss, as seen in historical exploits of protocols like Wonderland or Fei Protocol.
prerequisites
PREREQUISITES AND TOOLS
How to Establish a DeFi Protocol Due Diligence Framework
A systematic framework is essential for evaluating the security, sustainability, and risks of any DeFi protocol before committing capital or integration efforts.
Effective due diligence begins with a structured checklist. Your framework should systematically assess a protocol across several core pillars: team and governance, code and security, economic design, and market and liquidity. For each pillar, define specific, verifiable criteria. For team assessment, this means reviewing on-chain governance proposals, verifying founder identities via platforms like LinkedIn, and checking for past project history. For code, it involves examining audit reports, commit history on GitHub, and the deployment addresses of key contracts. Tools like Nansen for wallet analysis, DeFiLlama for TVL and revenue metrics, and Tenderly for simulating contract interactions are foundational for this process.
Technical security analysis is non-negotiable. Start by verifying all smart contract addresses from the protocol's official documentation or repositories like GitHub. Use a block explorer like Etherscan to confirm the contract is verified and examine recent transactions for anomalies. Cross-reference all audit reports from firms like Trail of Bits, OpenZeppelin, or CertiK, but don't treat them as a guarantee; review the audit scope, date, and whether findings were addressed. For a deeper dive, use static analysis tools like Slither or MythX on the public code. Monitor for bug bounties on platforms like Immunefi, as an active bounty program signals a commitment to ongoing security.
The final pillar evaluates the protocol's economic sustainability and tokenomics. Analyze the fee structure, revenue distribution, and incentive alignment between stakeholders. Use Token Terminal or DeFiLlama to examine real revenue, protocol-owned value (POV), and treasury health. Scrutinize the token emission schedule, vesting periods for team and investors, and the inflation rate. A critical check is assessing the dependency on liquidity mining incentives; if a protocol's TVL collapses when emissions stop, its economic model is likely fragile. This framework transforms subjective judgment into a repeatable, evidence-based process for mitigating risk in the volatile DeFi landscape.
key-concepts
FRAMEWORK
Core Components of Due Diligence
A systematic approach to evaluating DeFi protocols. This framework breaks down the process into actionable components, from smart contract security to economic sustainability.
technical-assessment
DUE DILIGENCE FRAMEWORK
Step 1: Technical Security Assessment
A structured methodology for evaluating the core technical security of a DeFi protocol before deployment or investment.
A technical security assessment is the foundational step in DeFi due diligence, moving beyond marketing claims to analyze the protocol's actual code and architecture. This process involves systematically examining the smart contracts, oracles, and governance mechanisms that govern user funds. The goal is to identify vulnerabilities, understand risk vectors, and assess the team's security maturity. Unlike a simple audit report review, this framework provides a repeatable process for evaluating any protocol, from a new AMM to a complex lending platform.
Begin by mapping the protocol's technical stack and dependencies. Identify all core smart contracts (e.g., pools, vaults, controllers) and their interactions. Crucially, document external dependencies like price oracles (Chainlink, Pyth), cross-chain bridges (LayerZero, Wormhole), and any admin or upgradeability contracts. Use tools like Etherscan's Contract Reader or Tenderly to visualize contract relationships. This map reveals the attack surface and helps you prioritize which components require the deepest scrutiny, as a failure in a single dependency can cascade through the entire system.
Next, conduct a smart contract code review. Start by verifying that the deployed contract bytecode matches the publicly available source code on GitHub or a platform like Sourcify. Examine the audit history: who performed the audits (e.g., Trail of Bits, OpenZeppelin), when they were conducted, and the severity of findings. Critically, review the protocol's public issue tracker to see how audit findings were addressed. Look for patterns of centralization risks, such as excessive admin privileges, timelock implementations, and multi-sig configurations. A lack of time-locked, multi-signature controls for privileged functions is a major red flag.
Finally, analyze the protocol's economic and incentive security. This involves stress-testing the protocol's logic under edge cases. For lending protocols, examine liquidation mechanisms and collateral factors. For AMMs, review concentrated liquidity math and impermanent loss calculations. Use simulation tools like Gauntlet or Chaos Labs reports to understand how the system behaves during market volatility or a flash crash. Assess the treasury management and emergency shutdown procedures. A robust protocol will have clear, tested processes for pausing operations, handling insolvencies, and executing a graceful shutdown if necessary, all encoded in its smart contracts.
economic-analysis
DUE DILIGENCE FRAMEWORK
Step 2: Economic and Tokenomics Analysis
This step focuses on analyzing the financial incentives and long-term viability of a DeFi protocol by examining its token design, revenue flows, and governance mechanisms.
A protocol's tokenomics defines its economic engine. Your analysis must start by mapping the token's utility. Is it a governance token (like UNI or COMP), a fee-sharing token (like SUSHI), a staking asset for security (like SOL validators), or a combination? Scrutinize the token distribution: what percentage is allocated to the team, investors, community treasury, and ecosystem incentives? A high concentration in early backers (e.g., >40% to insiders) can signal future sell pressure and centralization risk. Use on-chain explorers and the project's documentation to verify these allocations.
Next, analyze the value accrual mechanism. How does the protocol generate revenue (e.g., swap fees, lending spreads, liquidation penalties) and how is that value directed to token holders? Models include direct fee distribution, token buybacks and burns, or staking rewards sourced from treasury yields. For example, GMX distributes 30% of platform fees to stakers of its GMX token. Assess if the model is sustainable; rewards funded solely by token inflation are a red flag. Calculate key metrics like the Protocol Owned Liquidity (POL) ratio and the runway of the community treasury.
Examine the incentive alignment and potential for death spirals. Many protocols use token emissions to bootstrap liquidity. Analyze if these incentives are temporary or perpetual. A common failure mode is a farm-and-dump cycle, where users extract liquidity provider (LP) rewards and immediately sell the token, depressing its price. Review the unlock schedules for team and investor tokens using tools like Token Unlocks or CryptoRank. A large, cliff-based unlock event can drastically alter token supply and price dynamics.
Finally, evaluate the governance structure and treasury management. Who controls the treasury's multisig? What is the process for spending funds? Active, on-chain governance with high participation (like Compound) is more resilient than a team-controlled multisig. Review past governance proposals to see how funds are allocated—are they for long-term development or short-term liquidity bribes? A robust due diligence framework treats tokenomics not as a speculative narrative, but as a verifiable system of incentives that must remain balanced for long-term survival.
operational-review
OPERATIONAL AND GOVERNANCE REVIEW
How to Establish a DeFi Protocol Due Diligence Framework
A systematic framework for evaluating the operational maturity and governance structure of DeFi protocols, moving beyond smart contract audits.
A robust due diligence framework extends far beyond code audits to assess a protocol's operational resilience and governance health. This involves evaluating the core team's experience, the transparency of their communications, and the maturity of their operational processes. Key areas include incident response plans, upgrade procedures, and the security of off-chain infrastructure like oracles and front-ends. For example, protocols like Aave and Compound publish detailed documentation on their governance forums and maintain public incident post-mortems, setting a standard for operational transparency.
Governance analysis is critical for assessing long-term protocol alignment and decentralization. Examine the governance token distribution—is it overly concentrated? Review the on-chain governance mechanism itself: is it a simple token vote, a more complex system like Optimism's Citizens' House, or a multisig-controlled upgrade? Analyze historical governance proposals to see if they are substantive or merely ceremonial. A healthy governance system should have active, informed participation, clear delegation options, and safeguards against voter apathy or manipulation.
Financial and incentive sustainability forms another pillar. Scrutinize the protocol's treasury management: its size, diversification, and runway. Understand the emission schedules and inflationary pressures of the native token. Evaluate whether the protocol's fee structure and revenue generation are sustainable long-term or reliant on unsustainable token incentives. Protocols should have a clear economic model that explains how value accrues to stakeholders and how the system remains solvent during periods of low activity or market stress.
Finally, establish a continuous monitoring process. Due diligence is not a one-time event. Set up alerts for on-chain governance proposals, major protocol upgrades, and security incidents. Monitor social channels and developer activity on GitHub for signs of stagnation or community discontent. Tools like DeepDAO for governance analytics and DefiLlama for treasury and TVL tracking are invaluable for maintaining an ongoing assessment. This proactive stance allows you to identify emerging risks before they materialize into losses.
RISK ASSESSMENT FRAMEWORK
Protocol Risk Scoring Matrix
A quantitative framework for scoring key risk vectors in DeFi protocols. Scores are weighted and aggregated to produce a final risk rating.
| Risk Vector | Low Risk (1) | Medium Risk (3) | High Risk (5) |
|---|---|---|---|
Smart Contract Audit Status | Multiple audits by top-tier firms (e.g., Trail of Bits, OpenZeppelin), no critical issues open | Single audit, minor or medium issues unresolved | No audit, unaudited fork, or critical vulnerabilities present |
Centralization Risk (Admin Keys) | Fully immutable or timelock > 30 days, multi-sig with 5+ of 7 signers | Timelock 7-30 days, multi-sig with 3 of 5 signers | EOA admin control, no timelock, or single-point failure |
Economic Security (TVL / Attack Cost) | TVL > $1B or attack cost > $100M | TVL $100M - $1B or attack cost $10M - $100M | TVL < $100M or attack cost < $10M |
Team Doxxing & Reputation | Public, known team with verifiable track record (e.g., previous protocol success) | Partially doxxed (e.g., LinkedIn profiles), some public history | Fully anonymous, no verifiable prior work |
Code Change Frequency & Review | All changes via on-chain governance, extensive public peer review | Regular updates via multi-sig, some public discussion | Frequent, arbitrary upgrades by a single entity |
Dependency Risk (Oracle / Bridge) | Uses Chainlink or other decentralized oracle with fallback; native bridge | Uses a single decentralized oracle; reputable third-party bridge | Relies on centralized oracle or unaudited/insecure bridge |
Liquidity Depth & Concentration | Deep liquidity across many pools; top 10 LPs hold < 20% of supply | Moderate liquidity; top 10 LPs hold 20-40% of supply | Shallow liquidity; top 10 LPs hold > 40% of supply |
PRACTICAL APPLICATIONS
Framework Implementation Examples
Manual Assessment Workflow
Start with a structured checklist to ensure consistency across protocol reviews. For example, when evaluating a new lending protocol like Aave V3, your due diligence should systematically cover:
- Smart Contract Risk: Verify the audit history. Check if the code has been reviewed by firms like OpenZeppelin or Trail of Bits, and if findings are publicly disclosed and addressed.
- Economic Security: Analyze the protocol's Total Value Locked (TVL) growth, concentration of collateral assets, and the health of its liquidity pools on Ethereum mainnet and supported Layer 2s.
- Governance & Team: Review the on-chain governance process, token distribution, and the public activity and background of core contributors.
- Key Metrics: Track historical data for metrics like utilization rates, bad debt, and liquidation efficiency using platforms like DeFi Llama and Dune Analytics.
This manual process creates a repeatable framework for scoring and comparing protocols.
resource-links
DEFI RISK ANALYSIS
Essential Due Diligence Resources
A practical set of resources and evaluation areas for building a repeatable DeFi protocol due diligence framework. Each card maps to a concrete step developers and analysts can apply when assessing protocol risk, design quality, and operational maturity.
FOR DEVELOPERS AND RESEARCHERS
DeFi Due Diligence Frequently Asked Questions
Common questions on evaluating smart contract security, economic models, and operational risks in decentralized finance protocols.
The core smart contract logic handling user funds is the most critical audit target. This includes functions for deposits, withdrawals, swaps, and loan liquidations. A bug here can lead to direct, irreversible loss. For example, the 2022 Nomad Bridge hack exploited a single initialization error, resulting in a $190M loss. Always prioritize auditing:
- Asset custody and transfer functions
- Oracle price feed integrations (e.g., Chainlink)
- Access control and admin key management
- Upgrade mechanisms for proxy contracts Secondary concerns include the front-end UI and peripheral contracts, though they can still pose significant risks.
conclusion
IMPLEMENTATION
Conclusion and Next Steps
A robust due diligence framework is not a one-time checklist but a continuous, structured process. This guide has outlined the core pillars—team, technology, tokenomics, and financials—to systematically evaluate DeFi protocols.
To operationalize this framework, begin by creating a standardized due diligence template. This should be a living document, such as a Notion page or spreadsheet, with dedicated sections for each assessment pillar. For each new protocol you analyze, populate this template with your findings. This creates a searchable, comparable knowledge base over time, allowing you to track protocol evolution and spot industry-wide trends. Tools like DeFi Llama for TVL and chain data, Dune Analytics for custom dashboards, and Tenderly for simulating contract interactions are essential for populating the technical and financial sections with hard data.
Your next step is to establish a review cadence. Initial due diligence is intensive, but protocols evolve. Schedule quarterly or event-driven reviews (e.g., post-major upgrade or governance vote). Re-audit the smart contract addresses if new ones have been deployed, and reassess treasury management and incentive alignment. This proactive monitoring helps you identify protocol risk drift early, such as a declining proportion of protocol-owned liquidity or changes in the core team's multi-sig signers.
Finally, integrate your findings into a clear risk-rating system. Assign qualitative scores (e.g., Low, Medium, High) or a simple numerical grade to each pillar. This forces objective comparison and helps in portfolio construction and allocation decisions. Remember, the goal isn't to find "risk-free" protocols—they don't exist—but to understand and appropriately price the risks you are taking. Your framework should help you answer: Is the potential return commensurate with the identified technical, economic, and governance risks?
For deeper exploration, consider these advanced resources: study real-world post-mortems from Rekt.news, analyze governance proposals on Snapshot or the protocol's forum to understand community dynamics, and set up on-chain alerts for the protocol's key contracts using a service like Forta. The most effective due diligence combines your structured framework with continuous learning from both the successes and failures of the broader DeFi ecosystem.