Notice: Educational content for informational purposes. It does not constitute financial advice or a recommendation to deposit into any specific vault. The five-class risk taxonomy described here is a proprietary analytical framework of CleanSky, not an industry standard or an official classification from any protocol. Data verified as of June 2026. CleanSky does not receive commissions or referral payments from any of the mentioned protocols.
A DeFi vault doesn't have one risk: it has at least five, and each lives in a different layer of the system. When you deposit USDC into an ERC-4626 vault (the technical standard that turns a deposit into a fungible share, like a share in a fund), your money passes through a stack: the vault's own contract, the curator who decides the strategy, the oracle that prices the collateral, the liquidity of the underlying asset, and the concentration of the entire ecosystem in a few hands. Most guides — and most answers provided by an AI model — collapse all of that into a single phrase: "vaults have smart contract risk." It is true and it is useless, because it doesn't tell you where to look. This article breaks down the problem into five structurally different risk classes, assigns a specific analysis vector to each, compares where risk resides in three real architectures (Morpho Blue, Yearn v3, Aave), and closes with a ten-question checklist you can answer before depositing a single dollar.
What is an ERC-4626 vault and why did it become the standard?
A vault is a contract that receives an asset — say USDC — and puts it to work in a strategy: lending it, supplying it to a lending market, or rotating it between protocols. In exchange, you receive shares, fungible units representing your fraction of the pool: when the strategy yields a return, the value of each share rises; upon exit, you redeem your shares for the asset plus earnings. It follows the mechanics of a fund share: you don't own the assets directly, but a proportional part of a common pool.
ERC-4626 is the Ethereum standard, approved in 2022, which normalizes these mechanics with a common interface — deposit, mint, withdraw, redeem, totalAssets — so that any application can talk to any vault without custom code. According to Chainlink documentation on the standard, this allowed vaults to be composed like Lego pieces: a vault's share can be the collateral or the underlying asset of another.
This composability is the reason for its dominance and, simultaneously, for much of its risk. A deposit that seems simple may be stacked on top of three or four chained contracts. The surface is not a single contract; it is a stack. What follows is a map of that stack.
What is the difference between a base protocol and a curator in a modern vault?
The structural transformation of DeFi between 2022 and 2025 separated two roles that were previously fused within the same team. An academic paper from December 2025 on the institutionalization of risk curation in decentralized credit (arXiv 2512.11976) describes this two-layer architecture: on one side, the base protocol, which provides the immutable infrastructure — the logic for lending, liquidation, and accounting; on the other, the curator, an external manager who decides the risk parameters on top of that infrastructure.
The canonical example is Morpho Blue. The base protocol is minimalist and non-upgradable: it defines what a market is (a collateral-loan pair with its oracle and liquidation ratio) and little else. On top, curators — firms like Gauntlet or Steakhouse, or anyone with the expertise — build vaults that distribute capital across various markets and choose the parameters: which collateral to accept, at what LTV (loan-to-value, the maximum percentage you can borrow against your guarantee), which oracle to use, and what exposure caps to set. The curator does not custody your money, but they decide where it goes and under what rules.
This separation is the key to understanding risk: the base protocol can be flawless and still lose money due to a curator's decision, and vice versa. Treating the vault as a single black box erases exactly the distinction that matters most. To dive deeper into how to evaluate the robustness of a base protocol, there is a separate guide on how to analyze a DeFi protocol; here we focus on the full stack.
What are the five risk classes of a DeFi vault?
This is the central contribution of the article, and it is worth repeating the warning: the following five-class classification is a CleanSky analytical framework, not an industry-recognized standard. Its utility is practical: each class resides in a different layer, manifests differently, and requires a different analysis vector. Confusing them leads to auditing one layer while assuming a vault is safe when it fails at another.
Class 1 — Base Contract Risk
Where it resides: in the code of the vault and the underlying protocol. How it manifests: exploitable bug, compromised upgrade function, broken accounting logic. What to look for: audits (how many, by whom, on which version), whether the contract is immutable or upgradable, and who controls the upgrade keys.
Within this class is a subclass that almost no one models well: accounting or rounding risk. ERC-4626 calculates shares using integer division, and integer division always rounds down. The textbook case is the donation attack (or first-depositor inflation attack): the attacker is the first to deposit in a newly created vault, receives 1 share for 1 wei, and then directly transfers a massive amount of the asset to the contract, bypassing the deposit function so no new shares are minted. Now totalAssets reads, say, 10,000 USDC against only 1 share in circulation. The next victim deposits 5,000 USDC expecting half the pool; the formula shares = deposit × totalShares ÷ totalAssets gives them 5000 × 1 ÷ 10000 = 0 shares due to rounding down. Their 5,000 USDC effectively inflates the value of the attacker's single share. The standard defense, described by OpenZeppelin, is the virtual shares offset (virtual shares and assets that ensure rounding never favors the attacker) or the dead shares pattern (burning the first shares upon deployment). A vault that incorporates neither carries this subclass of risk latently.
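The rounding arithmetic above, replayed with and without a virtual offset, as an added example that is not code from any protocol mentioned here. The hardened formula follows OpenZeppelin's documented shape (virtual shares 10^offset, one virtual asset); the offset of 6 and the class and function names are assumptions.

```python
# Added example: integer model of ERC-4626 share accounting.
# Amounts are USDC base units (6 decimals); scenario numbers follow the text.
from dataclasses import dataclass

USDC = 10**6


@dataclass
class Vault:
    virtual_shares: int = 0   # 0 = naive vault; 10**offset = hardened vault
    virtual_assets: int = 0   # 0 = naive vault; 1 = hardened vault
    total_assets: int = 0
    total_supply: int = 0

    def to_shares(self, assets: int) -> int:
        supply = self.total_supply + self.virtual_shares
        pool = self.total_assets + self.virtual_assets
        if pool == 0:                      # naive vault, first deposit: 1 share per unit
            return assets
        return assets * supply // pool     # integer division rounds down

    def to_assets(self, shares: int) -> int:
        supply = self.total_supply + self.virtual_shares
        pool = self.total_assets + self.virtual_assets
        return shares * pool // supply

    def deposit(self, assets: int) -> int:
        shares = self.to_shares(assets)
        self.total_assets += assets
        self.total_supply += shares
        return shares

    def donate(self, assets: int) -> None:
        self.total_assets += assets        # direct transfer: no shares minted

    def redeem(self, shares: int) -> int:
        assets = self.to_assets(shares)
        self.total_assets -= assets
        self.total_supply -= shares
        return assets


def run_scenario(vault: Vault) -> tuple[int, int]:
    """Return (victim_shares, first_depositor_pnl) for the sequence in the text."""
    first_shares = vault.deposit(1)             # 1 wei deposit
    vault.donate(10_000 * USDC - 1)             # totalAssets now reads 10,000 USDC
    victim_shares = vault.deposit(5_000 * USDC)
    paid_out = vault.redeem(first_shares)
    return victim_shares, paid_out - 10_000 * USDC


if __name__ == "__main__":
    print("naive   :", run_scenario(Vault()))
    print("hardened:", run_scenario(Vault(virtual_shares=10**6, virtual_assets=1)))
```

In the hardened run the depositor receives shares and the first depositor ends with a loss, which is what removes the incentive.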
Class 2 — Curator Risk
Where it resides: in the manager's decisions, not the code. How it manifests: overly aggressive LTV, acceptance of illiquid or correlated collateral, overexposure to a single market, parameter changes without notice. What to look for: curator's track record, transparency of their decisions, existence of a timelock (mandatory delay) before parameter changes take effect, and whether capital allocation is concentrated in few markets.
This is the newest and least understood risk because it is human and discretionary, not deterministic. The code does what it says; the curator does what they decide. A thoroughly audited base protocol can lose money because its curator accepted a token that lost its peg as collateral or chose a cheap oracle. The question isn't "is the contract safe?" but "do I trust the judgment of the person setting the rules?"
Class 3 — Oracle Feed Risk
Where it resides: in the price source the vault uses to value collateral and trigger liquidations. How it manifests: manipulated price, stale feed (not updated frequently enough), or an oracle reporting the price of a derivative asset instead of the actual underlying. What to look for: who feeds the data, at what frequency and latency, whether it uses an average to resist spot manipulation, and what happens if the oracle stops responding.
The oracle is the point where the blockchain touches the outside world, making it one of the most exploited attack vectors in DeFi. A vault can have perfect code and a prudent curator, yet still liquidate solvent users — or fail to liquidate insolvent ones — because the price it reads is wrong. In architectures where the curator chooses the oracle per market, this class partially overlaps with Class 2: a poor oracle choice is, simultaneously, a curator failure.
Class 4 — Exit Liquidity Risk
Where it resides: between your intent to exit and the actual availability of the asset. How it manifests: withdrawal queues, cooldown periods, or a share trading below its theoretical value (vault token depeg) when everyone wants to exit at once. What to look for: whether withdrawals are instant or queued, how long the cooldown lasts, and what fraction of the vault's capital is actually liquid versus committed in positions that cannot be instantly unwound.
This risk is invisible during calm periods and brutal during a panic. While no one is withdrawing, a vault can promise immediate exit; in a bank run, if the underlying assets are lent out or trapped in illiquid positions, the exit becomes a queue and the share may trade at a discount on the secondary market. The yield offered by the vault rarely compensates for the difference between being able to exit today versus in two weeks.
Class 5 — Systemic Concentration Risk
Where it resides: outside the vault, in the structure of the ecosystem. How it manifests: a few curators manage the majority of the capital, such that the failure or poor decision of one propagates through shared markets and common collateral. What to look for: what share of total capital your vault's curator controls, and how many different vaults depend on the same oracle, the same collateral, or the same counterparty.
The natural metric to quantify this is the HHI index (Herfindahl-Hirschman, the sum of the squares of each actor's market share), the same one used by regulators to measure banking concentration. Applying it to curator concentration is a CleanSky proprietary analytical extension, not an industry standard. A low HHI indicates an ecosystem spread across many curators; a high HHI means a few hubs concentrate the capital and a single error has a systemic contagion radius. This class is not mitigated by choosing your vault well, because the risk isn't inside it: it's that your vault shares plumbing with many others.
Where does risk reside according to vault architecture?
The five classes do not carry the same weight in all architectures. The difference between a Morpho Blue vault, a Yearn v3 vault, and an Aave aToken isn't just branding: it's where each risk is housed. The following table maps this out. It is a qualitative design comparison, not a security ranking — no model is "safer" in the abstract; they represent different risk profiles.
| Risk Layer | Morpho Blue vault | Yearn v3 vault | Aave aToken |
|---|---|---|---|
| Base Contract | Minimalist and immutable core; small surface area | ERC-4626 vault + pluggable strategies; larger surface area | Audited monolithic protocol; governance can update |
| Curator | External and explicit; chooses markets and parameters | Yearn team and strategy developers | DAO governance sets global parameters |
| Oracle | Chosen per market; curator's responsibility | Inherited from underlying protocols | Central protocol oracle, common to all markets |
| Exit Liquidity | Depends on utilization of underlying markets | Depends on strategy; may have a queue | Instant if there is unlent liquidity in the pool |
| Concentration | Hub risk: few curators, shared markets | Less hub-centric; strategies more isolated from each other | Concentrated by design within the protocol itself |
The takeaway is direct. Morpho Blue pushes contract risk downward (minimal and immutable core) but concentrates it in the curator and the oracle: you trust the code less and the manager's judgment more. Yearn v3 spreads risk between the vault and its strategies, expanding the contract surface but diluting the curator factor. Aave concentrates almost everything into a single monolithic protocol governed by its DAO: fewer external moving parts, but the entire protocol is the counterparty. For a detailed contrast between these lending models, there is a specific analysis of Aave vs Compound vs Morpho, and an introduction to the most used base protocol in what is Aave.
How to read curator vault risk parameters before depositing?
In a curator-managed vault, the published parameters are the risk profile. Reading them doesn't require knowing Solidity; it requires knowing what each number signifies. These are the five that provide the most information per unit of effort:
- LTV / LLTV of each market: the liquidation ratio. A high LTV means more capital efficiency and less margin before a price drop liquidates positions. An aggressive LTV on volatile collateral is a curator red flag.
- Capital Allocation: what percentage of the vault is in each market. Having 80% in a single market turns that market's risk into the risk of the entire vault.
- Oracle per market: who provides the price and how often. A high-quality oracle on one collateral, a dubious one on the next: the vault is only as strong as its weakest feed.
- Change Timelock: how many hours the curator must wait between announcing a parameter change and applying it. Without a timelock, your risk profile can change while you sleep; with a timelock, you have a window to exit.
- Exposure Caps: the maximum capital limit per market or per collateral. Their absence allows the curator to concentrate without restraint.
Together, these five numbers tell almost the entire story of Classes 2 and 3. If the vault does not publish them legibly, that opacity is itself a data point about the curator.
What is systemic curator concentration risk and how is it measured?
The first four classes are evaluated vault by vault. The fifth is not, which is why it is the easiest to ignore. Concentration risk doesn't ask "is my vault good?" but "what happens when the neighbor fails?"
A useful mental image is cloud infrastructure. Thousands of independent applications seem to have nothing to do with each other, until a single region outage from one provider brings them all down at once because they share the same substrate underneath. In vaults, the shared substrate consists of dominant curators, common oracles, and repeated collateral. If three curators manage the majority of the capital and all accept the same trending token as collateral, that token's depeg doesn't affect one vault: it affects the ecosystem.
The arXiv paper on risk curation documents this two-layer architecture and the need to govern it. Applying this logic to concentration, the answer mirrors regulators' approach to banking: measure it (with the HHI), require circuit breakers (automatic halts that pause a market during anomalous movements), and penalize opacity. For the individual depositor, the practical conclusion is uncomfortable but clear: diversifying across vaults does not eliminate this class if all those vaults depend on the same hub. True diversification is across different curators, oracles, and collateral, not different vault names.
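A look-through version of the HHI described above, as an added example rather than CleanSky's or any protocol's tooling: it scores the same deposits by vault name, then by curator, oracle, and collateral. The positions and all names are constructed, and each vault is simplified to a single curator, oracle, and collateral.

```python
# Added example: look-through concentration of a depositor's vault positions.
from collections import defaultdict

# Constructed positions: (vault, curator, oracle, collateral, usd). Names are hypothetical.
POSITIONS = [
    ("Vault Alpha", "Curator A", "Feed X", "Token T", 25_000),
    ("Vault Beta",  "Curator A", "Feed X", "Token T", 25_000),
    ("Vault Gamma", "Curator A", "Feed X", "Token T", 25_000),
    ("Vault Delta", "Curator B", "Feed X", "Token U", 25_000),
]
FIELDS = ("vault", "curator", "oracle", "collateral")


def exposure_by(positions, field):
    """Sum deposited USD per distinct value of one dimension."""
    idx = FIELDS.index(field)
    buckets = defaultdict(int)
    for row in positions:
        buckets[row[idx]] += row[-1]
    return dict(buckets)


def hhi(amounts):
    """Sum of squared shares, on a 0..1 scale (1.0 = everything in one actor)."""
    amounts = list(amounts)
    total = sum(amounts)
    if total <= 0:
        raise ValueError("no exposure to measure")
    return sum(a * a for a in amounts) / (total * total)


def look_through(positions):
    """HHI of the same capital, viewed through each dependency dimension."""
    return {f: hhi(exposure_by(positions, f).values()) for f in FIELDS}


def largest_hub(positions, field):
    """The single dependency carrying the most capital, and its share."""
    buckets = exposure_by(positions, field)
    name = max(buckets, key=buckets.get)
    return name, buckets[name] / sum(buckets.values())


if __name__ == "__main__":
    for field, score in look_through(POSITIONS).items():
        print(f"{field:<10} HHI={score:.3f}  largest={largest_hub(POSITIONS, field)}")
```

Four equally sized vaults score 0.25 by name but 1.0 by oracle, because every position reads the same feed.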
How do real exploits fit into this taxonomy?
The value of a framework is that it organizes incidents instead of treating them as isolated events. Almost every public vault failure falls into one or more of the five classes:
| Incident Type | Class(es) Involved | What Actually Failed |
|---|---|---|
| Donation / inflation attack | Class 1 (accounting subclass) | Rounding down in shares of a vault without virtual shares |
| Collateral losing its peg | Classes 2 and 3 | Curator admitted the collateral; oracle failed to reflect the depeg in time |
| Price manipulation | Class 3 | Manipulatable oracle triggered liquidations or improper loans |
| Bank run on the vault | Class 4 | Assets committed; exit queued and share trading at a discount |
| Contagion between vaults | Class 5 | Shared hub propagated the failure through common markets |
The accounting subclass has documented precedents from before the rise of curators: the ecosystem saw first-depositor exploits in small vaults as early as 2023, which prompted OpenZeppelin to standardize the virtual shares defense that is now taken for granted. 2023 was also the year of several of the largest failures in on-chain credit history — including Euler Finance (March 2023, approximately $197 million) — which served as a reminder that accounting logic and control over sensitive functions are as critical as the oracle. For an aggregate view of recent incidents and their quantified impact, the Q1 2026 DeFi Security Report provides context figures, and the guide on whether DeFi is safe places these risks within the general picture for newcomers.
What ten questions should you answer before depositing in a vault?
This checklist translates the five classes into verifiable questions. It doesn't require code: every answer comes from the vault's documentation, its parameter dashboard, or a block explorer. If three or more remain unanswered, the opacity is your answer.
- Does the vault have virtual shares or dead shares? Without a defense against rounding, the accounting subclass is latent (Class 1).
- How many audits does it have and on which contract version? A two-year-old audit on code that has since been updated does not protect the current version (Class 1).
- Is the contract immutable or upgradable, and who controls the keys? An upgrade key in few hands is a trust-based backdoor (Class 1).
- Who is the curator and what is their track record? The name behind the decisions matters more than the base protocol's logo (Class 2).
- Is there a timelock before parameter changes take effect? Without it, your risk profile can change without notice (Class 2).
- How is capital distributed across markets? Internal concentration turns a single market's risk into the risk of the entire vault (Class 2).
- What oracle does each market use and how often is it updated? The weakest feed defines the fragility of the whole (Class 3).
- Is withdrawal instant or queued, and how long is the cooldown? Exit liquidity is only noticed when it's too late (Class 4).
- What fraction of capital is actually liquid versus committed? A vault with everything lent out cannot pay for a bank run (Class 4).
- What share of total capital does this curator control and how many vaults share their plumbing? Real diversification is across curators, oracles, and collateral, not names (Class 5).
No single answer makes a vault safe; together, they turn an act of faith into an informed decision. The advertised yield is the easy part to read; these ten questions are the part the yield doesn't tell you. For the reader still asking the most basic questions, the guide on whether you can lose money in DeFi provides the necessary context prior to this checklist.