Risk isn't a single number
Most financial apps give you a single risk score: "low," "medium," or "high." But that's like saying a city's weather is "bad" without telling you if it's raining, snowing, windy, or 40°C. Knowing the type of risk is what lets you make actual decisions.
In crypto, there are several independent types of risk. A token can be very safe in one dimension and very risky in another. Understanding each one helps you see the full picture.
Sovereignty risk: can someone freeze your tokens?
Not all crypto is created equal when it comes to control. Some tokens have admin keys — meaning a company, a government, or a group of people can freeze, seize, or blacklist specific addresses.
Tokens that can be frozen
- USDT (Tether) — Tether has frozen hundreds of addresses, making those tokens permanently unusable. They do this in response to law enforcement requests, sanctions compliance, or suspected illegal activity.
- USDC (Circle) — Circle can also freeze specific addresses. They froze addresses associated with Tornado Cash after US Treasury sanctions.
- Any token with admin functions — Many tokens have a "pause" or "blacklist" function in their smart contract. The admin (usually the team that created the token) can activate it.
Tokens that cannot be frozen
- BTC (Bitcoin) — No one can freeze Bitcoin. There is no admin key, no company, no override. If you hold BTC in your own wallet, no entity on earth can prevent you from using it.
- ETH (Ethereum) — Same as Bitcoin. The network itself has no freeze function.
- DAI — Governed by smart contracts and token holder votes. No single party can freeze it. However, DAI is partially backed by USDC, which can be frozen — so there's indirect sovereignty risk.
- BOLD (Liquity V2) — Immutable smart contracts with no admin keys at all. The code is deployed and nobody can change it.
Why it matters: If you hold $100,000 in USDT and your address gets blacklisted (even by mistake), those tokens are gone. There's no appeal process in the smart contract — only through the issuing company. With BTC or ETH, this cannot happen.
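One way to run a first check for the "pause" or "blacklist" functions described above is to scan a token's published ABI for state-changing functions with control-style names. This is an added example, not part of the original article; the name patterns are heuristic assumptions and both sample ABIs are constructed.

```python
import json
import re

# Heuristic name patterns (assumptions). A match is a reason to read the
# contract source, not proof of what the function does.
PATTERNS = {
    "freeze": re.compile(r"blacklist|blocklist|freeze|frozen", re.I),
    "pause": re.compile(r"^(un)?pause", re.I),
    "upgrade": re.compile(r"^upgradeTo", re.I),
}

def admin_surface(abi_json):
    """Map category -> sorted names of state-changing functions that match."""
    found = {}
    for entry in json.loads(abi_json):
        if entry.get("type") != "function":
            continue  # events, errors and constructors are not callable controls
        # Read-only helpers such as isBlacklisted() cannot change balances.
        if entry.get("stateMutability") in ("view", "pure"):
            continue
        for category, pattern in PATTERNS.items():
            if pattern.search(entry["name"]):
                found.setdefault(category, []).append(entry["name"])
    return {category: sorted(names) for category, names in found.items()}

def fn(name, mutability="nonpayable"):
    """Build a minimal ABI function entry for the constructed samples."""
    return {"type": "function", "name": name, "stateMutability": mutability}

# Constructed ABIs, not copied from any deployed token.
ISSUER_TOKEN_ABI = json.dumps([
    fn("transfer"), fn("balanceOf", "view"), fn("blacklist"), fn("unBlacklist"),
    fn("isBlacklisted", "view"), fn("pause"), fn("unpause"),
    {"type": "event", "name": "Blacklisted"},
])
PLAIN_TOKEN_ABI = json.dumps([fn("transfer"), fn("approve"), fn("balanceOf", "view")])

if __name__ == "__main__":
    print("issuer-style token:", admin_surface(ISSUER_TOKEN_ABI))
    print("plain token:", admin_surface(PLAIN_TOKEN_ABI))
```

An empty result does not show that a token cannot be frozen: a proxy can swap in new logic, so the implementation ABI needs the same scan as the proxy's.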
Inflation risk: can your tokens be diluted?
Some tokens have a fixed supply — there will only ever be a certain number of them. Others can be created indefinitely, diluting the value of existing tokens.
Fixed or deflationary supply
- BTC — Hard cap of 21 million coins. Ever. The last Bitcoin will be mined around 2140. No one can change this.
- ETH — No hard cap, but since the "Merge" in 2022, ETH is often deflationary — more ETH is burned in transaction fees than is created as rewards, so the total supply actually shrinks over time.
Inflationary tokens
- Many governance and reward tokens — Protocols often create new tokens to incentivize users (yield farming rewards, staking rewards, airdrops). This constant emission dilutes existing holders. A token offering 100% APY in farming rewards is effectively printing tokens — and as more tokens exist, each one is worth less.
- Network tokens with uncapped emission — Some blockchains continuously issue new tokens to pay validators. If demand doesn't grow faster than supply, the price trends downward over time.
- Stablecoins — USDC and USDT can be minted in unlimited quantities, but they're supposed to be backed 1:1 by real reserves. The inflation risk here is different — it's tied to trust in the reserves.
Why it matters: If you earn 50% APY in a token that's inflating at 60% per year, you're actually losing value. The APY looks great, but the token price drops faster than your balance grows. Always ask: where does the yield come from?
Liquidity risk: can you actually sell?
Liquidity is how easily you can convert an asset to cash (or stablecoins) without significantly affecting the price. High liquidity means you can sell quickly at the market price. Low liquidity means you might have to wait, accept a worse price, or not be able to sell at all.
High liquidity
- ETH, BTC, SOL — Can be sold for billions of dollars per day across many exchanges. Your trade barely moves the price.
- USDC, USDT — Highly liquid stablecoins with deep trading pairs on every major exchange.
Low liquidity
- Small-cap tokens — A token with $50,000 of daily trading volume means selling $10,000 worth could drop the price 20% or more.
- NFTs — Each one is unique. Finding a buyer at your asking price could take days or weeks, or might never happen.
- Locked positions — Tokens locked in staking, vesting schedules, or governance locks (veTokens) literally cannot be sold until the lock period ends.
- LP tokens — While redeemable, removing large amounts of liquidity can cause slippage and affect the underlying pool.
Why it matters: You might see a large portfolio value on paper, but if most of it is in illiquid assets, you can't actually access that value when you need it. In a market crash, illiquid assets drop faster because there are fewer buyers.
Smart contract risk: can the code fail?
When you deposit crypto into a DeFi service, your tokens are held by a smart contract — a computer program on the blockchain. If that program has a bug, a vulnerability, or a deliberate backdoor, your funds can be stolen or lost.
What can go wrong
- Code bugs — Programming errors that allow attackers to drain funds. Even well-audited protocols have been exploited. Hundreds of millions of dollars have been lost this way.
- Oracle manipulation — Many DeFi services rely on price feeds (oracles) to determine token values. If an attacker manipulates the price feed, they can trick the contract into giving them more than they should get.
- Admin key compromise — Some contracts have an admin who can upgrade or modify the code. If the admin's private key is stolen, an attacker can change the contract to steal funds.
- Reentrancy attacks — A specific type of bug where a contract can be tricked into sending funds multiple times in a single transaction.
- Logic errors — The code works as written, but the logic is flawed. Rare conditions can lead to unexpected behavior.
What reduces the risk (but doesn't eliminate it)
- Audits — Independent security firms review the code. Multiple audits are better than one. But audits are not guarantees — they find some bugs, not all.
- Track record — A contract that has held billions of dollars for years has been battle-tested by real attackers. Time is the best audit.
- Bug bounties — Some protocols pay hackers who find bugs to report them instead of exploiting them. This incentivizes responsible disclosure.
- Immutable contracts — Contracts that cannot be modified after deployment (like Liquity V2) eliminate admin key risk, but also mean bugs can never be fixed.
- Insurance — Services like Nexus Mutual offer coverage against smart contract failures, but coverage is limited, not automatic, and requires a claim process.
Why it matters: Unlike a bank where your deposits are insured, there is no safety net in DeFi. If a smart contract is exploited, you lose whatever you deposited in it. Diversifying across multiple services limits your exposure to any single contract failure.
Volatility risk: how much can the price swing?
Volatility measures how much and how fast a token's price changes. High volatility means big swings — up and down — in short periods.
- Very low volatility: USDC, USDT — designed to stay at $1
- Low volatility: Tokenized Treasuries (OUSG) — backed by stable government bonds
- Medium volatility: BTC, ETH — established cryptocurrencies with large markets
- High volatility: SOL, ARB, OP — smaller but established tokens
- Very high volatility: Memecoins, new tokens — can move 50%+ in a single day
Volatility isn't inherently bad — it's what creates the opportunity for gains. But if your savings are in a highly volatile token and you need the money at a specific time, a price drop at the wrong moment can be devastating.
Peg risk: can a "stable" token lose its value?
Some tokens are designed to track a fixed price — usually $1 USD. This is called a peg. When the price drifts away from that target, it's called a depeg. And when a depeg happens, what was supposed to be the safest part of your portfolio can become the most dangerous.
What keeps a peg in place
Different stablecoins maintain their peg in different ways, and each mechanism has different failure modes:
- Fiat-backed (USDC, USDT) — The issuer holds real dollars or equivalents in reserve. You trust the company to actually hold those reserves and to redeem tokens at $1. The peg holds as long as that trust holds.
- Crypto-backed (DAI, BOLD) — Smart contracts hold crypto as collateral, typically more than the value of stablecoins issued (over-collateralization). The peg is maintained by automated liquidations: if collateral drops too much, the system sells it to cover the stablecoins.
- Yield-bearing (sDAI, sUSDe, USDY) — These are wrappers around other stablecoins or assets. Their peg depends on the underlying asset's peg plus the smart contract working correctly.
- Algorithmic — These use supply-and-demand mechanisms to maintain the peg, without full collateral backing. This approach has a catastrophic track record.
How depegs happen
Loss of confidence
If people doubt the reserves exist (as happened with Tether controversies), selling pressure pushes the price below $1. Even if the reserves are fine, the perception of a problem can cause a real depeg.
Collateral crash
For crypto-backed stablecoins, if collateral prices drop faster than liquidations can execute, the system becomes undercollateralized. The stablecoin is backed by less than $1 of value, and the peg breaks.
Liquidity crisis
In March 2023, USDC briefly dropped to $0.87 when Silicon Valley Bank collapsed — Circle held $3.3 billion of USDC reserves there. The peg recovered after the bank was rescued, but for days holders didn't know if they'd lose 13% or more.
Cascade failure
When one stablecoin is used as collateral for another, a depeg in one can trigger a depeg in the other. DAI is partially backed by USDC — so USDC's 2023 depeg also affected DAI.
The Terra/UST collapse: the worst-case scenario
In May 2022, the algorithmic stablecoin UST (Terra) lost its peg and spiraled to near zero. Its sister token LUNA, which was supposed to absorb selling pressure, went from $80 to less than $0.01. Approximately $40 billion in value was destroyed in under a week.
The mechanism was simple in theory — mint and burn LUNA to keep UST at $1 — but it created a death spiral: as UST fell below $1, the system minted more LUNA to compensate, crashing LUNA's price, which further undermined confidence in UST, causing more selling, more LUNA minting, and so on until both tokens were worthless.
Minor vs. major depegs
- $0.99–$1.01 — Normal market noise. This happens daily and usually self-corrects within minutes or hours through arbitrage.
- $0.95–$0.99 — Concerning. Something is causing sustained selling pressure. Worth paying attention to.
- Below $0.95 — Serious event. For established stablecoins, this is rare and signals a real problem with reserves, collateral, or confidence.
- Below $0.50 — Critical failure. The peg mechanism itself is broken. Recovery is uncertain. This is where "stable" money can be lost.
Why it matters: Stablecoins often represent the "safe" portion of a portfolio — money you're explicitly not willing to risk. But different stablecoins carry different peg risks. USDC backed by US Treasuries has a very different risk profile than an algorithmic stablecoin or a yield-bearing token built on multiple layers. Understanding what maintains the peg helps you evaluate how safe your "safe" money really is.
Counterparty risk: who are you trusting?
In traditional finance, you trust your bank to hold your money. In crypto, you might think you don't trust anyone — but that's rarely true. Counterparty risk is the risk that the other party in an arrangement doesn't deliver on their promise.
Where counterparty risk exists in crypto
Centralized stablecoin issuers
When you hold USDC, you trust Circle to actually hold the reserves. When you hold USDT, you trust Tether. If they mismanage, lie about, or lose access to the reserves, your tokens lose value.
Wrapped token custodians
WBTC is Bitcoin "wrapped" for use on Ethereum. The real BTC is held by a custodian (BitGo). You're trusting that custodian to hold the Bitcoin and honor redemptions. If they don't, WBTC becomes worthless.
Bridges
When you bridge tokens to another network, you trust the bridge to lock your tokens safely and mint equivalent ones on the destination chain. Bridges have been the target of some of the largest hacks in crypto history — over $2 billion stolen across bridge exploits.
RWA token issuers
Tokenized real-world assets (like OUSG or BUIDL) depend on a company actually holding the underlying assets — Treasury bills, gold, real estate. If the company fails or commits fraud, the tokens don't reflect real value anymore.
Where counterparty risk is minimal
- Native tokens in your own wallet — ETH in your wallet doesn't depend on any third party. You are the sole custodian.
- Immutable smart contracts — Protocols like Uniswap or Liquity V2, where the code is deployed and cannot be changed by anyone, have no counterparty — only code risk.
- Crypto-backed stablecoins — DAI and BOLD are backed by collateral locked in smart contracts, not by a company's promises. The risk shifts from counterparty to smart contract risk.
Why it matters: The whole promise of crypto is removing intermediaries. But in practice, many positions reintroduce counterparty risk through stablecoins, bridges, wrappers, and centralized services. Knowing who you're trusting — and whether that trust is justified — is essential to understanding what you actually own.
Oracle risk: can your position be tricked by bad data?
Most DeFi protocols don't know the price of anything on their own. They rely on external services called oracles to feed them real-world data — token prices, interest rates, reserve proofs. If the oracle gives wrong data, the protocol acts on wrong information, and your money pays the price.
How oracle risk hurts you
Wrong liquidations
Lending protocols like Aave use oracle prices to decide if your loan is healthy. If the oracle briefly reports ETH at $100 instead of $3,000, your position gets liquidated — even though the real price never dropped. You lose your collateral based on a data error.
Price manipulation attacks
Attackers can manipulate the price source an oracle reads — for example, crashing a token's price on a small DEX, then using a flash loan to exploit a protocol that reads from that DEX. The oracle reports the manipulated price as real, and the attacker profits.
Stale data
If an oracle stops updating (network congestion, outage, or the oracle network going down), protocols act on outdated prices. During a crash, stale high prices mean liquidations happen too late — leaving the protocol (and its depositors) holding bad debt.
Cascade failures
When multiple protocols use the same oracle, a single oracle failure can cascade across the entire DeFi ecosystem. A wrong price from Chainlink could simultaneously affect Aave, Compound, and every protocol reading that feed.
What makes oracle risk higher or lower
- Lower risk: Major assets (ETH, BTC) on established oracles (Chainlink, Pyth) with many data providers and deep liquidity across sources. Hard to manipulate, rarely stale.
- Medium risk: Mid-cap tokens with fewer data sources. Price feeds update less frequently. Manipulation becomes feasible with enough capital.
- Higher risk: New tokens, exotic pairs, or LP token prices derived from on-chain calculations. Often rely on a single DEX pool as the price source — easily manipulated with a flash loan.
- Highest risk: Protocols that use their own on-chain price calculations (like a spot pool price) instead of a decentralized oracle network. This is the most common attack vector in DeFi hacks.
Why it matters: You can use the most audited, battle-tested protocol in the world — but if it reads from a bad oracle, your position is at risk. Oracle quality is one of the most overlooked risks in DeFi, and one of the most exploited attack vectors. Before depositing large amounts, check which oracle a protocol uses and how many independent data sources feed into it.
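The wrong-liquidation and stale-data cases above can be modelled as a guard that a liquidation decision passes through before it trusts a price. This is an added example, not code from the article or from any protocol it names; the feed names, thresholds, and sample quotes are constructed assumptions.

```python
from dataclasses import dataclass
from statistics import median

# Thresholds are illustrative assumptions, not values from any protocol.
MAX_AGE_S = 3600       # a quote older than this is treated as stale
MAX_DEVIATION = 0.05   # allowed relative distance from the median
MIN_SOURCES = 3        # fresh, agreeing sources required to act

@dataclass
class Quote:
    source: str        # hypothetical feed name, assumed unique
    price: float       # USD per unit of collateral
    updated_at: int    # unix time of the feed's last update

class OracleUnavailable(Exception):
    """Too few fresh, agreeing sources to trust any price."""

def trusted_price(quotes, now):
    """Return (price, rejected); rejected maps source name to a reason."""
    rejected, fresh = {}, []
    for q in quotes:
        if q.price <= 0:
            rejected[q.source] = "non-positive"
        elif now - q.updated_at > MAX_AGE_S:
            rejected[q.source] = "stale"
        else:
            fresh.append(q)
    if len(fresh) < MIN_SOURCES:
        raise OracleUnavailable(rejected)
    mid = median(q.price for q in fresh)
    far = {q.source: "outlier" for q in fresh
           if abs(q.price - mid) / mid > MAX_DEVIATION}
    rejected.update(far)
    agreeing = [q.price for q in fresh if q.source not in far]
    if len(agreeing) < MIN_SOURCES:
        raise OracleUnavailable(rejected)
    return median(agreeing), rejected

def health_factor(collateral, price, debt, liq_threshold=0.8):
    """Below 1.0 the loan is eligible for liquidation."""
    return collateral * price * liq_threshold / debt

def decide(collateral, debt, quotes, now):
    """Return 'healthy', 'liquidate', or 'paused' if no price can be trusted."""
    try:
        price, _ = trusted_price(quotes, now)
    except OracleUnavailable:
        return "paused"
    return "liquidate" if health_factor(collateral, price, debt) < 1.0 else "healthy"

# Constructed sample quotes for 10 ETH of collateral against a $15,000 loan.
NOW = 1_700_000_000
GLITCH = [Quote("feed-a", 3000.0, NOW - 30), Quote("feed-b", 100.0, NOW - 20),
          Quote("feed-c", 2995.0, NOW - 45), Quote("feed-d", 3005.0, NOW - 60)]
STALE = [Quote("feed-a", 3000.0, NOW - 30), Quote("feed-b", 2990.0, NOW - 7200),
         Quote("feed-c", 3010.0, NOW - 9000)]

if __name__ == "__main__":
    print(decide(10, 15_000, GLITCH, NOW), decide(10, 15_000, STALE, NOW))
```

With the glitching feed reporting $100 the position stays healthy because that quote is rejected as an outlier, and with two of three feeds stale the decision is paused rather than made on one remaining source.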
Complexity risk: how many things can go wrong?
The more layers of technology between you and your money, the more things can potentially fail. Each layer adds its own risk.
Simple: ETH in your wallet
One layer: the Ethereum network. Your risk is limited to losing your private key or the Ethereum network itself failing (extremely unlikely).
Medium: ETH staked in Lido
Two layers: Ethereum + Lido's smart contract. If Lido's contract has a bug, your staked ETH is at risk.
Complex: wstETH bridged to Arbitrum, deposited in Aave
Four layers: Ethereum + Lido + bridge + Aave on Arbitrum. A problem in any one of these affects your position.
Very complex: LP in a vault on a bridge
Five+ layers: underlying tokens + liquidity pool + vault strategy + bridge + destination chain. Each layer multiplies the risk surface.
Mobility risk: how expensive is it to move?
Not all networks cost the same to use. Moving tokens on some networks is nearly free, while on others it can cost $10, $50, or more per transaction.
- Very low cost: Solana (fractions of a cent), most Layer 2s (under $0.10)
- Low cost: BNB Chain, Polygon, Tron
- High cost: Ethereum mainnet — gas fees can spike to $50+ during high demand
- Very high cost: Bitcoin — fees vary dramatically, from $1 to $30+
Mobility risk matters when you need to react quickly. If ETH gas fees are $50 and you need to add collateral to avoid liquidation on a $500 loan, the cost of saving your position is 10% of the loan itself.
Concentration risk: all eggs in one basket
This isn't about a single token's properties — it's about your portfolio as a whole. Concentration risk means having too much of your value dependent on one thing.
- Token concentration — 80% of your portfolio in one cryptocurrency
- Network concentration — All your positions on a single blockchain
- Service concentration — All your savings in one lending protocol
- Underlying concentration — Holding wstETH, stETH, and cbETH thinking you're diversified, but all three are really just ETH
CleanSky measures all of these. Instead of a single "risk score," CleanSky analyzes your portfolio across each of these dimensions independently — volatility, liquidity, sovereignty, inflation, complexity, and mobility — and compares them against your own risk preferences. This gives you a specific, actionable picture: not "high risk," but "high volatility with low liquidity and high complexity on this specific position."
A practical summary
| Risk type | The question it answers | Example |
|---|---|---|
| Sovereignty | Can someone freeze or block my tokens? | USDT can be frozen; BTC cannot |
| Inflation | Is the supply growing and diluting my value? | BTC has a fixed cap; many farm tokens inflate endlessly |
| Liquidity | Can I sell quickly without losing value? | ETH is liquid; an obscure NFT is not |
| Smart contract | Can the code holding my money fail? | Battle-tested Aave vs. a new unaudited protocol |
| Volatility | How much can the price swing? | USDC barely moves; SHIB can swing 50% in a day |
| Peg | Can this "stable" token lose its $1 value? | USDC briefly hit $0.87; UST collapsed to near zero |
| Counterparty | Who am I trusting, and can they fail? | WBTC trusts a custodian; ETH in your wallet trusts no one |
| Complexity | How many layers of technology are between me and my money? | ETH in wallet (1 layer) vs. bridged LP in a vault (5+ layers) |
| Mobility | How expensive is it to move or react? | Solana: fractions of a cent; Ethereum: $10-$50 |
| Oracle | Can wrong price data cause my position to be liquidated or exploited? | A flash loan manipulates a DEX price feed, triggering false liquidations |
| Concentration | Am I too dependent on one token, chain, or service? | 80% of portfolio in one token on one network |
Understanding these dimensions doesn't mean avoiding risk — it means knowing what you're exposed to and deciding if that's acceptable given your goals. Someone saving for next month should care a lot about volatility and liquidity. Someone investing for 5 years might accept higher volatility for potentially higher returns.