Beyond APY: The vaults.fyi Reputation Score

Methodology last updated 2026-05-06. First published 2024-12-20. The Reputation Score has evolved since publication. See the Changelog at the end of this post for a record of changes.

Overview

vaults.fyi introduced a Reputation Score to help users navigate DeFi yield opportunities with greater clarity. The score favors protocols that are “Lindy”: the longer a protocol has secured significant capital without incident, the higher its vaults tend to score. A low score does not mean a vault is unsafe; it means the vault has not yet accumulated the track record that the metric rewards.

The score is a single number from 0 to 100, returned in API responses as score.vaultScore, with component scores and any active or decaying flag penalties exposed alongside it.

Methodology: Five Components

1. Protocol Integrity (40%)

Measures the scale of trust a protocol has earned over its operational history: how much TVL it has secured and for how long. A protocol with $500M TVL sustained for two years contributes more positively than one that briefly touched the same TVL for a week. Scoring uses normalized order-of-magnitude anchors (a protocol at the $1M TVL integral floor scores 0; one at the $1Q ceiling scores 100), which keeps the relative spread between large and small protocols stable over time.

2. Pool Diagnostics (20%)

Accounts for liquidity characteristics at the individual pool level, not just the protocol level. A large protocol can host pools with very different liquidity profiles. Aave v3 USDT on mainnet ($5B TVL) is not the same risk profile as Aave v3 pyUSD on mainnet ($12M TVL), even though they are on the same protocol. This component uses the same TVL-over-time approach as protocol integrity, applied to the specific pool, with normalized anchors at $100K and $1Q.

3. Community Adoption (15%)

Measures holder distribution and diversity. More unique holders signal broader trust and reduce concentration risk. Future improvements will refine this dimension by filtering low-value addresses, distinguishing individual holders from protocol-owned positions, and analyzing the ability of large holders to exit and affect liquidity.

4. Underlying Asset Reliability (12.5%)

Evaluates the stability and creditworthiness of the vault’s deposit asset. For stablecoins and pegged assets (ETH/BTC derivatives), this component measures three signals: historical price stability relative to the peg, on-chain liquidity depth at ±2% from the peg, and trading volume across CEXs and DEXs. Assets with a consistent peg and deep liquidity contribute more positively.

This dimension was previously based on Bluechip.org ratings. As of the 2026 update, it uses the proprietary signals above, derived directly from on-chain data and exchange feeds.

5. Underlying Blockchain Security (12.5%)

Assesses the maturity and security of the network the vault runs on. For Ethereum L2s, vaults.fyi uses the L2Beat Stages framework as input. For alt-L1s like Polygon and Gnosis, the component is set at the equivalent of a Stage 0 L2. Mainnet Ethereum contributes the highest value by default.

Flag Penalties

Active flags on a vault (bad-debt incidents, security exploits, governance concerns, and similar warnings) directly reduce its Reputation Score:

  • Critical: -50 points
  • Warning: -25 points

Only the single largest active penalty applies. Flags do not stack.

When a flag is resolved, the penalty does not disappear immediately. It decays gradually over 365 days using a square-root curve, so a vault that has dealt with an incident recovers trust incrementally rather than resetting overnight. A resolved warning is -17.8 points after 1 month, -7.5 points after 6 months, and 0 after 12 months.

This mechanic means that vaults exposed to recent incidents (for example, downstream-exposed Morpho vaults during the April 2026 Kelp rsETH exploit) carry a visible numeric penalty in their Reputation Score, propagated automatically rather than relying on manual de-rating.

The score.penaltyComponents field in API responses shows each active or decaying penalty, its severity, and resolution status. score.totalScorePenalty shows the total deduction applied to the composite score.
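
The penalty rules above worked through in code, as an added example that is not vaults.fyi's own implementation; it also shows how long a resolved flag keeps a vault under a minVaultScore threshold. Assumptions: the decay is base × (1 − √(days/365)), the composite is a weighted sum of 0-100 component scores, and the result is floored at 0. The component key names and the sample vault are constructed.

```python
import math

# Values stated in the post: penalty sizes, decay window, component weights.
BASE_PENALTY = {"critical": 50.0, "warning": 25.0}
DECAY_DAYS = 365
WEIGHTS = {  # key names are hypothetical, not API field names
    "protocol_integrity": 0.40,
    "pool_diagnostics": 0.20,
    "community_adoption": 0.15,
    "asset_reliability": 0.125,
    "blockchain_security": 0.125,
}

def flag_penalty(severity, days_since_resolved=None):
    """Points deducted for one flag; None means the flag is still active.

    ASSUMPTION: decay follows base * (1 - sqrt(days / 365)). This gives 17.8
    at 30 days and 0 at 365, and about 7.4 at 180 days (the post says 7.5).
    """
    base = BASE_PENALTY[severity]
    if days_since_resolved is None:
        return base
    if days_since_resolved >= DECAY_DAYS:
        return 0.0
    return base * (1.0 - math.sqrt(max(days_since_resolved, 0) / DECAY_DAYS))

def total_penalty(flags):
    """Flags do not stack: only the largest current deduction is applied."""
    return max((flag_penalty(sev, days) for sev, days in flags), default=0.0)

def reputation_score(components, flags):
    """ASSUMPTION: weighted sum of components, minus penalty, floored at 0."""
    raw = sum(WEIGHTS[name] * components[name] for name in WEIGHTS)
    return max(0.0, raw - total_penalty(flags))

def days_until_score(components, severity, threshold):
    """First day after resolution on which the score is back at `threshold`."""
    for day in range(DECAY_DAYS + 1):
        if reputation_score(components, [(severity, day)]) >= threshold:
            return day
    return None  # even the unpenalised score is below the threshold

# CONSTRUCTED sample vault: 78.75 before any penalty.
SAMPLE = {"protocol_integrity": 80, "pool_diagnostics": 70,
          "community_adoption": 60, "asset_reliability": 90,
          "blockchain_security": 100}

if __name__ == "__main__":
    print(reputation_score(SAMPLE, [("warning", None), ("critical", 300)]))
    print(days_until_score(SAMPLE, "warning", 70))
```

Under these assumptions the sample vault stays below a 70 cut-off for months after a flag is resolved, which is the incremental recovery the decay is meant to produce.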

Not Rated State

Protocols and vaults need a minimum amount of tracked history to be assigned a Reputation Score:

  • Protocols with less than 6 months of tracked history: all their vaults return a NULL composite score (Not Rated).
  • Vaults with less than 1 month of tracked history (in protocols that otherwise qualify): that vault returns NULL.

Partial pillar scores (network and asset components) are still shown for Not Rated vaults, since those signals are independent of vault track record. This makes the absence of a composite score transparent rather than silently scoring vaults that haven’t been observed long enough.

Key Distinctions

The metric measures reputation, not risk. A high score does not guarantee safety; it means the vault has passed more of the tests that time imposes. A low score does not mean a vault is dangerous; it often means a vault is too new to have accumulated track record.

The Reputation Score complements expert assessments from organizations like LlamaRisk, Chaos Labs, and Gauntlet. It is designed for programmatic filtering, not as a substitute for risk reports or detailed due diligence.

Using the Score in Integrations

Builders integrating vaults.fyi can filter vaults by minimum Reputation Score using the minVaultScore query parameter:

GET /v2/detailed-vaults?minVaultScore=70

Full integration reference: docs.vaults.fyi/methodology/reputation-score.

Practical thresholds:

  • Consumer wallets and fintechs: 70+ (only well-established vaults).
  • Sophisticated yield products: 60 or 50 to capture emerging opportunities while filtering the long tail.
  • Institutional flows: combine minVaultScore with curator filters and tags to express specific risk policy.
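
A client-side admission check for the thresholds above, added here as an example and not taken from vaults.fyi's documentation. It rejects Not Rated (NULL) and malformed scores instead of coercing them to a number. The tier names, the optional active-flag rule, and the keys name, severity and resolved are assumptions, and the records are constructed.

```python
import json

# Thresholds from the post's "Practical thresholds" list; tier names are hypothetical.
TIER_MIN_SCORE = {"consumer": 70, "yield_product": 50}

# CONSTRUCTED sample records. score.vaultScore and score.penaltyComponents are
# named in the post; "name", "severity" and "resolved" are assumed key names.
SAMPLE_JSON = """[
 {"name": "established", "score": {"vaultScore": 88, "penaltyComponents": []}},
 {"name": "too-new", "score": {"vaultScore": null, "penaltyComponents": []}},
 {"name": "flagged", "score": {"vaultScore": 71,
    "penaltyComponents": [{"severity": "warning", "resolved": false}]}},
 {"name": "recovering", "score": {"vaultScore": 74,
    "penaltyComponents": [{"severity": "warning", "resolved": true}]}},
 {"name": "long-tail", "score": {"vaultScore": 42, "penaltyComponents": []}}
]"""

def admit(vault, tier, allow_active_flags=False):
    """Return (admitted, reason). Anything unrated or malformed is rejected."""
    score = vault.get("score") or {}
    value = score.get("vaultScore")
    if value is None:
        return False, "not rated"  # NULL is neither 0 nor a pass
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return False, "malformed score"
    if not 0 <= value <= 100:  # also rejects NaN
        return False, "malformed score"
    if value < TIER_MIN_SCORE[tier]:
        return False, "below threshold"
    if not allow_active_flags:
        # Assumed policy: an unresolved flag blocks admission even when the
        # penalised score still clears the threshold.
        for penalty in score.get("penaltyComponents") or []:
            if not penalty.get("resolved", False):
                return False, "active flag"
    return True, "ok"

def decisions(tier, **kwargs):
    """Map each constructed sample vault to its admit() result for `tier`."""
    return {v["name"]: admit(v, tier, **kwargs) for v in json.loads(SAMPLE_JSON)}

if __name__ == "__main__":
    for name, result in decisions("consumer").items():
        print(name, result)
```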

Known Limitations

The Reputation Score is objective and formula-driven, which means it has edges:

  • Does not account for governance risk, upgrade mechanisms, or admin key exposure.
  • Does not include smart contract audit status as a direct input.
  • Networks not rated by L2Beat may not receive blockchain security component scores.
  • Flag penalties reflect known incidents surfaced by vaults.fyi; they do not capture all possible risk vectors.
  • A long-running risky protocol can score well; a well-audited new protocol will score low until it builds history.

These edges are intentional. The score is meant to be one input among several, not a complete risk verdict.

Changelog

2026-05-06 — Reputation Score v2

  • Introduced flag penalties with 365-day decay (Critical -50, Warning -25, decaying on a square-root curve after resolution).
  • Replaced log-base TVL scoring with normalized order-of-magnitude anchors (vault TVL: $100K floor / $1Q ceiling; protocol TVL: $1M floor / $1Q ceiling).
  • Introduced a Not Rated state for protocols with under 6 months of history and vaults with under 1 month.
  • Rewrote the Underlying Asset Reliability dimension. Previously based on Bluechip.org ratings; now uses proprietary peg-stability tracking, ±2% on-chain liquidity depth, and CEX/DEX trading volume.
  • Added Lindy framing as the explicit organizing principle.

2024-12-20 — Original publication