pith. machine review for the scientific record.

arxiv: 2605.05145 · v1 · submitted 2026-05-06 · cs.DC · cs.CR · cs.CY · cs.SE


Toward a Risk Assessment Framework for Institutional DeFi: A Nine-Dimension Approach


Pith reviewed 2026-05-08 16:38 UTC · model grok-4.3

classification: cs.DC, cs.CR, cs.CY, cs.SE
keywords: DeFi risk assessment, nine-dimension framework, composability risk, comprehension debt, temporal risk dynamics, protocol dependencies, institutional DeFi, incident root-cause analysis

The pith

DeFi risk assessment needs nine dimensions because five of twelve major incidents, including the largest systemic events, cannot be fully explained without the three new ones.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper proposes extending a six-dimension DeFi risk taxonomy with three additional dimensions—composability risk, comprehension debt, and temporal risk dynamics—plus a transparency confidence modifier to separate assessment reliability from actual risk levels. This extension is grounded in dependency mapping across more than eight thousand protocols and tested against twelve incidents from 2024-2026 that caused roughly 2.5 billion dollars in losses. Five incidents, among them the two with the highest systemic impact, require at least one of the new dimensions for complete root-cause analysis. A sympathetic reader would care because DeFi now handles over 100 billion dollars including regulated assets, yet existing methods lack the structural independence and composability awareness demanded for institutional use. If correct, the framework supplies an explainable, protocol-interaction-aware methodology that prior taxonomies omit.

Core claim

The central claim is that a nine-dimension framework, formed by adding composability risk, comprehension debt, and temporal risk dynamics to the existing six-dimension taxonomy while introducing a transparency confidence modifier, provides complete root-cause characterization for DeFi incidents where prior approaches fall short. Retrospective application to twelve 2024-2026 events shows that five cases, including the two highest-systemic-impact ones, demand at least one novel dimension.

What carries the argument

The nine-dimension risk assessment framework, which augments prior taxonomies through structural dependency analysis of protocol interactions.

Load-bearing premise

The underlying protocol dependency map derived from the ontology infrastructure is accurate and complete enough to reveal when existing dimensions are insufficient.

What would settle it

Independent re-analysis of the same twelve incidents using only the original six dimensions that still fully accounts for root causes in all cases, including the two highest-impact events.

Original abstract

Decentralized finance (DeFi) protocols now intermediate over USD 100 billion in value, including regulated stablecoins and tokenized assets deployed as collateral, yet no widely adopted framework operationalizes risk assessment at the rigor institutional adoption demands. Existing approaches emphasize protocol-specific parameter optimization or conceptual taxonomies without providing explainable, composability-aware, and structurally independent assessment methodologies. We propose a nine-dimension DeFi risk assessment framework extending the six-dimension taxonomy introduced by Moody's Analytics and Gauntlet with three novel dimensions: composability risk, comprehension debt, and temporal risk dynamics. We additionally introduce a transparency confidence modifier separating assessment reliability from risk severity. The framework is grounded in structural analysis of protocol dependencies conducted through an ontology-based protocol intelligence infrastructure covering more than 8,000 DeFi protocols. We retrospectively analyze 12 major DeFi-related incidents from 2024-2026 representing approximately USD 2.5 billion in direct losses. Five of the 12 incidents require at least one novel dimension for complete root-cause characterization, including the two highest-systemic-impact events in the dataset.
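The abstract describes two mechanisms without showing them: a structural dependency map from which composability risk is read off, and a transparency confidence modifier that is kept apart from risk severity. The following Python is an added illustration, not code from the paper or its ontology infrastructure. It builds a small constructed dependency graph (protocol names StableX, LendA, VaultB, DexC, AggD and OracleO are invented), computes transitive upstream and downstream exposure, derives a hypothetical composability indicator (the share of a protocol's transitive dependencies that are not direct), and stores the confidence modifier beside the nine severity scores so that triage ranks on severity and only flags low-confidence items for re-examination. The six base dimensions of the Moody's/Gauntlet taxonomy are not named on this page, so they appear as placeholders.

```python
"""Added illustration (not the paper's code): toy protocol dependency map,
composability exposure over it, and an assessment record that keeps the
transparency confidence modifier separate from severity.
Protocol names, scoring rules and placeholder dimension names are assumptions."""
from collections import deque
from dataclasses import dataclass

# Constructed dependency map: protocol -> protocols it relies on directly.
# Sample data built for this example; not from the paper's ontology.
DEPENDS_ON = {
    "OracleO": set(),               # price feed, depends on nothing here
    "StableX": {"OracleO"},         # stablecoin issuer
    "LendA": {"StableX", "OracleO"},  # lending market taking StableX as collateral
    "DexC": {"StableX"},            # pool paired against StableX
    "VaultB": {"LendA"},            # yield vault depositing into LendA
    "AggD": {"VaultB", "DexC"},     # aggregator routing through both
}

NOVEL_DIMENSIONS = ("composability_risk", "comprehension_debt", "temporal_risk_dynamics")
# The six base dimensions are not named on this page; placeholders stand in.
BASE_DIMENSIONS = tuple(f"base_dimension_{i}" for i in range(1, 7))
ALL_DIMENSIONS = BASE_DIMENSIONS + NOVEL_DIMENSIONS


def upstream(graph, protocol):
    """Every protocol `protocol` depends on, directly or transitively (BFS)."""
    seen, queue = set(), deque([protocol])
    while queue:
        node = queue.popleft()
        for dep in graph.get(node, ()):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


def downstream(graph, protocol):
    """Every protocol that can be affected if `protocol` fails: the reverse closure."""
    reverse = {}
    for node, deps in graph.items():
        for dep in deps:
            reverse.setdefault(dep, set()).add(node)
    return upstream(reverse, protocol)


def composability_exposure(graph, protocol):
    """Hypothetical composability-risk indicator in [0, 1]: the share of a
    protocol's transitive dependencies that are not visible as direct ones.
    0.0 means all exposure is direct; values near 1.0 mean most of it is
    inherited through intermediaries the protocol never integrates itself."""
    direct = set(graph.get(protocol, ()))
    total = upstream(graph, protocol)
    if not total:
        return 0.0
    return len(total - direct) / len(total)


@dataclass
class Assessment:
    protocol: str
    severity: dict      # dimension -> score in [0, 1]
    confidence: float   # transparency confidence modifier in [0, 1], stored separately

    def __post_init__(self):
        missing = set(ALL_DIMENSIONS) - set(self.severity)
        if missing:
            raise ValueError(f"missing dimensions: {sorted(missing)}")
        for dim, score in self.severity.items():
            if not 0.0 <= score <= 1.0:
                raise ValueError(f"{dim} score out of range: {score}")
        if not 0.0 <= self.confidence <= 1.0:
            raise ValueError(f"confidence out of range: {self.confidence}")

    def headline(self):
        """Worst dimension and its score. Confidence is reported alongside and
        never multiplied into the score: a low-confidence assessment is flagged
        for further investigation rather than silently discounted."""
        dim = max(self.severity, key=self.severity.get)
        return {"protocol": self.protocol, "dimension": dim,
                "severity": self.severity[dim], "confidence": self.confidence,
                "needs_review": self.confidence < 0.5}


def assess(graph, protocol, other_scores, confidence):
    """Build an assessment whose composability score comes from the dependency
    map; the other eight scores are supplied by the analyst."""
    severity = dict(other_scores)
    severity["composability_risk"] = composability_exposure(graph, protocol)
    return Assessment(protocol, severity, confidence)


def triage(assessments):
    """Rank by headline severity (highest first). Low-confidence items keep their
    rank and are listed again under `needs_review`, so the modifier changes what
    gets re-examined, not what looks dangerous."""
    heads = sorted((a.headline() for a in assessments),
                   key=lambda h: h["severity"], reverse=True)
    return {"ranked": heads,
            "needs_review": [h["protocol"] for h in heads if h["needs_review"]]}


if __name__ == "__main__":
    analyst = {d: 0.2 for d in ALL_DIMENSIONS if d != "composability_risk"}
    print(downstream(DEPENDS_ON, "OracleO"))
    print(triage([assess(DEPENDS_ON, "LendA", analyst, 0.9),
                  assess(DEPENDS_ON, "AggD", analyst, 0.3)]))
```

Running the module shows that a failure of the constructed oracle reaches every other protocol in the map, and that AggD ranks above LendA on composability while also landing in the review list because its confidence is low; the two facts are reported side by side rather than collapsed into one number.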

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 1 minor

Summary. The manuscript proposes a nine-dimension DeFi risk assessment framework that extends the six-dimension taxonomy from Moody's Analytics and Gauntlet by adding three novel dimensions—composability risk, comprehension debt, and temporal risk dynamics—plus a transparency confidence modifier. It grounds the framework in structural dependency analysis via an ontology-based protocol intelligence infrastructure covering more than 8,000 DeFi protocols and validates the extensions through retrospective analysis of 12 major incidents (2024-2026, ~USD 2.5B losses), claiming that five incidents (including the two highest-systemic-impact events) require at least one novel dimension for complete root-cause characterization.

Significance. If the supporting methodology is supplied and shown to be reproducible, the work could strengthen institutional DeFi risk practices by offering a composability-aware, structurally independent alternative to parameter-optimization or purely conceptual approaches. The scale of the 8,000-protocol ontology infrastructure is a concrete strength that could enable falsifiable, dependency-mapped assessments; the identification of specific high-impact incidents where prior dimensions fall short provides a direct, testable rationale for the proposed extensions.

major comments (2)
  1. [Abstract and incident-analysis section] The central claim that 'Five of the 12 incidents require at least one novel dimension for complete root-cause characterization' is load-bearing for the justification of the three new dimensions, yet no ontology-derived dependency graphs, failure-mode assignments to the original Moody's/Gauntlet dimensions, or explicit decision criteria for declaring an existing dimension insufficient are supplied. Without these mappings the determination cannot be checked against the claimed structural map of >8,000 protocols.
  2. [Ontology infrastructure description] The grounding claim rests on 'structural analysis of protocol dependencies conducted through an ontology-based protocol intelligence infrastructure,' but the manuscript supplies neither the construction/validation methodology for the ontology nor per-incident examples of how it was applied to attribute root causes. This directly affects verifiability of the five-incident result.
minor comments (1)
  1. [Framework definition] The three novel dimensions are introduced without concise formal definitions or integration rules with the existing six dimensions; adding a short table or paragraph defining each and stating how they interact would improve clarity.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive and detailed feedback. The comments accurately identify gaps in methodological transparency that are necessary to support the reproducibility of our claims regarding the ontology infrastructure and the incident analysis. We address each major comment below and describe the revisions we will make.

Point-by-point responses
  1. Referee: [Abstract and incident-analysis section] The central claim that 'Five of the 12 incidents require at least one novel dimension for complete root-cause characterization' is load-bearing for the justification of the three new dimensions, yet no ontology-derived dependency graphs, failure-mode assignments to the original Moody's/Gauntlet dimensions, or explicit decision criteria for declaring an existing dimension insufficient are supplied. Without these mappings the determination cannot be checked against the claimed structural map of >8,000 protocols.

    Authors: We agree that the current manuscript lacks the explicit mappings, graphs, and decision criteria needed to verify the central claim. In the revised version we will add a dedicated subsection (and supporting appendix) that: (i) presents simplified ontology-derived dependency graphs for the five incidents, (ii) assigns each incident's failure modes to the original six Moody's/Gauntlet dimensions, and (iii) states the explicit criteria used to determine when an existing dimension is insufficient. These additions will be tied directly to the >8,000-protocol structural map.
    Revision: yes

  2. Referee: [Ontology infrastructure description] The grounding claim rests on 'structural analysis of protocol dependencies conducted through an ontology-based protocol intelligence infrastructure,' but the manuscript supplies neither the construction/validation methodology for the ontology nor per-incident examples of how it was applied to attribute root causes. This directly affects verifiability of the five-incident result.

    Authors: The referee correctly notes that the manuscript provides only a high-level description. We will expand the 'Ontology Infrastructure' section to include: the data sources and crawling methodology used to cover the 8,000+ protocols, the ontology schema and its validation procedures against known incidents, the dependency extraction algorithms, and concrete per-incident examples (including the two highest-systemic-impact events) showing how the infrastructure was applied to attribute root causes. This will enable readers to assess reproducibility.
    Revision: yes

Circularity Check

0 steps flagged

No significant circularity in the derivation chain

Full rationale

The paper extends an external six-dimension taxonomy (Moody's Analytics and Gauntlet) with three novel dimensions, grounding the extension in retrospective analysis of 12 historical incidents via a described ontology infrastructure covering over 8,000 protocols. This does not reduce to self-definition, fitted inputs renamed as predictions, or load-bearing self-citations, as the ontology is presented as an independent structural map and the incidents are external events. No equations, uniqueness theorems, or ansatzes are shown to make the claim that five incidents require novel dimensions equivalent to the inputs by construction. The derivation remains self-contained against the stated external benchmarks and taxonomy.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 3 invented entities

The central claim rests on the unproven accuracy of the authors' ontology infrastructure and on the representativeness of the 12 selected incidents; no free parameters are fitted but several domain assumptions are invoked without external validation.

axioms (2)
  • domain assumption: The six-dimension taxonomy introduced by Moody's Analytics and Gauntlet constitutes a valid and complete base that can be extended without re-derivation.
    The paper states it extends this taxonomy directly.
  • domain assumption: The ontology-based analysis of more than 8,000 protocols accurately captures structural dependencies relevant to risk.
    This infrastructure is presented as the grounding for the framework and incident analysis.
invented entities (3)
  • composability risk (no independent evidence)
    purpose: To quantify risks arising from protocol interdependencies and composability.
    Introduced as one of the three novel dimensions.
  • comprehension debt (no independent evidence)
    purpose: To capture risks stemming from incomplete understanding of complex protocol mechanics.
    Introduced as one of the three novel dimensions.
  • temporal risk dynamics (no independent evidence)
    purpose: To account for how risk profiles evolve over time.
    Introduced as one of the three novel dimensions.

pith-pipeline@v0.9.0 · 5507 in / 1666 out tokens · 60990 ms · 2026-05-08T16:38:55.791347+00:00 · methodology


Reference graph

Works this paper leans on


  1. [1] S&P Global Ratings, "S&P Global Ratings Corporate Methodology," S&P Global, Jan. 7, 2024; R. C. Merton, "On the pricing of corporate debt: The risk structure of interest rates," Journal of Finance, vol. 29, no. 2, pp. 449–470, May 1974, doi: 10.1111/j.1540-6261.1974.tb03058.x
  2. [2] Basel Committee on Banking Supervision, Basel III: Finalizing post-crisis reforms, BCBS d424, Bank for International Settlements, Dec. 2017
  3. [3] Moody's Analytics and Gauntlet, Block by Block: Assessing Risk in Decentralized Finance, Moody's Investors Service, Jan. 2022
  4. [4] S. M. Werner, D. Perez, L. Gudgeon, A. Klages-Mundt, D. Harz, and W. J. Knottenbelt, "SoK: Decentralized finance (DeFi)," in Proc. 4th ACM Conf. Advances in Financial Technologies (AFT '22), Sep. 2022, pp. 30–46, doi: 10.1145/3558535.3559780. Preprint: arXiv:2101.08778
  5. [5] K. Gogol, C. Killer, M. Schlosser, T. Bocek, B. Stiller, and C. J. Tessone, "SoK: Decentralized finance (DeFi) — Fundamentals, taxonomy and risks," arXiv:2404.11281 [q-fin.GN], Apr. 2024
  6. [6] Enterprise Ethereum Alliance, EEA DeFi Risk Assessment Guidelines, Version 1, Jul. 17, 2024; D. Kuang, O. Rivera, and M. Lebbar, "Assessing risk in DeFi — The Exponential whitepaper," Exponential.fi, ca. 2023
  7. [7] DeFi Safety, Process Quality Review (PQR) Methodology, Version 0.9, DeFi Safety, 2023; O. Goldberg, "Chaos Labs Is Leaving Aave," Aave Governance Forum, Topic 24386, posted Apr. 6, 2026. https://governance.aave.com/t/chaos-labs-is-leaving-aave/24386
  8. [8] L. Eisenberg and T. H. Noe, "Systemic risk in financial systems," Management Science, vol. 47, no. 2, pp. 236–249, Feb. 2001, doi: 10.1287/mnsc.47.2.236.9835
  9. [9] S. Battiston, M. Puliga, R. Kaushik, P. Tasca, and G. Caldarelli, "DebtRank: Too central to fail? Financial networks, the FED and systemic risk," Scientific Reports, vol. 2, art. 541, Aug. 2012, doi: 10.1038/srep00541
  10. [10] D. Acemoglu, A. Ozdaglar, and A. Tahbaz-Salehi, "Systemic risk and stability in financial networks," American Economic Review, vol. 105, no. 2, pp. 564–608, Feb. 2015, doi: 10.1257/aer.20130456
  11. [11] S. Zhang et al., "Systemic risk in DeFi: A network-based fragility analysis of TVL dynamics," arXiv:2601.08540 [q-fin.RM], Jan. 2026
  12. [12] W. Wu et al., "DeXposure: A dataset and benchmarks for inter-protocol credit exposure in decentralized financial networks," arXiv:2511.22314 [cs.CR], Nov. 2025
  13. [13] A. Shu et al., "DeXposure-FM: A time-series, graph foundation model for credit exposures and stability on decentralized financial networks," arXiv:2602.03981 [cs.LG], Feb. 2026
  14. [14] S. Aufiero et al., "Mapping microscopic and systemic risks in TradFi and DeFi: A literature review," arXiv:2508.12007 [q-fin.RM], Aug. 2025
  15. [15] L. Gonon, T. Meyer-Brandis, and N. Weber, "Computing systemic risk measures with graph neural networks," arXiv:2410.07222 [q-fin.RM], Oct. 2024
  16. [16] C. Donnelly and P. Embrechts, "The devil is in the tails: Actuarial mathematics and the subprime mortgage crisis," ASTIN Bulletin, vol. 40, no. 1, pp. 1–33, May 2010, doi: 10.1017/S0515036100015907
  17. [17] D. MacKenzie and T. Spears, "'The formula that killed Wall Street': The Gaussian copula and modelling practices in investment banking," Social Studies of Science, vol. 44, no. 3, pp. 393–417, Jun. 2014, doi: 10.1177/0306312713517157
  18. [18] T. Lebo, S. Sahoo, and D. McGuinness, Eds., PROV-O: The PROV Ontology, W3C Recommendation, Apr. 30, 2013
  19. [19] L. Zhou, X. Xiong, J. Ernstberger, S. Chaliasos, Z. Wang, Y. Wang, K. Qin, R. Wattenhofer, D. Song, and A. Gervais, "SoK: Decentralized Finance (DeFi) Attacks," in Proc. 2023 IEEE Symp. Security and Privacy (SP), May 2023, pp. 2444–2461, doi: 10.1109/SP46215.2023.10179435. Preprint: arXiv:2208.13035
  20. [20] @PeckShieldAlert, post on X (Twitter), Apr. 1, 2026, introducing the term "shadow contagion" in connection with the Resolv incident. Corroborated and elaborated in: Sherlock Research Team, The Sherlock Web3 Security Report, Q1 2026, Sherlock, Apr. 6, 2026
  21. [21] M. O. Ahmad, "Comprehension debt in GenAI-assisted software engineering projects," arXiv:2604.13277 [cs.SE], Apr. 2026
  22. [22] M.-A. Storey et al., "From technical debt to cognitive and intent debt: Rethinking software health in the age of AI," arXiv:2603.22106 [cs.SE], Mar. 2026
  23. [23] J. H. Shen and A. Tamkin, "How AI impacts skill formation," arXiv:2601.20245 [cs.LG], Feb. 2026; T. Baum, K. Schneider, and A. Bacchelli, "Associating working memory capacity and code change ordering with code review performance," Empirical Software Engineering, vol. 24, no. 4, pp. 1762–1798, Aug. 2019, doi: 10.1007/s10664-018-9676-8
  24. [24] P. Wurzel Gonçalves, E. Fregnan, T. Baum, K. Schneider, and A. Bacchelli, "Do explicit review strategies improve code review performance? Towards understanding the role of cognitive load," Empirical Software Engineering, vol. 27, no. 4, art. 99, Jul. 2022, doi: 10.1007/s10664-022-10123-8
  25. [25] Z. Wan, X. Xia, D. Lo, J. Chen, X. Luo, and X. Yang, "Smart contract security: A practitioners' perspective," in Proc. IEEE/ACM 43rd Int. Conf. Software Engineering (ICSE '21), May 2021, pp. 1410–1422, doi: 10.1109/ICSE43902.2021.00127
  26. [26] T. B. Ionescu, S. Schlund, and C. Schmidbauer, "Epistemic debt: A concept and measure of technical ignorance in smart manufacturing," in Advances in Production Management Systems (APMS 2019), IFIP AICT, vol. 567, Springer, 2020, pp. 60–68, doi: 10.1007/978-3-030-29996-5_7
  27. [27] M. Farzulla and A. Maksakov, "ASRI: An aggregated systemic risk index for cryptocurrency markets," arXiv:2602.03874 [q-fin.RM], Feb. 2026
  28. [28] A. Born, Z. Gati, C. Lambert, M. Naeem, and A. Pellicani, "Who to regulate? Identifying actors within DeFi's governance," ECB Working Paper Series No. 3208, European Central Bank, Mar. 2026
  29. [29] S. Chaliasos, M. A. Charalambous, L. Zhou, R. Galanopoulou, A. Gervais, D. Mitropoulos, and B. Livshits, "Smart contract and DeFi security tools: Do they meet the needs of practitioners?," in Proc. IEEE/ACM 46th Int. Conf. Software Engineering (ICSE '24), Apr. 2024, art. 60, pp. 1–13, doi: 10.1145/3597503.3623302. Preprint: arXiv:2304.02981