Rating Methodology
A comprehensive framework for assessing risk and performance in decentralized yield vaults.
1. Executive Summary
Notara employs a dual-rating system designed to provide institutional and retail participants with actionable intelligence on decentralized yield vaults. Our methodology addresses two fundamental questions:
- Risk Tier: “What is the structural risk profile of this vault?” Categorical assessment: Prime, Core, or Edge.
- Performance Grade: “Is the vault delivering competitive risk-adjusted returns?” Relative ranking: A+ through F.
This separation enables users to independently evaluate risk tolerance and return expectations, rather than conflating these distinct considerations into a single metric.
2. Risk Assessment Framework
2.1 Framework Design Principles
Our risk assessment framework is constructed around four core principles:
- Objectivity: Factors are defined with explicit, measurable criteria to minimize subjective interpretation.
- Transparency: All scoring criteria are publicly documented. Users can independently verify factor scores.
- Conservatism: When data is ambiguous or unavailable, the framework defaults to more conservative (higher risk) assessments.
- Relevance: Factors are selected based on their empirical correlation with historical DeFi security incidents and vault failures.
2.2 Risk Tier Definitions
| Tier | Score Range | Characteristics |
|---|---|---|
| Prime | 8-10 | Established protocols with comprehensive audits, significant operational history, and conservative strategy implementations. Suitable for risk-averse capital allocation. |
| Core | 5-7 | Solid fundamentals with moderate risk factors. May include newer protocols with strong audits or established protocols with more complex strategies. |
| Edge | 0-4 | Elevated risk profile. May include unaudited protocols, complex leveraged strategies, or vaults with limited operational history. Higher potential returns with correspondingly higher risk. |
3. Risk Factor Definitions
Each vault is evaluated across five discrete risk factors. Each factor receives a score of 0 (highest risk), 1 (moderate risk), or 2 (lowest risk).
3.1 Audit Status
Evaluates the extent and quality of independent security audits performed on the vault's smart contract code.
| Score | Criteria |
|---|---|
| 2 | Audited by a recognized security firm with full coverage of deployed contracts |
| 1 | Partial audit coverage, audit by lesser-known firm, or audit conducted >18 months prior |
| 0 | No independent security audit |
Recognized audit firms include: Trail of Bits, OpenZeppelin, Spearbit, Cantina, Consensys Diligence, ChainSecurity, Sherlock, Code4rena (competitive audits with sufficient prize pools).
Protocol version consideration: Audits are tracked at the protocol version level. For example, Aave v3-lido may have different audit coverage than Aave v3 core.
3.2 Protocol Maturity
Measures the operational track record of the underlying protocol based on deployment duration and code stability.
| Score | Criteria |
|---|---|
| 2 | 12+ months since deployment with no major contract changes in past 6 months |
| 1 | 6-12 months deployed, OR <6 months but fork of battle-tested code |
| 0 | <6 months deployed |
Major contract change definition: Any upgrade that modifies core logic (deposits, withdrawals, strategy execution). Parameter changes (fees, caps) do not qualify.
3.3 Incident History
Assesses historical security incidents affecting the vault or its underlying protocol.
| Score | Criteria |
|---|---|
| 2 | Zero incidents on this vault AND zero incidents on underlying protocol |
| 1 | Protocol-level incident (different vault) fully remediated, OR minor vault incident (<$100K, remediated, >6 months ago) |
| 0 | Major vault incident (>$100K or funds not recovered), OR any unresolved incident |
Remediation definition: Root cause identified, fix deployed, audit of fix completed (if applicable), and 3+ months passed without recurrence.
3.4 Strategy Complexity
Evaluates the inherent complexity and risk profile of the vault's yield-generating strategy.
| Score | Criteria |
|---|---|
| 2 | Simple strategy type + no leverage + all dependencies audited + blue-chip assets only |
| 1 | Moderate strategy type, OR leverage <2x, OR one minor unaudited dependency, OR non-blue-chip assets |
| 0 | Complex strategy type, OR leverage ≥2x, OR core unaudited dependency |
Strategy Type Classifications
| Classification | Strategy Types | Description |
|---|---|---|
| Simple | Lending, Liquidity Provision | Direct deposit strategies with predictable mechanics |
| Moderate | Yield Aggregation, Points Farming, Restaking, Fixed Rate | Multiple protocol dependencies or novel mechanics |
| Complex | Leveraged Lending, Delta Neutral, Options/Derivatives | Amplified exposure, hedging requirements, or derivative instruments |
Asset Classifications
| Classification | Assets |
|---|---|
| Blue-chip | USDC, USDT, DAI, FRAX, LUSD, ETH, WETH, stETH, wstETH, cbETH, rETH, WBTC, tBTC |
| Established | LINK, UNI, AAVE, MKR, LDO, CRV, ARB, OP, SNX, COMP |
| Other | All other assets |
3.5 Upgradeability
Assesses the ability for contract administrators to modify vault behavior and the safeguards in place.
| Score | Criteria |
|---|---|
| 2 | Immutable (no upgrade mechanism) OR upgradeable with ≥7 day timelock |
| 1 | Upgradeable with 2-7 day timelock |
| 0 | Upgradeable with <2 day timelock OR instant upgrade capability |
Immutability definition: No proxy pattern, no admin functions that can modify core logic, no mechanism to change contract behavior post-deployment.
4. Risk Tier Calculation
4.1 Scoring Methodology
The total risk score is calculated as the sum of all five factor scores, yielding a range of 0-10. Tier assignment follows this mapping:
| Total Score | Risk Tier |
|---|---|
| 8-10 | Prime |
| 5-7 | Core |
| 0-4 | Edge |
4.2 Override Rules
Certain conditions trigger automatic tier adjustments regardless of total score:
| Condition | Effect |
|---|---|
| Any factor scores 0 | Cannot achieve Prime tier (maximum: Core) |
| Two or more factors score 0 | Forced to Edge tier |
| No audit (Audit Status = 0) | Forced to Edge tier |
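The tier mapping in 4.1 and the overrides in 4.2 interact: a vault can sum to 8 and still be capped or forced down. The sketch below is an added example, not Notara's implementation; the function names, the treatment of a 7-day timelock as score 2, and the scoring of missing data as 0 (following the conservatism principle in 2.1) are assumptions.

```python
# Added example, not Notara's implementation. Function names and the handling
# of boundaries and missing data are assumptions noted inline.
FACTORS = ("audit_status", "protocol_maturity", "incident_history",
           "strategy_complexity", "upgradeability")


def upgradeability_score(upgradeable, timelock_days=None):
    """Section 3.5. Assumptions: exactly 7 days scores 2 (the ">=7" row wins),
    and an unknown timelock is scored as instant (conservatism principle)."""
    if not upgradeable:
        return 2
    if timelock_days is None or timelock_days < 2:
        return 0
    return 2 if timelock_days >= 7 else 1


def risk_tier(scores):
    """Return (total, tier, overrides_applied) for a factor -> score mapping.
    Assumption: a missing or None factor is scored 0 (conservatism principle)."""
    filled = {f: (0 if scores.get(f) is None else scores[f]) for f in FACTORS}
    if any(s not in (0, 1, 2) for s in filled.values()):
        raise ValueError("factor scores must be 0, 1 or 2")
    total = sum(filled.values())
    tier = "Prime" if total >= 8 else "Core" if total >= 5 else "Edge"
    zeros = [f for f, s in filled.items() if s == 0]
    applied = []
    if zeros and tier == "Prime":
        tier = "Core"
        applied.append("a factor scored 0: capped at Core")
    if len(zeros) >= 2 and tier != "Edge":
        tier = "Edge"
        applied.append("two or more factors scored 0: forced to Edge")
    if filled["audit_status"] == 0 and tier != "Edge":
        tier = "Edge"
        applied.append("no audit: forced to Edge")
    return total, tier, applied


if __name__ == "__main__":
    # Constructed vault: fully audited, but upgradeable behind a 1-day timelock.
    vault = dict.fromkeys(FACTORS, 2)
    vault["upgradeability"] = upgradeability_score(True, timelock_days=1)
    print(risk_tier(vault))  # total is 8, yet the tier is capped at Core
```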
4.3 Warning Flags
Additional contextual warnings are displayed alongside tier ratings but do not affect the tier calculation:
| Condition | Warning |
|---|---|
| TVL < $100K | Limited liquidity |
| Deployed < 1 month | New vault — limited track record |
| Deployed 1-3 months | Recently deployed |
5. Performance Measurement
5.1 Objective
The performance grade measures whether a vault delivers competitive returns relative to comparable alternatives. This enables users to identify outperforming vaults within their selected risk tolerance.
5.2 Peer Group Construction
Vaults are compared exclusively against peers holding the same underlying asset. This ensures like-for-like comparison:
- USDC vaults compete with other USDC vaults
- WETH vaults compete with other WETH vaults
- wstETH vaults compete with other wstETH vaults
Note: Risk tier is intentionally excluded from peer group construction. A Prime USDC vault competes with all USDC vaults regardless of tier, enabling users to assess whether lower-risk options sacrifice meaningful returns.
5.3 Performance Metric
Performance is measured using average APR over the available data period. APR is calculated based on share price appreciation, which reflects actual returns received by depositors inclusive of:
- Base yield (lending interest, trading fees, etc.)
- Reward token emissions (auto-compounded)
- Protocol fees (deducted)
5.4 Grade Assignment
Grades are assigned based on percentile ranking within the peer group:
| Grade | Percentile | Interpretation |
|---|---|---|
| A+ | Top 5% | Exceptional performer |
| A | Top 15% | Strong performer |
| B+ | Top 30% | Above average |
| B | Top 50% | Average |
| C | Bottom 50% | Below average |
| D | Bottom 15% | Weak performer |
| F | Bottom 5% | Poor performer |
5.5 Data Exclusions
The following vaults are excluded from performance grading:
- APR = 0%: Indicates inactive or deprecated vault
- APR < 0%: Vault is losing value (may indicate withdrawal fees or losses)
- Peer group < 5 vaults: Insufficient sample size for meaningful comparison; grade displays as “—”
5.6 Suspicious Yield Flag
Vaults exhibiting APR exceeding 5x the median of their peer group are flagged with a warning: “Greatly outperforming — verify sustainability.” This flag does not affect the grade but alerts users to potential unsustainable incentives or hidden risks.
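The grading steps in 5.4 to 5.6 can be combined into one pass over a peer group, shown here as an added example that is not Notara's implementation. Assumptions: percentile is rank divided by the number of eligible peers, the top bands are checked before the bottom bands, the minimum peer count and the median are taken after exclusions, ties are ordered by name, and the sample APRs are constructed.

```python
# Added example, not Notara's implementation; see the assumptions in the lead-in.
from statistics import median

TOP = ((5, "A+"), (15, "A"), (30, "B+"), (50, "B"))   # "Top N%" bands from 5.4
BOTTOM = ((5, "F"), (15, "D"))                          # "Bottom N%" bands from 5.4


def grade_peer_group(aprs, min_peers=5, flag_multiple=5):
    """aprs maps vault name -> average APR (%) for ONE underlying asset.
    Returns vault -> (grade or None, suspicious_yield_flag).
    None means ungraded (excluded vault or peer group too small)."""
    result = {v: (None, False) for v in aprs}
    eligible = {v: a for v, a in aprs.items() if a > 0}  # 5.5: APR <= 0 excluded
    n = len(eligible)
    if n < min_peers:                                     # 5.5: fewer than 5 peers
        return result
    med = median(eligible.values())
    ranked = sorted(eligible, key=lambda v: (-eligible[v], v))  # best APR first
    for rank, vault in enumerate(ranked, start=1):
        from_bottom = n - rank + 1
        # Integer comparison (rank * 100 <= cut * n) avoids float rounding.
        grade = next((g for cut, g in TOP if rank * 100 <= cut * n), None)
        if grade is None:
            grade = next((g for cut, g in BOTTOM
                          if from_bottom * 100 <= cut * n), "C")
        # 5.6: the flag is informational and never changes the grade.
        result[vault] = (grade, eligible[vault] > flag_multiple * med)
    return result


# Constructed USDC peer group: v02..v20 pay 19%..1%, v01 pays an outlier 60%,
# and two vaults fall under the exclusions in 5.5.
SAMPLE = {f"v{i:02d}": float(21 - i) for i in range(2, 21)}
SAMPLE.update({"v01": 60.0, "dead": 0.0, "loss": -1.5})

if __name__ == "__main__":
    for name, (grade, flagged) in sorted(grade_peer_group(SAMPLE).items()):
        print(name, grade, "FLAG" if flagged else "")
```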
6. Data Sources & Validation
6.1 Data Source Summary
| Data Point | Source | Update Frequency |
|---|---|---|
| Price per share | On-chain | Daily |
| Total Value Locked | On-chain | Daily |
| Contract deployment date | On-chain | Once (immutable) |
| Timelock configuration | On-chain + manual fallback | On change |
| Audit status | Manual input | On new audit |
| Incident history | Manual input | On incident |
| Strategy classification | Manual input | On vault creation |
6.2 On-Chain Data
Where possible, data is sourced directly from blockchain state to ensure accuracy and verifiability. On-chain data includes share prices (for APR calculation), TVL, contract deployment timestamps, and timelock configurations.
6.3 Manual Data
Certain data points require manual research and input, including audit reports, incident history, and strategy classifications. Manual data undergoes review processes and is updated as new information becomes available.
6.4 Update Schedule
| Component | Frequency |
|---|---|
| Share price / TVL snapshots | Daily |
| Performance metrics | Daily (after snapshot) |
| Performance grades | Daily |
| Risk tier | On input change |
| Full manual review | Quarterly |
7. Methodology Exclusions
The following factors are intentionally excluded from our risk assessment:
| Excluded Factor | Rationale |
|---|---|
| Team / curator identity | Anonymity is a valid operational model in DeFi; we assess the vault, not individuals |
| Asset price volatility | We assess vault execution quality, not underlying asset selection |
| TVL size (above $100K) | Scale does not inherently correlate with security; large protocols have been exploited |
| Governance token price | Not relevant to vault security or operational quality |
| Social metrics | Community size does not predict security outcomes or performance |
8. Limitations & Disclosures
Important Disclosures
- Notara ratings and grades are not investment recommendations.
- All information is provided for educational purposes only.
- Past performance does not guarantee future results.
- Users should conduct independent due diligence before making investment decisions.
8.1 Data Limitations
- Data accuracy: While we strive for accuracy, data may contain errors from source systems, calculation methodology, or manual input.
- Data timeliness: There may be delays between on-chain events and their reflection in our data.
- Data completeness: We may not have access to all relevant information about every vault or protocol.
8.2 Methodology Limitations
- Historical basis: Risk factors are based on historical patterns that may not predict future events.
- Subjective elements: Some classifications (strategy complexity, audit quality) involve subjective judgment.
- Unknown risks: Novel attack vectors or failure modes may not be captured by existing factors.
- Correlation limitations: Factor scores do not capture potential correlations between risks.
8.3 Scope Limitations
- No absolute safety: A Prime rating does not indicate a vault is “safe” — all DeFi carries substantial risk.
- No performance guarantee: High grades reflect historical relative performance, not future expectations.
- No endorsement: Inclusion of a vault does not constitute endorsement or recommendation.
8.4 Methodology Updates
This methodology may be updated periodically to reflect the evolving DeFi landscape, improved data sources, or enhanced analytical techniques. Material changes will be documented with version updates. Historical ratings are not retroactively adjusted for methodology changes.
For questions about this methodology, please see our FAQ or review our Disclaimer.
Document version 1.0 · Last updated January 2026