Links

Risk evaluation

We aproach the evaluation using several aspects.

TVL impact

The TVL (total value locked) impact is a figure between 1 and 5 as well, where 1 is the lowest impact labeled “low” (above 50MM) and 5 is the highest impact in TVL less than 100k. This table measures how to allocate to new riskier strategies without having a catastrophic event in case of a hack or issue. The TVL is measured in USD and grows dynamically based on strategies allocations onchain. At 2Pi keep track of the TVL and risk score to make fund allocation decisions and mitigations if a strategy group has fallen into the “red” high-risk zone:
TVL Impact
Score
Extreme: less than USD 100K
5
Very high: less than USD 1M
4
High: less than USD 10M
3
Medium: less than USD 50M
2
Low: > USD 50M
1

Testing

Testing score is a metric of how much of the codebase for the strategy has been tested. It uses the test coverage number as a reference, higher coverage means the developer/strategist took time to test most of the operations of the strategy in a unit test or fork environment. This score assumes a less tested strategy entails more risk since we know less about what is expected from the code:
% Covered
Score
Less than 20% coverage in testing
5
Less than 40% coverage in testing
4
40% to 80% coverage
3
80% to 90% coverage
2
Over 90% coverage in testing
1

Protocol safety

We leverage the deep DD procees implemented by DeFiSafety, and we make the different disctintion:
% in DefiSafety
Score
< than 10% or no DD by Defisafety
5
10% to 49% score
4
50% to 84% score
3
75% to 89% score
2
> than 90% score
1

Audit

Auditing is the process where an audit firm or an external security researcher reviews the code for any potential vulnerabilities and presents a report for mitigation. Audits usually take longer than an internal security review and are not immediately available given the demand for audits in the space, so most strategies are sent to production with no audits (thus high-risk score) to keep their TVL limited. This strikes a balance of validating the strategy in production with a calculated risk while we schedule a proper audit. The risk score helps us prioritize which strategies should get audited first, based on impact and other dimensions of scoring:
Audit status
Score
No audit by a trusted firm or security researcher
5
Audit by trusted firm or security researcher took place 6 months+ ago
4
Audit by trusted firm or security researcher took place 3 months+ ago
3
Audit less than 3 months ago. Independent audit by a trusted firm.
2
Audit less than 3 months ago. In total, 3 or more independent audits by trusted firms.
1

Strategy complexity

Here we asses how much code, found movements and other related steps are involved on the process of earning yield.
Complexity
Score
Strategy that comprise a potential IL and leverage position with IL
5
Strategy that compromise leverage position with different assets
4
Strategy with pool of assets not battletested
3
Strategy of auto compounding and a combination of a secondary strategy on top
2
Strategy of auto compounding only
1

Longevity

How long the strategy has been running live on 2Pi:
Score Longevity
Text
New code. Released less than 1 week ago
5
Code has been live less than a month
4
Code has been live 1-4 months
3
Code live 4+ months
2
Code live 8+ months. No critical issues and no changes in code base over this time
1