Credora is proposing an enhancement to the Network Protocol Probability of Default (PD) calculation, a component of the Smart Contract Custody Sub-Methodology. The enhancement introduces a model to more robustly quantify base smart contract exploit risk per network, considering the relative maturity and development of blockchain ecosystems.
The Network Protocol PD quantifies the average annualized probability that a protocol operating on a specific network will experience an exploit event. It captures the baseline risk inherent to protocols that use smart contract custody solutions, encompassing both mature protocols and newer unaudited protocols. This baseline serves as the foundation for further refinement through various adjustments, allowing Credora to account for protocol-specific characteristics that correlate with either reduced or increased exploit risk. Subsequent adjustments—including those related to audit quality, contract maturity, and operational dependencies—are applied to ensure that the final PD appropriately reflects the unique risk profile of individual decentralized finance (DeFi) protocols.
The enhanced model leverages network maturity as the primary determinant of exploit vulnerability, ensuring that the Network Protocol PD evolves alongside network growth. This change strengthens the foundation of Credora’s assessment of smart contract custody risk, providing a robust and adaptable framework for capturing systemic network-level exploit risks.
Current Methodology
Under the current methodology, the Network Protocol PD is determined based on historical exploit rates observed on the Ethereum network, using empirical data to establish an annualized default estimate.
Specifically:
- A quarterly protocol exploit rate is calculated for 2022 and 2023, measured as the number of exploit events divided by the estimated number of protocols. Exploit data is sourced from Immunefi, while protocol counts are estimated using DefiLlama data.
- Separately, a quarterly realized loss rate is calculated, measured as the magnitude of exploit losses relative to Ethereum’s Total Value Locked (TVL), with Loss Given Default (LGD) estimates applied to refine loss projections.
These analyses result in an annualized Network Protocol PD of approximately 4% for Ethereum. This figure reflects an average probability of default across the full range of protocols on the Ethereum network.
The 4% PD serves as the baseline risk measure for Ethereum-based protocols, where calibration multipliers are subsequently applied to account for protocol-specific characteristics.
Proposed Enhancement
The proposed enhancement updates the methodology to introduce a Negative Binomial (NB) regression model, which models exploit risk as a function of network maturity. This model incorporates two key elements:
1. Maturity-Based Risk Modeling
The model uses network maturity, defined as the number of days since the first active protocol deployment on a network, as the primary risk driver. Analysis of exploit data across multiple networks demonstrates a clear inverse relationship between network maturity and exploit frequency.
This relationship is supported by several structural and behavioral factors:
- Progressive security enhancements in network infrastructure
- Increased audits, formal verification, and improved developer practices
- Attraction of skilled developers and institutional participation
- Enhanced governance standards and robust community-driven security protocols
- Improved incident response mechanisms and tooling
2. Empirical Data & Dynamic PD Decay
Drawing on 184 exploit events recorded from 2020 to 2024 across seven blockchain networks (Ethereum, Arbitrum, Polygon, Avalanche, Optimism, Base, and Solana), the model identifies:
- A 2.5% annualized baseline PD at the point when the first protocol becomes active on a network.
- A 6% annual decay rate in relative terms, reflecting the observed trend of declining exploit rates as networks mature.
For example, a network with an initial 2.5% PD would see this figure decline to approximately 2.36% after one year, assuming no material shifts in risk factors.
This approach offers a more granular, forward-looking measure of exploit vulnerability that adjusts as blockchain ecosystems evolve.
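The decay described above, worked through as an added example (not Credora's code or fitted model): it evaluates the 2.5% baseline and 6% relative annual decay at any network maturity, backs out the decay rate implied by two PD observations, and finds the maturity at which the baseline reaches a target. Assumptions: a 365-day year, two possible compounding conventions (discrete annual, and continuous as a log-link count regression on maturity would give), and hypothetical function names.

```python
import math

# Figures stated on the page.
BASELINE_PD = 0.025    # annualized PD when a network's first protocol goes live
ANNUAL_DECAY = 0.06    # relative decline in PD per year of network maturity
DAYS_PER_YEAR = 365.0  # assumption: the page gives no day-count convention


def network_pd(maturity_days, baseline=BASELINE_PD, decay=ANNUAL_DECAY,
               continuous=False):
    """Annualized Network Protocol PD at a given network maturity in days.

    continuous=False: baseline * (1 - decay) ** years  (discrete compounding)
    continuous=True:  baseline * exp(-decay * years)   (log-linear form)
    """
    if maturity_days < 0:
        raise ValueError("maturity_days must be non-negative")
    if not 0 <= decay < 1:
        raise ValueError("decay must be in [0, 1)")
    years = maturity_days / DAYS_PER_YEAR
    if continuous:
        return baseline * math.exp(-decay * years)
    return baseline * (1.0 - decay) ** years


def implied_annual_decay(pd_start, pd_end, years=1.0):
    """Relative annual decay that takes pd_start to pd_end over `years`."""
    if pd_start <= 0 or pd_end <= 0 or years <= 0:
        raise ValueError("inputs must be positive")
    return 1.0 - (pd_end / pd_start) ** (1.0 / years)


def years_until(target_pd, baseline=BASELINE_PD, decay=ANNUAL_DECAY):
    """Years of maturity needed for the baseline PD to fall to target_pd."""
    if not 0 < target_pd <= baseline:
        raise ValueError("target_pd must be in (0, baseline]")
    return math.log(target_pd / baseline) / math.log(1.0 - decay)


if __name__ == "__main__":
    for yrs in (0, 1, 3, 5, 10):
        d = network_pd(yrs * DAYS_PER_YEAR)
        c = network_pd(yrs * DAYS_PER_YEAR, continuous=True)
        print(f"{yrs:>2} y  discrete {d:.4%}  continuous {c:.4%}")
    print(f"decay implied by 2.5% -> 2.36%: "
          f"{implied_annual_decay(0.025, 0.0236):.2%}")
    print(f"years to halve the baseline: {years_until(BASELINE_PD / 2):.1f}")
```

With these inputs both conventions give about 2.35% after one year, and the step from 2.5% to 2.36% corresponds to a relative annual decline of about 5.6%.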
Scope of Application
The enhanced Network Protocol PD will apply across all blockchain networks evaluated under the Credora Smart Contract Custody Sub-Methodology. It serves as the key input for assessing systemic exploit risks tied to smart contract custody structures, ensuring Credora’s token risk ratings remain responsive to changes in network maturity.
Next Steps
Credora invites feedback from market participants, developers, and risk professionals on the proposed Network Protocol PD enhancement. We are specifically seeking input on:
- The use of network maturity as the primary risk factor
- The appropriateness of the 2.5% baseline PD and 6% annual decay
- Potential application of this model to additional blockchain networks as more exploit data becomes available
Following community discussion, the implementation of the enhanced Network Protocol PD will also be accompanied by a review and adjustment of downstream modifiers within the Smart Contract Custody Sub-Methodology. These modifiers will be revisited to ensure consistency and alignment with the updated baseline PD framework.