CORE3

Why digital asset risk assessment needs more than TVL


Intro

Crypto keeps asking for another trillion in market cap. Institutional allocations. Enterprise use. The wait has gone on for years.

But institutions that want crypto to do real work do not want to run chains or babysit brittle infrastructure. Then comes the part the industry never handled: risk. Crypto left institutions to deal with it on their own.

Every protocol behaves differently. Every chain is built differently. The market offers no common ground. No shared standard. No agreed way to measure risk across protocols, chains, or asset types. Faced with that gap, institutions fall back on habit and build everything themselves.

Coinlaw reports that in 2025, 72% of institutional Web3 participants ran their own formal crypto risk programs. They rely on internal models, checklists, and teams to produce long reports. Those reports would be unnecessary if, after nearly 20 years, the industry had produced a shared risk standard.

What crypto risk metrics are available to the market?

Here's what the market actually provides for risk assessment:

  1. TVL tracks capital in a protocol, not whether that capital is safe. Terra held $40 billion before collapsing overnight.
  2. Market cap reflects token demand, not system health. Price can surge while security erodes.
  3. Audit status is binary and frozen in time. 80% of exploited protocols in 2024 had none. Many that did still failed.
  4. GitHub activity counts commits without context. The most stable protocols often have the least activity.
  5. On-chain activity monitoring tracks wallet clusters and assesses transaction risks and counterparty behaviors.
  6. Social metrics measure marketing spend. The loudest communities typically surround the most fragile projects.

These signals answer one question: is a project popular right now? None answer the harder one: will it break? Worse, five of the six can be inflated, rented, or faked. Only audits resist direct manipulation, and even they lose value once the ink is dry and time passes.

The result of relying on these is clear, and it’s not optimistic: in 2024-2025, access control failures and private key compromises accounted for the majority of losses, erasing ~$3.5B from the crypto industry. These are failures that a standardized risk assessment would have flagged before the first dollar went in.

Retrospectively, it’s easy to state that there were signals, but what was missing was a system that could read them in time.

How probability of loss works

CORE3 offers due diligence as infrastructure. The output is a single number: Probability of Loss, or PoL — a forward-looking score from 0 to 100 estimating the chance of financial loss when engaging with a crypto project. It aggregates 98 data points across six weighted domains, to quantify the risk exposure of any project in Web3:

| Category | Weight | What it measures |
|---|---|---|
| Security | 35% | Audit remediation, key management, incident history, bug bounties |
| Operational | 20% | Team structure, business continuity, infrastructure redundancy |
| Financial | 15% | Proof of reserves, treasury transparency, liquidity depth |
| Dependency | 15% | Oracle reliance, bridge exposure, third-party risk |
| Reputational | 10% | Track record, disclosure habits, communication quality |
| Compliance | 5% | Licensing status, regulatory posture |

The weighting reflects where collapses actually originate.

Security failures accounted for 47% of capital extraction in 2022, while operational failures are the most exploited vector in 2025.

The scoring architecture has three layers: conditions (verifiable states like "3-of-5 multi-sig enabled") roll up into metrics (smart contract risk, governance maturity), which roll up into the categories that produce the final score.

The methodology is public. Every weight, every condition, every threshold. If a score looks wrong, it can be traced to every single data point.

How it works on an example

Project ABC gets assessed:

Security: 75. Contracts were audited and most issues fixed, but admin keys use a 2-of-3 multi-sig while the field is shifting toward 3-of-5. A bug bounty exists, but the payout cap is low. 

Operations: 90. The team is public, experienced, and clearly structured. A business continuity plan exists and has been tested. Infrastructure runs on redundant, enterprise providers. 

Financial: 80. Proof of reserves is published monthly with third-party checks. Treasury runway covers 18 months. Liquidity is fine, but concentrated on two exchanges.

Reputation: 50. Two years old, no major incidents, but uneven communication. Docs lag behind development. 

Compliance: 60. No formal license, but legal counsel is engaged, and the structure avoids obvious regulatory risks. 

Dependency: 65. The protocol relies on Chainlink oracles — proven, but still a single point of failure. 

So the project receives scores based on these and ~80 more parameters:

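| Category | Score | Weight | Weighted |
|---|---|---|---|
| Security | 75 | 35% | 26.25 |
| Operational | 90 | 20% | 18.00 |
| Financial | 80 | 15% | 12.00 |
| Dependency | 65 | 15% | 9.75 |
| Reputational | 50 | 10% | 5.00 |
| Compliance | 60 | 5% | 3.00 |
| Total | | | 74.00 |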

Final probability of loss: 26 | Rating: BBB | High Confidence

Strong operations and decent security offset weaker reputation and passive compliance. Flip those numbers to “great reputation, weak security,” and the same average hides a much worse risk profile.

For the institution, the PoL becomes a marker of risk allocated to a single project. For a project, the risk score becomes a roadmap: 

  • Upgrade to 3-of-5 multi-sig, security improves.
  • Raise bug bounty caps, another bump.
  • Three years of longevity trigger a multiplier up to 1.3x PoL.
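The arithmetic of the Project ABC example and the roadmap idea above, as an added Python illustration (not CORE3's code): it uses the page's six weights and category scores, keeps per-category contributions so a total can be traced, compares the flipped security/reputation profile, and ranks which category moves the score most. Assumptions: PoL = 100 minus the weighted total is inferred from the page's 74.00 and 26, and the 10-point improvement step in `roadmap` is hypothetical.

```python
# Added illustration; weights and Project ABC scores are the page's figures.
WEIGHTS = {"Security": 35, "Operational": 20, "Financial": 15,
           "Dependency": 15, "Reputational": 10, "Compliance": 5}  # percent

PROJECT_ABC = {"Security": 75, "Operational": 90, "Financial": 80,
               "Dependency": 65, "Reputational": 50, "Compliance": 60}


def contributions(scores, weights=WEIGHTS):
    """Per-category weighted points, so a total can be traced to its inputs."""
    if sum(weights.values()) != 100:
        raise ValueError("weights must sum to 100%")
    if set(scores) != set(weights):
        raise ValueError(f"category mismatch: {sorted(set(scores) ^ set(weights))}")
    for name, s in scores.items():
        if not 0 <= s <= 100:
            raise ValueError(f"{name} score {s} outside 0-100")
    return {name: scores[name] * weights[name] / 100 for name in weights}


def probability_of_loss(scores, weights=WEIGHTS):
    """ASSUMPTION: PoL = 100 - weighted total (inferred from 74.00 -> 26)."""
    return 100 - sum(contributions(scores, weights).values())


def swap(scores, a, b):
    """Copy of scores with the values of two categories exchanged."""
    out = dict(scores)
    out[a], out[b] = scores[b], scores[a]
    return out


def roadmap(scores, step=10, weights=WEIGHTS):
    """PoL reduction from raising each category by a hypothetical `step` points."""
    base = probability_of_loss(scores, weights)
    gains = {}
    for name in weights:
        bumped = dict(scores, **{name: min(100, scores[name] + step)})
        gains[name] = base - probability_of_loss(bumped, weights)
    return sorted(gains.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    flipped = swap(PROJECT_ABC, "Security", "Reputational")
    for label, s in (("Project ABC", PROJECT_ABC), ("flipped", flipped)):
        print(label, "mean", sum(s.values()) / 6, "PoL", probability_of_loss(s))
    print(roadmap(PROJECT_ABC))
```

Both profiles have the same plain average of 70, but the flipped one scores a higher probability of loss because security carries 35% of the weight.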

What changes with probability of loss as a shared metric for crypto risk?

Due diligence stops being a custom build. With PoL, it’s done once, the same way, and reused. The last step is choosing whether to act on it.

For builders, PoL turns risk work into something the market can see, with each fix, upgrade, or architecture change moving the number. Credibility becomes trackable and comparable: a project dropping from 45 to 22 probability of loss in six months shows steady work on transparency and security the market wants to see.

For listing teams, PoL provides a pre-screening digital asset risk assessment layer that surfaces what due diligence often misses: which tokens carry elevated delisting risk, how likely a project is to violate listing conditions within months of going live, and what exposure the exchange's traders and market makers inherit from day one. 

For institutions, PoL replaces internal guesswork with one comparable input that fits existing workflows. There’s no need to stitch together audits, social noise, and instinct. The rule becomes simple: pick the least risky counterparty that can handle real enterprise use.

For Web3 investors, PoL offers public access to the deepest risk read a project can have.

13.4 million crypto projects failed between 2021 and 2025 — nearly one in three launches. The signals of future failure existed. The infrastructure to read them didn't.

Now it does.

Author

Dmytro Zaporozhchenko, CORE3 content lead, has a background in public relations for cybersecurity firms, centralized exchanges, and DeFi projects. 

