CORE3

Why crypto compliance doesn't reflect a project's risk posture


Intro

On April 13, 2025, the MANTRA token lost 90% of its value in under 24 hours. The project had a VARA license from Dubai. It had institutional partnerships with DAMAC Properties. It had a billion-dollar RWA tokenization pipeline. In short, it had everything that's supposed to signal credibility in today's crypto market.

OM dropped from $6.30 to $0.37, wiping out more than $5.5 billion in market capitalization overnight.

The license didn't prevent 17 wallets from depositing 43.6 million OM tokens to exchanges in the hours before the crash. It didn't prevent forced liquidations cascading through thin Sunday-evening liquidity. It didn't address the fact that roughly 90% of circulating supply was concentrated in a handful of addresses, making the token's price inherently fragile regardless of what any regulator had approved.

What a crypto license covers

The confusion starts with what people think a license means.

When VARA granted MANTRA a Virtual Asset Service Provider license in February 2025, it confirmed that the project met certain organizational, AML/KYC, and disclosure requirements at the time of issuance. It authorized the project to operate as a digital asset exchange and provide broker-dealer services in the UAE.

What a VASP license does not evaluate: whether the token's liquidity can withstand a large sell order. Whether the circulating supply is concentrated enough that a few wallets moving simultaneously can trigger a death spiral. Whether institutional partners have lockup agreements that actually prevent dumping. 

After the crash, MANTRA's CEO said one of his first calls was to VARA. The regulator stayed in contact, and the license remained active. There was nothing to revoke, because the license was never designed to prevent what happened.

The compliance-risk confusion: crypto compliance, crypto risk

The industry treats crypto compliance and crypto risk as though they're the same thing: noncompliant means risky, compliant means not risky. They're not.

Compliance is backward-looking. It confirms that a project met a set of requirements at a point in time. It covers legal structure, anti-money-laundering processes, custody arrangements, and disclosure obligations. These are necessary, and we don't argue otherwise.

Risk is forward-looking. It asks, given everything measurable about this project right now, what is the probability that something goes wrong?

To be fair, modern crypto regulation frameworks aren't blind to operational concerns. MiCA, VARA, and others include requirements around cybersecurity practices, governance structures, and even some dependency disclosures. But the depth of what they evaluate in those areas remains limited compared to what actually causes collapses. A framework might require a cybersecurity policy to exist. It won't measure whether signing key rotation is practiced, whether incident response has been tested under stress, or whether admin access is scoped to prevent a single compromised credential from draining the treasury.

MANTRA checked all the regulatory boxes. OKX later alleged that the project's token economics had undergone major changes since October 2024, and that significant USDT loans were secured by OM collateral. That liquidity structure made the token vulnerable to exactly the kind of forced liquidation cascade that occurred. None of that was visible in the license.

Unregulated crypto ≠ safe?

Compare MANTRA's collapse with Hyperliquid's response to the JELLY manipulation attack in March 2025. Three coordinated accounts exploited a dependency in Hyperliquid's liquidation mechanism, leaving the exchange's vault with $13.5 million in unrealized losses and crashing the HYPE token 20%.

Hyperliquid isn't operating under a license in any major jurisdiction. But when the attack hit, the team responded in two minutes. Validators convened, delisted the manipulated token, and closed positions at pre-attack prices. ZachXBT noted the irony: the team had previously claimed inability to address other issues, but moved instantly when its own vault was at risk. The governance wasn't perfect, and the speed of the override raised legitimate questions about the project's actual decentralization.

Still, the contrast is instructive. A regulated project with a VARA license collapsed under a dependency its compliance framework didn't see. An unregulated exchange with no traditional compliance framework contained an attack through operational governance. Neither compliance nor its absence predicted what happened. 

Europe's early data on crypto regulation

The MiCA regulation went into full enforcement across the EU in 2025. More than 50 firms had licenses revoked, over 18% of platforms exited the market, and regulators issued over €540 million in fines. MiCA is working as designed: filtering out firms that can't meet basic administrative standards.

But MiCA barely touches DeFi, and implementation varies dramatically across member states. A MiCA-licensed exchange can still have concentrated liquidity, single-point-of-failure admin keys, and dependency on one market maker. The regulation raises the floor, and that's real progress. What it doesn't measure are the factors that caused the largest collapses of 2025.

Where the measurement needs to go

Compliance frameworks measure what regulators care about: legal structure, consumer protection, money laundering prevention. These are important, and the industry is better with them than without.

CORE3's PoL evaluates projects across six domains, and regulatory compliance is one of them. Projects that lack it receive higher digital asset risk exposure in that dimension. CORE3 recognizes its importance, but it is one of six categories of risk, not the whole picture.

The operational domain measures admin key management, incident response maturity, developer access control. The dependency domain measures market maker concentration, oracle reliance, infrastructure single points of failure. The financial domain measures liquidity depth, reserve quality, token supply distribution.

These factors, not the VARA license, determined whether MANTRA could survive a Sunday-evening liquidation cascade.

The question isn't whether compliance matters. It does. The question is whether the market confuses a regulatory receipt with actual crypto risk management.

The first question has an established framework. The second one is what the industry is still building.

Author

Dmytro Zaporozhchenko, CORE3 content lead, has a background in public relations for cybersecurity firms, centralized exchanges, and DeFi projects. 

