Back to Blog

DeFi risk metrics: what TVL, market cap, and protocol-owned liquidity actually measure

by Dmytro Zap
8m

Intro

Every popular on-chain metric answers one narrow question, and only protocol-owned liquidity answers whether a project is safe to trust for the long run.

In May 2022, Anchor Protocol held close to $17 billion in deposits and advertised a 19.5% yield. Six weeks later it held almost nothing, and Terra's collapse erased roughly $40 billion across LUNA and UST.

The deposits were real the whole time. The number that kept climbing right up to the end was Total Value Locked, and it told a story about size that had nothing to do with safety. Anyone reading TVL as a trust signal was reading the wrong metric for the question they actually had. That mismatch, not the metric itself, is where most retail and institutional readers get hurt.

What DeFi risk is, and why one metric never captures it

DeFi risk is the probability that a protocol fails or its users lose money, and no single on-chain number captures it, because every popular metric answers only one narrow question. TVL answers how much capital is parked. Market cap answers what the market thinks a token is worth. Neither was built to answer whether the thing survives.

The mistake is treating a big, green, rising number as a verdict. A metric is an answer, and an answer is only useful if you asked it the right question. When you line up TVL, market cap, trading volume, and protocol-owned liquidity and label the exact question each one answers, the gaps become obvious, and one metric turns out to carry the durability question the others quietly dodge.

What does TVL measure in a DeFi protocol?

Total Value Locked (TVL) measures how much capital sits in a protocol's contracts at a given moment, and it answers "how much is parked here," not "is this safe." It's a snapshot of deposits, and deposits move.

Most TVL in a high-yield protocol is mercenary liquidity, capital that arrives for an incentive and leaves the block the incentive stops. Anchor's deposits climbed because the 19.5% yield was subsidized, and when the subsidy and the peg broke, the same TVL that looked like strength became a bank run in fast-forward. A serious defi protocol risk assessment reads TVL as a measure of how much is exposed if things go wrong, not as evidence that they won't. High TVL tells you the size of the fire, never whether the building is fireproof.

What market cap tells you, and what it hides

Market capitalization (MCAP) tells you what the market currently thinks a token is worth, calculated as circulating supply times price, and it answers a pricing question, never a solvency one. LUNA carried a market cap above $40 billion days before it went to effectively zero.

Market cap is an opinion poll priced in dollars, and opinions reprice in seconds. It also hides two things worth checking directly. A low circulating float with a high fully diluted valuation means most of the supply hasn't hit the market yet, so today's price is thin and easy to push. And market cap says nothing about whether the treasury behind the token is solvent, which is why a $40 billion market cap and a bank run can coexist in the same week.

Trading volume, APY, and risk-adjusted yield in DeFi

Trading volume measures how actively a token changes hands, and headline APY measures an advertised return, but neither is a risk-adjusted yield, which discounts that return by the odds the protocol fails before it pays. A 19.5% yield with a meaningful chance of going to zero is not a 19.5% yield.

Volume is the easiest of these to fake, because wash trading loops the same capital between wallets to manufacture the appearance of demand. The useful defi yield product risk assessment metrics are the ones that ask where the yield comes from: real fees from real users, or emissions printed to attract mercenary deposits that leave when the printing slows. Risk-adjusted yield in DeFi is the honest version of the APY banner, and it's almost never the number on the banner.

Protocol-owned liquidity: the metric closest to long-term trust

Protocol-owned liquidity, often shortened to PoL, measures the share of a protocol's trading liquidity that the protocol itself owns rather than rents from outside providers, and it is the closest single metric to answering whether a project is safe to trust over the long run. Owned liquidity can't be withdrawn by a mercenary farmer chasing the next incentive, because the protocol holds it.

SushiSwap proved the fragility of the alternative in September 2020, when its vampire attack pulled over $1 billion in liquidity out of Uniswap using SUSHI rewards, then watched much of it leave again once the rewards thinned. OlympusDAO answered that fragility in 2021 by selling bonds to buy and hold its own liquidity, so the protocol owned the market it depended on instead of renting it by the week. The mechanism is the whole point: rented liquidity is a promise that lasts exactly as long as the yield, and owned liquidity is skin in the game that survives a bad month. High protocol-owned liquidity doesn't certify a project safe, but it does answer the durability question that TVL and market cap can't.

How do you assess risk across Solana DeFi protocols?

To assess risk across Solana DeFi protocols, read each metric as the answer to its own question and never let one number stand in for durability: TVL for size, market cap for pricing, protocol-owned liquidity for staying power. The chain changes the mechanics, not the discipline.

A practical crypto project risk assessment checklist runs the same on Solana as on Ethereum:

  • Read TVL as exposure, not endorsement, and check how much of it is incentivized.
  • Read market cap next to fully diluted valuation and circulating float, so a thin, pushable price doesn't read as a strong one.
  • Discount every advertised APY into a risk-adjusted yield before you compare products.
  • Weigh protocol-owned liquidity (PoL) against rented liquidity as your durability proxy.
  • Trace dependencies, because a protocol inherits the risk of every oracle, bridge, and stablecoin it touches.

Those are the core defi protocol risk assessment methods, and they double as a treasury defi risk assessment when a fund has to defend where the capital sits. Good defi risk management isn't picking the highest number. It's knowing which question each number answers and refusing to let one stand in for the rest.

Why no single metric is a full DeFi risk assessment

No single on-chain metric is a complete DeFi risk assessment, because failure shows up across security, solvency, governance, and dependencies, and none of the numbers above aggregates them. Protocol-owned liquidity is the best durability proxy on the list, and it's still one input, not a verdict.

The deeper problem is that every metric in this piece was built for a different job and got drafted into risk duty later. TVL was built to rank protocols by deposits on ecosystem leaderboards, a size metric that readers grabbed because it was the nearest number available. Market cap was lifted from equities, a pricing formula that answers what a token trades for, not what backs it. Volume and APY were built to advertise activity and yield. Even protocol-owned liquidity started as OlympusDAO's bonding strategy for buying market depth, and earned its durability reading only because owned liquidity happened to correlate with staying power. A protocol risk assessment assembled from repurposed metrics inherits every one of those blind spots.

Probability of Loss: the DeFi risk metric built for the risk question first

Probability of Loss is the metric built from its first criterion to answer the question this whole piece has been circling: how likely is it that a project fails or its users lose money. It also shares its initials with protocol-owned liquidity, so the two need separating before either gets used. Protocol-owned liquidity (PoL) measures who owns the market depth. Probability of Loss (PoL) scores the odds of the loss itself.

The index comes from CORE3, and the limits come first. CORE3 is not a ratings agency, its metrics do not constitute investment advice, and a low Probability of Loss does not mean a project is certified, approved, or risk-free. What the score does is aggregate what no single on-chain number can. The methodology evaluates over 85 assessment metrics across 29 project categories and six risk areas: security posture, financial integrity, operational maturity, reputational posture, regulatory compliance, and dependency risks. The output is one number from 0 (Exceptional) to 100 (Critical), and it's dynamic, so a security or operational incident moves it the way this piece argues risk moves: fast, and across domains TVL never sees.

TVL tells you how much is parked. Market cap tells you what the crowd is guessing. Protocol-owned liquidity tells you whether anyone building the thing has to stay. Probability of Loss is the number that was asked the risk question first. It won't certify anything safe, and it isn't advice. It makes the risk readable before you commit capital. Check a project's PoL score at core3.io.