Vault Due Diligence
Six-step vault assessment for risk score, vectors, audit status, oracle freshness, holder concentration, and events.
This guide walks through a complete due diligence assessment of a DeFi vault using the Philidor API.
Step 1: Look Up the Vault
curl https://api.philidor.io/v1/vault/ethereum/0x8eB67A509616cd6A7c1B3c8C21D48FF57df3d458Check the top-level fields first:
total_score, the composite risk score from 0 to 10risk_tier, Prime, Core, or Edgeis_audited, whether the protocol version is auditeddeposit_status, the canonicalopen,closed, orunknowndeposit signalis_depositable, compatibility boolean derived from on-chain deposit checksdeposit_capacity_usd, USD-denominated headroom remaining before the cap. Use it to size positions.nullmeans uncapped or unknown.strategy_type, what the vault does, such as lending or yield aggregation
Step 2: Examine Risk Vectors
The risk_vectors field breaks the score into four independent dimensions:
| Vector | Weight | What to look for |
|---|---|---|
| Asset Composition | 30% | Asset category, review status, evidence freshness, cap reasons |
| Platform and Strategy | 30% | Protocol age, audits, strategy type, dependencies, incidents |
| Control and Governance | 20% | Immutability, pause controls, timelock length |
| History | 20% | Recent instability, unresolved events, lifetime Critical loss |
Red flags:
- Any vector scoring below 3
- Asset vector constrained by hard-fail/override/staleness caps
- Platform vector dragged down by incident decay
Step 3: Review Audit Status
Check the audit fields:
audit_status- "audited" or "unaudited"auditors- list of audit firmsaudit_date- when the audit was completedaudit_report_url- link to the full report
Audit quality is a major platform input and can also inform hard-fail/suitability outcomes, but score limiting is applied via explicit caps and explainability outputs rather than a single forced-tier rule.
Step 4: Check Oracle Freshness
curl https://api.philidor.io/v1/oracle-vector/freshnessVerify that the oracle feeds for the vault's assets are fresh and updating. Stale oracles are a leading indicator of potential issues.
Step 5: Review Holder Concentration
curl https://api.philidor.io/v1/vault/ethereum/0x8eB67A509616cd6A7c1B3c8C21D48FF57df3d458/holdersLook for:
coverage_status, which should becompletebefore treating concentration metrics as finalexternal_top1_pct,external_top5_pct, andexternal_hhiprotocol_managed_pct, which separates protocol-owned infrastructure from external holderstop_holders, including entity labels where available
Step 6: Review Events and History
curl https://api.philidor.io/v1/vault/ethereum/0x8eB67A509616cd6A7c1B3c8C21D48FF57df3d458/eventsLook for:
- Incidents, including security events or losses
- Allocation changes, since frequent rebalancing may indicate instability
- Parameter changes, including fee changes and cap adjustments
Decision Framework
| Score | Typical Action |
|---|---|
| 8.0+ (Prime) | Suitable for core allocations. Monitor for tier changes. |
| 5.0-7.9 (Core) | Acceptable with active monitoring. Size positions accordingly. |
| < 5.0 (Edge) | Requires deep due diligence. Consider size limits. |
| not_assessed | Treat as unreviewed exposure; require explicit internal approval |
Using the MCP Server
With the MCP server, you can run the entire assessment with a single prompt:
"Run a due diligence report on the Gauntlet USDC vault at 0x8eB67A509616cd6A7c1B3c8C21D48FF57df3d458 on Ethereum"
This triggers the vault_due_diligence prompt which orchestrates multiple tool calls automatically.
USDT/USDT0 DeFi Vaults
A reference basket of USDT and USDT0 DeFi lending vaults across Philidor's Prime and Core risk tiers. USDT0 is Tether's OFT (LayerZero omnichain) variant, and the two tokens are treated as one asset family, so a vault accepting USDT on Ethereum and a vault accepting USDT0 on Base or Arbitrum is eligible. The basket admits vaults at both Prime (risk_score ≥ 8) and Core (5 ≤ risk_score < 8) tiers, with score-weighted allocation pivoting at 5.0 so Prime vaults dominate by weight while Core names remain represented. Diversity rules seat at least 2 protocols and cap any single protocol at sixty percent of the 10 available slots.
Portfolio Risk Analysis
Paste any Ethereum address to get a full risk breakdown — tier distribution, protocol concentration, and exposure alerts.