Guides

Vault Due Diligence

Six-step vault assessment for risk score, vectors, audit status, oracle freshness, holder concentration, and events.

This guide walks through a complete due diligence assessment of a DeFi vault using the Philidor API.

Step 1: Look Up the Vault

curl https://api.philidor.io/v1/vault/ethereum/0x8eB67A509616cd6A7c1B3c8C21D48FF57df3d458

Check the top-level fields first:

  • total_score, the composite risk score from 0 to 10
  • risk_tier, Prime, Core, or Edge
  • is_audited, whether the protocol version is audited
  • deposit_status, the canonical open, closed, or unknown deposit signal
  • is_depositable, compatibility boolean derived from on-chain deposit checks
  • deposit_capacity_usd, USD-denominated headroom remaining before the cap. Use it to size positions. null means uncapped or unknown.
  • strategy_type, what the vault does, such as lending or yield aggregation

Step 2: Examine Risk Vectors

The risk_vectors field breaks the score into four independent dimensions:

VectorWeightWhat to look for
Asset Composition30%Asset category, review status, evidence freshness, cap reasons
Platform and Strategy30%Protocol age, audits, strategy type, dependencies, incidents
Control and Governance20%Immutability, pause controls, timelock length
History20%Recent instability, unresolved events, lifetime Critical loss

Red flags:

  • Any vector scoring below 3
  • Asset vector constrained by hard-fail/override/staleness caps
  • Platform vector dragged down by incident decay

Step 3: Review Audit Status

Check the audit fields:

  • audit_status - "audited" or "unaudited"
  • auditors - list of audit firms
  • audit_date - when the audit was completed
  • audit_report_url - link to the full report

Audit quality is a major platform input and can also inform hard-fail/suitability outcomes, but score limiting is applied via explicit caps and explainability outputs rather than a single forced-tier rule.

Step 4: Check Oracle Freshness

curl https://api.philidor.io/v1/oracle-vector/freshness

Verify that the oracle feeds for the vault's assets are fresh and updating. Stale oracles are a leading indicator of potential issues.

Step 5: Review Holder Concentration

curl https://api.philidor.io/v1/vault/ethereum/0x8eB67A509616cd6A7c1B3c8C21D48FF57df3d458/holders

Look for:

  • coverage_status, which should be complete before treating concentration metrics as final
  • external_top1_pct, external_top5_pct, and external_hhi
  • protocol_managed_pct, which separates protocol-owned infrastructure from external holders
  • top_holders, including entity labels where available

Step 6: Review Events and History

curl https://api.philidor.io/v1/vault/ethereum/0x8eB67A509616cd6A7c1B3c8C21D48FF57df3d458/events

Look for:

  • Incidents, including security events or losses
  • Allocation changes, since frequent rebalancing may indicate instability
  • Parameter changes, including fee changes and cap adjustments

Decision Framework

ScoreTypical Action
8.0+ (Prime)Suitable for core allocations. Monitor for tier changes.
5.0-7.9 (Core)Acceptable with active monitoring. Size positions accordingly.
< 5.0 (Edge)Requires deep due diligence. Consider size limits.
not_assessedTreat as unreviewed exposure; require explicit internal approval

Using the MCP Server

With the MCP server, you can run the entire assessment with a single prompt:

"Run a due diligence report on the Gauntlet USDC vault at 0x8eB67A509616cd6A7c1B3c8C21D48FF57df3d458 on Ethereum"

This triggers the vault_due_diligence prompt which orchestrates multiple tool calls automatically.

On this page

Raw